dissect.cobaltstrike.pcap
Module Contents
Classes
BeaconCapture – A class representing a beacon capture file.
Functions
packet_to_record – Convert pcap packet to a flow.record.
c2packet_to_record – Convert c2packet to a flow.record.
raw_http_from_packet – Return the extracted raw HTTP bytes from packet.
Attributes
Record Descriptor for basic PCAP packet information
- dissect.cobaltstrike.pcap.packet_to_record(packet: pyshark.packet.packet.Packet) → flow.record.Record
Convert pcap packet to a flow.record.
- dissect.cobaltstrike.pcap.c2packet_to_record(c2packet: dissect.cobaltstrike.c2.C2Packet) → flow.record.Record
Convert c2packet to a flow.record.
- dissect.cobaltstrike.pcap.raw_http_from_packet(packet: pyshark.packet.packet.Packet) → bytes
Return the extracted raw HTTP bytes from packet.
- class dissect.cobaltstrike.pcap.BeaconCapture(pcap: str, bconfig: dissect.cobaltstrike.beacon.BeaconConfig | None = None, aes_key: bytes | None = None, hmac_key: bytes | None = None, rsa_private_key: Crypto.PublicKey.RSA.RsaKey | None = None, verify_hmac: bool = True, all_metadata: bool = False, extract_beacons: bool = False)
A class representing a beacon capture file.
- Parameters:
pcap – A PCAP file containing Cobalt Strike traffic
nss – NSSKEYLOGFILE containing the client random and master key in NSS format
aes_key – AES key used in the beacon session
hmac_key – HMAC key used in the beacon session (optional)
c2 – IP address of the Cobalt Strike C2 server
config – A Cobalt Strike BeaconConfig configuration
filter – A Wireshark display filter used for filtering the pcap
- __iter__() → Iterator[Tuple[pyshark.packet.packet.Packet, dissect.cobaltstrike.c2.C2Packet]]
Alias for BeaconCapture.iter_parse_pcap().
- iter_parse_pcap(pcap: str, all_metadata: bool | None = None, nss_keylog_file: str | None = None, c2_ip: str | None = None, display_filter: str = 'http', extract_beacons: bool = False) → Iterator[Tuple[pyshark.packet.packet.Packet, dissect.cobaltstrike.c2.C2Packet]]
Yields (packet, c2packet) for every decrypted HTTP C2 packet in the PCAP.
- Parameters:
pcap – path to PCAP file
all_metadata – If True, all decrypted BeaconMetadata is yielded. Otherwise, only metadata that has not been seen yet is yielded. Useful if you want to ignore subsequent check-ins.
nss_keylog_file – path to a SSLKEY_LOG file for decrypting TLS traffic in the pcap.
c2_ip – IP address of the C2; if defined, it is used to filter packets and speed up processing.
display_filter – A Wireshark display filter to apply to the pcap. It is recommended to use at least http (default).
- Yields:
Tuple of (packet, c2packet)
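The inputs to iter_parse_pcap() listed above (NSS key log, C2 address, display filter) are where most "nothing decrypts" problems start. What follows is an added example, not code from dissect.cobaltstrike: it validates the key log format and builds a multi-address display filter before handing the capture to BeaconCapture.iter_parse_pcap() and converting each yielded pair with packet_to_record() and c2packet_to_record(). The key-log line format and the ip.addr filter syntax are assumptions (standard NSS/Wireshark conventions that this page does not describe). Note that the BeaconCapture constructor signature shown above does not list the nss/c2/filter parameters its parameter list names, so the example passes the key log and C2 address through iter_parse_pcap(), whose signature accepts them explicitly.

```python
"""Added example, not code from dissect.cobaltstrike: pre-flight checks on the
inputs iter_parse_pcap() depends on, then a driver that walks a PCAP with
BeaconCapture and turns every decrypted C2 packet into flow.record records.

Assumptions not stated on the page: the key log uses the standard NSS/Wireshark
SSLKEYLOGFILE line format and the display filter uses Wireshark's
"ip.addr == x" syntax.  The dissect.cobaltstrike calls use only names shown on
the page and are imported lazily, so the checks run without the library."""
from __future__ import annotations

import ipaddress
import re
import sys
from collections import Counter
from typing import Iterable, Iterator, Optional, Tuple

# One key log line: "<LABEL> <client_random: 64 hex> <secret: hex>".
# Legacy "RSA <id> <premaster>" lines are deliberately not accepted here.
_KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z_0-9]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)
_TLS12_LABEL = "CLIENT_RANDOM"  # secret is the 48-byte master secret
_TLS13_LABELS = {               # secret length depends on the cipher suite
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}


def validate_nss_keylog(text: str) -> dict:
    """Count usable key log lines per label and report malformed ones.
    A session that never decrypts is easier to diagnose here than after
    pyshark has silently dropped it, so run this before iter_parse_pcap()."""
    labels: Counter = Counter()
    randoms = set()
    bad = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYLOG_LINE.match(line)
        if m is None:
            bad.append((lineno, "expected 'LABEL <64 hex> <hex>'"))
            continue
        label, secret = m["label"], m["secret"]
        if label == _TLS12_LABEL and len(secret) != 96:
            bad.append((lineno, "CLIENT_RANDOM master secret must be 48 bytes"))
            continue
        if label != _TLS12_LABEL and label not in _TLS13_LABELS:
            bad.append((lineno, f"unknown label {label}"))
            continue
        labels[label] += 1
        randoms.add(m["random"].lower())
    return {"labels": dict(labels), "sessions": len(randoms), "bad_lines": bad}


def build_display_filter(c2_ips: Optional[Iterable[str]] = None, base: str = "http") -> str:
    """Keep the recommended 'http' base filter and restrict to one or more C2
    addresses.  iter_parse_pcap()'s c2_ip option takes a single address; this
    is the multi-C2 form.  Each address is validated so a typo cannot become
    a broken filter that silently matches nothing."""
    ips = [str(ipaddress.ip_address(ip)) for ip in (c2_ips or [])]
    if not ips:
        return base
    clauses = " or ".join(f"ip.addr == {ip}" for ip in ips)
    return f"{base} and ({clauses})"


def iter_c2_records(pcap: str, nss_keylog_file: Optional[str] = None,
                    c2_ip: Optional[str] = None, all_metadata: bool = False,
                    display_filter: str = "http") -> Iterator[Tuple[object, object]]:
    """Yield (packet_record, c2packet_record) for every decrypted C2 packet.
    The library import is lazy: it is only needed when a capture is processed."""
    from dissect.cobaltstrike.pcap import (BeaconCapture, c2packet_to_record,
                                           packet_to_record)

    capture = BeaconCapture(pcap, all_metadata=all_metadata)
    for packet, c2packet in capture.iter_parse_pcap(
        pcap, all_metadata=all_metadata, nss_keylog_file=nss_keylog_file,
        c2_ip=c2_ip, display_filter=display_filter,
    ):
        yield packet_to_record(packet), c2packet_to_record(c2packet)


# Constructed sample key log (not real session secrets): two TLS 1.2 sessions,
# one TLS 1.3 secret, one CLIENT_RANDOM with a truncated secret, one junk line.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by a client",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_RANDOM " + "22" * 32 + " " + "bb" * 48,
    "CLIENT_RANDOM " + "33" * 32 + " " + "cc" * 16,
    "CLIENT_TRAFFIC_SECRET_0 " + "44" * 32 + " " + "dd" * 32,
    "garbage line",
])

if __name__ == "__main__":
    # usage: python example.py capture.pcap [keylog.txt] [c2-ip]
    pcap_path = sys.argv[1]
    keylog_path = sys.argv[2] if len(sys.argv) > 2 else None
    c2 = sys.argv[3] if len(sys.argv) > 3 else None
    if keylog_path:
        with open(keylog_path) as fh:
            report = validate_nss_keylog(fh.read())
        print(f"key log: {report['sessions']} sessions, {report['labels']}, "
              f"{len(report['bad_lines'])} bad lines")
    for pkt_rec, c2_rec in iter_c2_records(pcap_path, keylog_path, c2):
        print(pkt_rec)
        print(c2_rec)
```

On SAMPLE_KEYLOG the validator reports two CLIENT_RANDOM lines and one CLIENT_TRAFFIC_SECRET_0 line across three distinct client randoms, and flags lines 4 (truncated master secret) and 6 (not a key log line); a capture whose TLS sessions are missing from the log will show up as a session count lower than the number of TLS connections you expect to see decrypted.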
- find_staged_beacon(response: dissect.cobaltstrike.c2.HttpResponse) → dissect.cobaltstrike.beacon.BeaconConfig | None
Returns a BeaconConfig if found in the HTTP response body. If the response has an associated request, it first checks whether the request is a stager URI.
- Parameters:
response – The HttpResponse object to check for Stager URI and Beacon payload.
- Returns:
The beacon config if found, otherwise None.
- Return type:
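The page says find_staged_beacon() first checks whether the associated request is a stager URI but does not describe how. The following is an added example, independent of dissect.cobaltstrike and not its implementation: a defender-side check built on the assumption that stager URIs follow the Metasploit checksum8 convention also used by Cobalt Strike HTTP stagers (sum of the path bytes modulo 256 equals 92 for an x86 stager or 93 for an x64 stager). The sample request URIs are constructed.

```python
"""Added example, not code from dissect.cobaltstrike: flag HTTP requests whose
path looks like a stager URI, the pre-check find_staged_beacon() performs
before parsing a response body for a BeaconConfig.

Assumption (not stated on the page): the Metasploit checksum8 convention,
which Cobalt Strike HTTP stagers also follow.  Only the path component is
summed; the query string and any leading '/' are ignored."""
from __future__ import annotations

from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93


def checksum8(path: str) -> int:
    """Sum of the byte values of the URI path (leading slash removed) mod 256."""
    return sum(path.lstrip("/").encode("latin-1")) % 256


def stager_arch(uri: str) -> Optional[str]:
    """Return 'x86', 'x64', or None for a request URI (a bare path or full URL)."""
    path = urlsplit(uri).path.lstrip("/")
    if not path:
        return None
    value = checksum8(path)
    if value == CHECKSUM8_X86:
        return "x86"
    if value == CHECKSUM8_X64:
        return "x64"
    return None


def is_stager_uri(uri: str) -> bool:
    return stager_arch(uri) is not None


def flag_stager_requests(uris: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (uri, arch) for every request URI that passes the stager check.
    Short random-looking paths have a 2/256 chance of matching by accident,
    so treat a hit as a reason to inspect the response body, not as proof."""
    hits = []
    for uri in uris:
        arch = stager_arch(uri)
        if arch is not None:
            hits.append((uri, arch))
    return hits


# Constructed sample request URIs (not taken from a real capture).
SAMPLE_REQUEST_URIS = [
    "/submit.php?id=1234",              # ordinary beacon-style POST path
    "/aaa9",                            # checksum8 == 92 -> x86 stager
    "http://203.0.113.7/aab9?x=1",      # checksum8 == 93 -> x64 stager
    "/static/app.js",
]

if __name__ == "__main__":
    for uri, arch in flag_stager_requests(SAMPLE_REQUEST_URIS):
        print(f"possible {arch} stager request: {uri}")
```

Run over SAMPLE_REQUEST_URIS this flags only /aaa9 (x86) and /aab9 (x64); in triage, a hit is the cue to pass the corresponding HttpResponse to find_staged_beacon() and confirm that the body actually carries a beacon configuration.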