dissect.cobaltstrike.pcap

Module Contents

Classes

BeaconCapture

A class representing a beacon capture file.

Functions

packet_to_record(→ flow.record.Record)

Convert pcap packet to a flow.record.

c2packet_to_record(→ flow.record.Record)

Convert c2packet to a flow.record.

raw_http_from_packet(→ bytes)

Return the extracted raw HTTP bytes from packet.

main()

Attributes

logger

PacketRecord

Record Descriptor for basic PCAP packet information

dissect.cobaltstrike.pcap.logger
dissect.cobaltstrike.pcap.PacketRecord

Record Descriptor for basic PCAP packet information

dissect.cobaltstrike.pcap.packet_to_record(packet: pyshark.packet.packet.Packet) → flow.record.Record

Convert pcap packet to a flow.record.

dissect.cobaltstrike.pcap.c2packet_to_record(c2packet: dissect.cobaltstrike.c2.C2Packet) → flow.record.Record

Convert c2packet to a flow.record.

dissect.cobaltstrike.pcap.raw_http_from_packet(packet: pyshark.packet.packet.Packet) → bytes

Return the extracted raw HTTP bytes from packet.

class dissect.cobaltstrike.pcap.BeaconCapture(pcap: str, bconfig: dissect.cobaltstrike.beacon.BeaconConfig | None = None, aes_key: bytes | None = None, hmac_key: bytes | None = None, rsa_private_key: Crypto.PublicKey.RSA.RsaKey | None = None, verify_hmac: bool = True, all_metadata: bool = False, extract_beacons: bool = False)

A class representing a beacon capture file.

Parameters:
  • pcap – A PCAP file containing Cobalt Strike traffic

  • nss – NSSKEYLOGFILE containing the client random and masterkey in NSS format

  • aes_key – AES key used in the beacon session

  • hmac_key – hmac key used in the beacon session (optional)

  • c2 – IP address of the Cobalt Strike C2 server

  • config – A Cobalt Strike BeaconConfig configuration

  • filter – A Wireshark display filter used for filtering the pcap

__iter__() → Iterator[Tuple[pyshark.packet.packet.Packet, dissect.cobaltstrike.c2.C2Packet]]

Alias for BeaconCapture.iter_parse_pcap().

iter_parse_pcap(pcap: str, all_metadata: bool | None = None, nss_keylog_file: str | None = None, c2_ip: str | None = None, display_filter: str = 'http', extract_beacons: bool = False) → Iterator[Tuple[pyshark.packet.packet.Packet, dissect.cobaltstrike.c2.C2Packet]]

Yields (packet, c2packet) for every decrypted HTTP C2 packet in the PCAP.

Parameters:
  • pcap – path to PCAP file

  • all_metadata – If True, yield every decrypted BeaconMetadata. Otherwise, yield only metadata that has not been seen before, which is useful for ignoring subsequent check-ins of the same beacon.

  • nss_keylog_file – path to an SSLKEYLOGFILE for decrypting TLS traffic in the pcap.

  • c2_ip – IP address of the C2. If defined, it is used to filter packets, which speeds up processing.

  • display_filter – A Wireshark display filter to apply to the pcap. It is recommended to use at least http (the default).

Yields:

Tuple of (packet, c2packet)

find_staged_beacon(response: dissect.cobaltstrike.c2.HttpResponse) → dissect.cobaltstrike.beacon.BeaconConfig | None

Returns a BeaconConfig if one is found in the HTTP response body. If the response has an associated request, it first checks whether the request URI is a stager URI.

Parameters:

  • response – The HttpResponse object to check for a stager URI and Beacon payload.

Returns:

The beacon config if found, otherwise None.

Return type:

BeaconConfig
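The following is an added usage example, not code from the dissect.cobaltstrike project: a small command-line driver that builds a BeaconCapture from a PCAP plus session keys and emits one flow.record per decrypted C2 packet, using only BeaconCapture, packet_to_record and c2packet_to_record from this module. The helpers parse_hex_key, derive_session_keys and build_capture are this example's own. derive_session_keys implements the key derivation Cobalt Strike applies to a beacon's raw 16-byte session key (SHA-256, first 16 bytes AES key, last 16 bytes HMAC key), so an analyst who has recovered the raw session key can feed the derived keys to aes_key and hmac_key. Running main() assumes dissect.cobaltstrike, pyshark/tshark and pycryptodome are installed; the helpers work without them.

```python
"""Added example (not part of dissect.cobaltstrike): dump decrypted
Cobalt Strike C2 packets from a PCAP as flow.record records."""
import argparse
import hashlib
from typing import Optional, Tuple


def parse_hex_key(value: Optional[str], expected_len: int = 16) -> Optional[bytes]:
    """Decode a hex-encoded key and check its length.

    None is passed through unchanged so the caller can hand it straight to
    BeaconCapture, where None means "key not available".
    """
    if value is None:
        return None
    try:
        key = bytes.fromhex(value.strip())
    except ValueError as exc:
        raise ValueError(f"key is not valid hex: {value!r}") from exc
    if len(key) != expected_len:
        raise ValueError(f"expected a {expected_len}-byte key, got {len(key)} bytes")
    return key


def derive_session_keys(session_key: bytes) -> Tuple[bytes, bytes]:
    """Derive (aes_key, hmac_key) from a beacon's raw 16-byte session key.

    Cobalt Strike hashes the raw session key (the value a beacon sends
    RSA-encrypted inside its metadata) with SHA-256; the first 16 bytes of the
    digest are the AES-128 key, the last 16 bytes the HMAC key.
    """
    if len(session_key) != 16:
        raise ValueError("raw session key must be 16 bytes")
    digest = hashlib.sha256(session_key).digest()
    return digest[:16], digest[16:]


def build_capture(pcap: str, aes_key: Optional[bytes] = None, hmac_key: Optional[bytes] = None,
                  rsa_private_key_pem: Optional[str] = None, verify_hmac: bool = True):
    """Construct a BeaconCapture; imports are deferred so the helpers above run without the package."""
    from dissect.cobaltstrike.pcap import BeaconCapture  # class documented on this page

    rsa_key = None
    if rsa_private_key_pem is not None:
        # pycryptodome, which dissect.cobaltstrike already uses for its RsaKey type
        from Crypto.PublicKey import RSA
        with open(rsa_private_key_pem, "rb") as fh:
            rsa_key = RSA.import_key(fh.read())
    return BeaconCapture(pcap, aes_key=aes_key, hmac_key=hmac_key,
                         rsa_private_key=rsa_key, verify_hmac=verify_hmac)


def main() -> None:
    parser = argparse.ArgumentParser(description="Dump decrypted Cobalt Strike C2 packets as records")
    parser.add_argument("pcap", help="PCAP file containing beacon HTTP traffic")
    parser.add_argument("--session-key", help="hex raw 16-byte session key; AES/HMAC keys are derived from it")
    parser.add_argument("--aes-key", help="hex AES key (alternative to --session-key)")
    parser.add_argument("--hmac-key", help="hex HMAC key (alternative to --session-key)")
    parser.add_argument("--rsa-private-key", help="PEM file holding the team server's RSA private key")
    parser.add_argument("--no-verify-hmac", action="store_true", help="skip HMAC verification of C2 packets")
    args = parser.parse_args()

    if args.session_key:
        aes_key, hmac_key = derive_session_keys(parse_hex_key(args.session_key))
    else:
        aes_key, hmac_key = parse_hex_key(args.aes_key), parse_hex_key(args.hmac_key)

    from dissect.cobaltstrike.pcap import c2packet_to_record, packet_to_record

    capture = build_capture(args.pcap, aes_key, hmac_key, args.rsa_private_key, not args.no_verify_hmac)
    # Iterating a BeaconCapture yields (packet, c2packet) for every decrypted HTTP C2 packet.
    for packet, c2packet in capture:
        print(packet_to_record(packet))    # basic PCAP packet information (PacketRecord)
        print(c2packet_to_record(c2packet))  # the decrypted C2 packet as a record


if __name__ == "__main__":
    main()
```

Supplying --rsa-private-key lets BeaconCapture recover the session key from the encrypted beacon metadata itself, so --session-key or --aes-key/--hmac-key are only needed when the private key is not available; keep verify_hmac enabled unless you are deliberately examining packets whose HMAC does not validate.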

dissect.cobaltstrike.pcap.main()