dissect.cobaltstrike.version
This module contains the BeaconVersion class and mappings for determining the Cobalt Strike version of beacon payloads.
Note: Deducing the Cobalt Strike version using BeaconVersion.from_pe_export_stamp() is more accurate than BeaconVersion.from_max_setting_enum(). However, if the pe_export_stamp is not known, deducing from max_setting_enum is still a good version estimate.
Attributes
  MAX_ENUM_TO_VERSION         Max setting enum to Cobalt Strike version mapping
  PE_EXPORT_STAMP_TO_VERSION  PE export timestamp to Cobalt Strike version mapping
Classes
  BeaconVersion               Helper class for dealing with Cobalt Strike version strings
Module Contents
- dissect.cobaltstrike.version.MAX_ENUM_TO_VERSION: Dict[int, str]
  Max setting enum to Cobalt Strike version mapping
- dissect.cobaltstrike.version.PE_EXPORT_STAMP_TO_VERSION: Dict[int, str]
  PE export timestamp to Cobalt Strike version mapping
- class dissect.cobaltstrike.version.BeaconVersion(version: str)
  Bases: str
  Helper class for dealing with Cobalt Strike version strings
  - REGEX_VERSION = 'Cobalt Strike (?P<major>\\d+)\\.(?P<minor>\\d+)(\\.(?P<patch>\\d+))? \\((?P<date>.*)\\)'
  - tuple: Tuple[int, int] | Tuple[int, int, int] | None = None
    The version as a tuple of (major, minor) or (major, minor, patch), e.g. (4, 5) or (4, 7, 1). Otherwise, None.
  - date: datetime.date | None = None
    Date of the version as a datetime.date object, e.g. datetime.date(2021, 12, 14). Otherwise, None.
  - classmethod from_pe_export_stamp(pe_export_stamp: int) -> BeaconVersion
    Construct BeaconVersion by looking up pe_export_stamp in the PE_EXPORT_STAMP_TO_VERSION map.
  - classmethod from_max_setting_enum(enum: int) -> BeaconVersion
    Construct BeaconVersion by looking up enum in the MAX_ENUM_TO_VERSION map.
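The following is an added example, not code from dissect.cobaltstrike itself: it applies the documented REGEX_VERSION to a version string to recover the (major, minor[, patch]) tuple and date, and implements the lookup order the note recommends (PE export stamp first, max setting enum as fallback). The mapping contents, the stamp and enum keys, and the "Dec 14, 2021" date layout are constructed assumptions; the real tables live in the module.

```python
import re
from datetime import date, datetime
from typing import Dict, Optional, Tuple

# The regex as documented for BeaconVersion.REGEX_VERSION.
REGEX_VERSION = re.compile(
    r"Cobalt Strike (?P<major>\d+)\.(?P<minor>\d+)(\.(?P<patch>\d+))? \((?P<date>.*)\)"
)

# Constructed placeholder tables; the real MAX_ENUM_TO_VERSION and
# PE_EXPORT_STAMP_TO_VERSION mappings are not reproduced here.
PE_EXPORT_STAMP_TO_VERSION: Dict[int, str] = {
    1639440000: "Cobalt Strike 4.5 (Dec 14, 2021)",  # constructed stamp value
}
MAX_ENUM_TO_VERSION: Dict[int, str] = {
    70: "Cobalt Strike 4.5 (Dec 14, 2021)",  # constructed enum value
}


def parse_version(version: str) -> Tuple[Optional[tuple], Optional[date]]:
    """Return ((major, minor[, patch]), date) or (None, None) if the string does not match."""
    m = REGEX_VERSION.match(version)
    if not m:
        return None, None
    parts = [int(m["major"]), int(m["minor"])]
    if m["patch"] is not None:
        parts.append(int(m["patch"]))
    try:
        # Assumed date layout inside the parentheses, e.g. "Dec 14, 2021".
        parsed = datetime.strptime(m["date"], "%b %d, %Y").date()
    except ValueError:
        parsed = None
    return tuple(parts), parsed


def deduce_version(pe_export_stamp: Optional[int], max_setting_enum: Optional[int]) -> Optional[str]:
    """Prefer the PE export stamp lookup; fall back to the max setting enum when the stamp is unknown."""
    if pe_export_stamp is not None and pe_export_stamp in PE_EXPORT_STAMP_TO_VERSION:
        return PE_EXPORT_STAMP_TO_VERSION[pe_export_stamp]
    if max_setting_enum is not None:
        return MAX_ENUM_TO_VERSION.get(max_setting_enum)
    return None
```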