dissect.cobaltstrike.c_c2.C2_DEF
Structure definitions (C-like cstruct syntax, not compilable C) for parsing Cobalt Strike Beacon C2 packet headers and beacon metadata. Integer byte order is not declared here; it comes from the parser's configuration, so confirm it before reusing these definitions elsewhere.
// Callback data from: Beacon -> Team Server
// Header of one callback record. `data` is exactly `size` bytes, and `size`
// arrives from the beacon, so a parser must check it against the remaining
// buffer length before trusting it - a bogus `size` must not read past the
// end of the received payload.
typedef struct CallbackPacket {
    uint32 counter;           // per-packet counter; presumably used for replay detection (cf. CALLBACK_POST_REPLAY_ERROR below) - confirm against the parser
    uint32 size;              // byte length of `data`
    BeaconCallback callback;  // callback type; the on-wire width is whatever BeaconCallback is registered as - not defined on this page
    char data[size];          // variable-length payload; interpretation depends on `callback`
};
// Task from: Team Server -> Beacon
// `total_size` and `size` are both carried on the wire but nothing in this
// definition ties them together; a parser should check `size <= total_size`
// and that `size` fits the remaining buffer before trusting `data`.
typedef struct TaskPacket {
    uint32 epoch;           // timestamp field; name suggests Unix epoch seconds - confirm
    uint32 total_size;      // NOTE(review): presumably the byte length of the whole task payload that follows; confirm whether several tasks are packed back-to-back
    BeaconCommand command;  // task type; wire width follows how BeaconCommand is registered - not shown here
    uint32 size;            // byte length of `data`
    char data[size];        // command-specific arguments
};
// Beacon session metadata. `size` counts every byte after itself: the 51
// fixed-width bytes below plus the trailing `info` blob.
struct BeaconMetadata {
    uint32 magic;         // identifies a metadata blob; the expected constant is not defined on this page - check it before parsing the rest
    uint32 size;          // byte count of everything after this field (51 + len(info))
    char aes_rand[16];    // 16 random bytes; name suggests session key material (AES) - confirm how it is derived/used
    uint16 ansi_cp;       // GetACP
    uint16 oem_cp;        // GetOEMCP
    uint32 bid;           // presumably the beacon id - confirm
    uint32 pid;           // process id of the beacon host process (per name)
    uint16 port;
    uint8 flag;
    uint8 ver_major;
    uint8 ver_minor;
    uint16 ver_build;
    uint32 ptr_x64;       // for x64 addressing
    uint32 ptr_gmh;       // GetModuleHandle
    uint32 ptr_gpa;       // GetProcAddress
    uint32 ip;            // 4-byte address; presumably IPv4, byte order not declared here - confirm
    // 16+2+2+4+4+2+1+1+1+2+4+4+4+4 = 51 fixed bytes above, so `info` is the
    // remainder. A `size` below 51 makes this length negative: reject such
    // input before parsing rather than relying on the parser's handling of a
    // negative array length.
    char info[size - 51];
};
Enums (Python IntEnum) used for the `command` and `callback` fields above:
class BeaconCommand(IntEnum):
    """Task identifiers carried in TaskPacket.command (Team Server -> Beacon).

    These are protocol constants and must not be renumbered. The numbering has
    gaps (20-21, 25-26, 30, 34-36, 48, 58), so ``BeaconCommand(x)`` raises
    ``ValueError`` for an unlisted id; a parser fed untrusted traffic must
    catch that instead of assuming every id is known.
    """
    COMMAND_SPAWN = 1
    COMMAND_SHELL = 2
    COMMAND_DIE = 3
    COMMAND_SLEEP = 4
    COMMAND_CD = 5
    COMMAND_KEYLOG_START = 6
    # Same value as COMMAND_KEYLOG_START: IntEnum turns this into an alias, so
    # BeaconCommand(6).name resolves to "COMMAND_KEYLOG_START", never to
    # "COMMAND_NOOP". Keep that in mind when matching on .name in logs/detections.
    COMMAND_NOOP = 6
    COMMAND_KEYLOG_STOP = 7
    COMMAND_CHECKIN = 8
    COMMAND_INJECT_PID = 9
    COMMAND_UPLOAD = 10
    COMMAND_DOWNLOAD = 11
    COMMAND_EXECUTE = 12
    COMMAND_SPAWN_PROC_X86 = 13
    COMMAND_CONNECT = 14
    COMMAND_SEND = 15
    COMMAND_CLOSE = 16
    COMMAND_LISTEN = 17
    COMMAND_INJECT_PING = 18
    COMMAND_CANCEL_DOWNLOAD = 19
    # 20-21 unassigned on this page
    COMMAND_PIPE_ROUTE = 22
    COMMAND_PIPE_CLOSE = 23
    COMMAND_PIPE_REOPEN = 24
    # 25-26 unassigned on this page
    COMMAND_TOKEN_GETUID = 27
    COMMAND_TOKEN_REV2SELF = 28
    COMMAND_TIMESTOMP = 29
    # 30 unassigned on this page
    COMMAND_STEAL_TOKEN = 31
    COMMAND_PS_LIST = 32
    COMMAND_PS_KILL = 33
    # 34-36 unassigned on this page
    COMMAND_PSH_IMPORT = 37
    COMMAND_RUNAS = 38
    COMMAND_PWD = 39
    COMMAND_JOB_REGISTER = 40
    COMMAND_JOBS = 41
    COMMAND_JOB_KILL = 42
    COMMAND_INJECTX64_PID = 43
    COMMAND_SPAWNX64 = 44
    COMMAND_INJECT_PID_PING = 45
    COMMAND_INJECTX64_PID_PING = 46
    COMMAND_PAUSE = 47
    # 48 unassigned on this page
    COMMAND_LOGINUSER = 49
    COMMAND_LSOCKET_BIND = 50
    COMMAND_LSOCKET_CLOSE = 51
    COMMAND_STAGE_PAYLOAD = 52
    COMMAND_FILE_LIST = 53
    COMMAND_FILE_MKDIR = 54
    COMMAND_FILE_DRIVES = 55
    COMMAND_FILE_RM = 56
    COMMAND_STAGE_PAYLOAD_SMB = 57
    # 58 unassigned on this page
    COMMAND_WEBSERVER_LOCAL = 59
    COMMAND_ELEVATE_PRE = 60
    COMMAND_ELEVATE_POST = 61
    COMMAND_JOB_REGISTER_IMPERSONATE = 62
    COMMAND_SPAWN_POWERSHELLX86 = 63
    COMMAND_SPAWN_POWERSHELLX64 = 64
    COMMAND_INJECT_POWERSHELLX86_PID = 65
    COMMAND_INJECT_POWERSHELLX64_PID = 66
    COMMAND_UPLOAD_CONTINUE = 67
    COMMAND_PIPE_OPEN_EXPLICIT = 68
    COMMAND_SPAWN_PROC_X64 = 69
    COMMAND_JOB_SPAWN_X86 = 70
    COMMAND_JOB_SPAWN_X64 = 71
    COMMAND_SETENV = 72
    COMMAND_FILE_COPY = 73
    COMMAND_FILE_MOVE = 74
    COMMAND_PPID = 75
    COMMAND_RUN_UNDER_PID = 76
    COMMAND_GETPRIVS = 77
    COMMAND_EXECUTE_JOB = 78
    COMMAND_PSH_HOST_TCP = 79
    COMMAND_DLL_LOAD = 80
    COMMAND_REG_QUERY = 81
    COMMAND_LSOCKET_TCPPIVOT = 82
    COMMAND_ARGUE_ADD = 83
    COMMAND_ARGUE_REMOVE = 84
    COMMAND_ARGUE_LIST = 85
    COMMAND_TCP_CONNECT = 86
    COMMAND_JOB_SPAWN_TOKEN_X86 = 87
    COMMAND_JOB_SPAWN_TOKEN_X64 = 88
    COMMAND_SPAWN_TOKEN_X86 = 89
    COMMAND_SPAWN_TOKEN_X64 = 90
    COMMAND_INJECTX64_PING = 91
    COMMAND_BLOCKDLLS = 92
    COMMAND_SPAWNAS_X86 = 93
    COMMAND_SPAWNAS_X64 = 94
    COMMAND_INLINE_EXECUTE = 95
    COMMAND_RUN_INJECT_X86 = 96
    COMMAND_RUN_INJECT_X64 = 97
    COMMAND_SPAWNU_X86 = 98
    COMMAND_SPAWNU_X64 = 99
    COMMAND_INLINE_EXECUTE_OBJECT = 100
    COMMAND_JOB_REGISTER_MSGMODE = 101
    COMMAND_LSOCKET_BIND_LOCALHOST = 102
class BeaconCallback(IntEnum):
    """Callback identifiers carried in CallbackPacket.callback (Beacon -> Team Server).

    Protocol constants; do not renumber. Values are contiguous 0..32 on this
    page, so ``BeaconCallback(x)`` raises ``ValueError`` for anything else -
    beacon traffic is untrusted input, so handle that rather than letting it
    propagate out of the parser.
    """
    CALLBACK_OUTPUT = 0
    CALLBACK_KEYSTROKES = 1
    CALLBACK_FILE = 2
    CALLBACK_SCREENSHOT = 3
    CALLBACK_CLOSE = 4
    CALLBACK_READ = 5
    CALLBACK_CONNECT = 6
    CALLBACK_PING = 7
    CALLBACK_FILE_WRITE = 8
    CALLBACK_FILE_CLOSE = 9
    CALLBACK_PIPE_OPEN = 10
    CALLBACK_PIPE_CLOSE = 11
    CALLBACK_PIPE_READ = 12
    CALLBACK_POST_ERROR = 13
    CALLBACK_PIPE_PING = 14
    CALLBACK_TOKEN_STOLEN = 15
    CALLBACK_TOKEN_GETUID = 16
    CALLBACK_PROCESS_LIST = 17
    # Name suggests the beacon reports a rejected/replayed post here; see the
    # `counter` field of CallbackPacket. Exact semantics are not defined on this page.
    CALLBACK_POST_REPLAY_ERROR = 18
    CALLBACK_PWD = 19
    CALLBACK_JOBS = 20
    CALLBACK_HASHDUMP = 21
    CALLBACK_PENDING = 22
    CALLBACK_ACCEPT = 23
    CALLBACK_NETVIEW = 24
    CALLBACK_PORTSCAN = 25
    CALLBACK_DEAD = 26
    CALLBACK_SSH_STATUS = 27
    CALLBACK_CHUNK_ALLOCATE = 28
    CALLBACK_CHUNK_SEND = 29
    # Three output variants differ only in text encoding (OEM code page vs UTF-8
    # vs the default); decode `data` accordingly before logging or displaying it.
    CALLBACK_OUTPUT_OEM = 30
    CALLBACK_ERROR = 31
    CALLBACK_OUTPUT_UTF8 = 32