`dissect.cobaltstrike.version`

This module contains the BeaconVersion class and mappings for determining the Cobalt Strike version of beacon payloads.

Note

Deducing the Cobalt Strike version using BeaconVersion.from_pe_export_stamp() is more accurate than BeaconVersion.from_max_setting_enum(). However, if the pe_export_stamp is not known, deducing from max_setting_enum is still a good version estimate.

Module Contents

Helper class for dealing with Cobalt Strike version strings

`MAX_ENUM_TO_VERSION`	Max setting enum to Cobalt Strike version mapping
`PE_EXPORT_STAMP_TO_VERSION`	PE export timestamp to Cobalt Strike version mapping

dissect.cobaltstrike.version.MAX_ENUM_TO_VERSION: Dict[int, str][source]: Max setting enum to Cobalt Strike version mapping

dissect.cobaltstrike.version.PE_EXPORT_STAMP_TO_VERSION: Dict[int, str][source]: PE export timestamp to Cobalt Strike version mapping

class dissect.cobaltstrike.version.BeaconVersion(version: str)[source]

Bases: str

Helper class for dealing with Cobalt Strike version strings

property version_string: str[source]: The version string without the date. e.g. "Cobalt Strike 4.5"

property version_only: str[source]: The version number only string. e.g. "4.5", or "Unknown" if version is unknown.

REGEX_VERSION = 'Cobalt Strike (?P<major>\\d+)\\.(?P<minor>\\d+)(\\.(?P<patch>\\d+))? \\((?P<date>.*)\\)'[source]

version: str[source]: full version string including date, e.g. "Cobalt Strike 4.5 (Dec 14, 2021)"

tuple: Tuple[int, int] | Tuple[int, int, int] | None[source]: the version as tuple of (major, minor) or (major, minor, patch), e.g. (4, 5) or (4, 7, 1). Otherwise, None.

date: datetime.date | None[source]: date of version as datetime.date object, e.g. datetime.date(2021, 12, 14). Otherwise, None.

classmethod from_pe_export_stamp(pe_export_stamp: int) → BeaconVersion[source]: Construct BeaconVersion by looking up pe_export_stamp in the PE_EXPORT_STAMP_TO_VERSION map.

classmethod from_max_setting_enum(enum: int) → BeaconVersion[source]: Construct BeaconVersion by looking up enum in the MAX_ENUM_TO_VERSION map.