Installation
The easiest way to install dissect.cobaltstrike is to use pip:
$ pip install dissect.cobaltstrike
Python 3.9 or higher is required, and the package has the following dependencies:
dissect.cstruct - for structure parsing
lark - for parsing malleable c2 profiles
The following pip extras flavours are provided as well:
$ pip install 'dissect.cobaltstrike[c2]'
$ pip install 'dissect.cobaltstrike[pcap]'
$ pip install 'dissect.cobaltstrike[full]'
[c2]
    for when you want to communicate with Cobalt Strike Team Servers, e.g. using beacon-client.
[pcap]
    for when you want to parse and decrypt PCAPs containing Beacon traffic, e.g. using beacon-pcap.
[full]
    provides both of the above and also installs rich for prettier console logging.
Install the latest pre-release version
Every change to the main branch is packaged and uploaded to PyPI as a pre-release version. To install the latest pre-release version, use the --pre flag:
$ pip install --pre dissect.cobaltstrike
Installing from source
If you want to install dissect.cobaltstrike from source, you can use the following steps:
$ git clone https://github.com/fox-it/dissect.cobaltstrike.git
$ cd dissect.cobaltstrike
$ pip install --editable '.[full]'
Using a virtual environment is recommended. The --editable flag ensures that any changes you make to the source code directly affect the installed package, so there is no need to reinstall after editing.
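The steps above combined into one script, as an added example that is not part of the project's own documentation: it checks the Python 3.9 requirement numerically (a plain string compare would wrongly reject 3.10 as older than 3.9), then clones the repository, creates a virtual environment and does the editable install of the [full] flavour. The repository URL and checkout directory name come from the steps above; the virtual environment directory name and the --install argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of dissect.cobaltstrike: preflight check plus the
# "install from source" steps, run inside a virtual environment.
# Assumes python3 and git are on PATH. VENV_DIR and --install are assumed names.

# Return 0 when a "major.minor[.patch]" version string is >= 3.9.
# Compare numerically: as strings, "3.10" sorts before "3.9".
py_version_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 9 ]; }
}

# Version string of an interpreter, e.g. "3.11.4" from "Python 3.11.4".
installed_py_version() {
    "$1" --version 2>&1 | awk '{print $2}'
}

install_from_source() {
    repo_url="https://github.com/fox-it/dissect.cobaltstrike.git"
    checkout_dir="dissect.cobaltstrike"
    venv_dir="${VENV_DIR:-.venv}"   # assumed name for the virtual environment

    if ! py_version_ok "$(installed_py_version python3)"; then
        echo "dissect.cobaltstrike requires Python 3.9 or higher" >&2
        return 1
    fi
    [ -d "$checkout_dir" ] || git clone "$repo_url"
    cd "$checkout_dir" || return 1
    python3 -m venv "$venv_dir"
    # shellcheck disable=SC1091
    . "$venv_dir/bin/activate"
    # Editable install so source edits take effect without reinstalling.
    pip install --editable '.[full]'
}

# Only perform the (network-dependent) install when explicitly asked, so the
# file can be sourced for its functions without side effects.
if [ "${1:-}" = "--install" ]; then
    install_from_source
fi
```

Run it as `sh install.sh --install` from the directory where you want the checkout to live; without the argument it only defines the functions.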
Running tests
The test suite uses pytest, and tox is the recommended way to run it:
$ pip install tox
$ tox
This will run tests on both Python 3 and PyPy3. To limit to Python 3 only, run:
$ tox -e py3
You can also pass custom arguments to pytest by appending them after -- (two dashes), e.g. to run only the tests with checksum8 in their name, with verbose output and stdout logging:
$ tox -e py3 -- -vs -k checksum8
Note
The test suite contains zipped Beacon payloads that are used as test fixtures and are unzipped during some tests. Running the test suite on Windows could therefore trigger Windows Defender or your antivirus.
Linting
For linting (black and flake8):
$ tox -e lint
Documentation
To generate the documentation locally (sphinx):
$ tox -e docs