dissect.cobaltstrike.beacon.CS_DEF
Structures for parsing Cobalt Strike Beacon configuration and settings.
// Setting identifiers found in a Beacon's embedded configuration. Each record
// in the config (see struct Setting) carries one of these 16-bit indices.
//
// Several numeric values are reused across product versions (16, 17 and 48
// each appear twice below), so the meaning of a given index depends on the
// Cobalt Strike version the sample was built with; a consumer that maps an
// index back to a name must take the version into account rather than trust
// a single reverse lookup. Value 75 is not defined in this listing.
enum BeaconSetting: uint16 {
SETTING_PROTOCOL = 1,
SETTING_PORT = 2,
SETTING_SLEEPTIME = 3,
SETTING_MAXGET = 4,
SETTING_JITTER = 5,
SETTING_MAXDNS = 6,
SETTING_PUBKEY = 7,
SETTING_DOMAINS = 8,
SETTING_USERAGENT = 9,
SETTING_SUBMITURI = 10,
SETTING_C2_RECOVER = 11,
SETTING_C2_REQUEST = 12,
SETTING_C2_POSTREQ = 13,
SETTING_SPAWNTO = 14, // releasenotes.txt
// CobaltStrike version >= 3.4 (27 Jul, 2016)
SETTING_PIPENAME = 15,
// Index 16 is shared: KILLDATE_YEAR on older builds, BOF_ALLOCATOR from 4.7 on.
SETTING_KILLDATE_YEAR = 16, // Deprecated since Cobalt Strike 4.7
SETTING_BOF_ALLOCATOR = 16, // Introduced in Cobalt Strike 4.7
// Index 17 is shared: KILLDATE_MONTH on older builds, SYSCALL_METHOD from 4.8 on.
SETTING_KILLDATE_MONTH = 17, // Deprecated since Cobalt Strike 4.8
SETTING_SYSCALL_METHOD = 17, // Introduced in Cobalt Strike 4.8
SETTING_KILLDATE_DAY = 18,
SETTING_DNS_IDLE = 19,
SETTING_DNS_SLEEP = 20,
// CobaltStrike version >= 3.5 (22 Sept, 2016)
SETTING_SSH_HOST = 21,
SETTING_SSH_PORT = 22,
SETTING_SSH_USERNAME = 23,
SETTING_SSH_PASSWORD = 24,
SETTING_SSH_KEY = 25,
SETTING_C2_VERB_GET = 26,
SETTING_C2_VERB_POST = 27,
SETTING_C2_CHUNK_POST = 28,
SETTING_SPAWNTO_X86 = 29,
SETTING_SPAWNTO_X64 = 30,
// CobaltStrike version >= 3.6 (8 Dec, 2016)
SETTING_CRYPTO_SCHEME = 31,
// CobaltStrike version >= 3.7 (15 Mar, 2017)
SETTING_PROXY_CONFIG = 32,
SETTING_PROXY_USER = 33,
SETTING_PROXY_PASSWORD = 34,
SETTING_PROXY_BEHAVIOR = 35,
// CobaltStrike version >= 3.8 (23 May 2017)
// DEPRECATED_SETTING_INJECT_OPTIONS = 36,
// Renamed from DEPRECATED_SETTING_INJECT_OPTIONS in CobaltStrike 4.5
// (listed as SETTING_INJECT_OPTIONS in enum DeprecatedBeaconSetting below)
SETTING_WATERMARKHASH = 36,
// CobaltStrike version >= 3.9 (Sept 26, 2017)
SETTING_WATERMARK = 37,
// CobaltStrike version >= 3.11 (April 9, 2018)
SETTING_CLEANUP = 38,
// CobaltStrike version >= 3.11 (May 24, 2018)
SETTING_CFG_CAUTION = 39,
// CobaltStrike version >= 3.12 (Sept 6, 2018)
SETTING_KILLDATE = 40,
SETTING_GARGLE_NOOK = 41, // https://www.youtube.com/watch?v=nLTgWdXrx3U
SETTING_GARGLE_SECTIONS = 42,
SETTING_PROCINJ_PERMS_I = 43,
SETTING_PROCINJ_PERMS = 44,
SETTING_PROCINJ_MINALLOC = 45,
SETTING_PROCINJ_TRANSFORM_X86 = 46,
SETTING_PROCINJ_TRANSFORM_X64 = 47,
// Index 48 is shared: PROCINJ_ALLOWED on older builds, PROCINJ_BOF_REUSE_MEM from 4.7 on.
SETTING_PROCINJ_ALLOWED = 48, // Deprecated since Cobalt Strike 4.7
SETTING_PROCINJ_BOF_REUSE_MEM = 48, // Introduced in Cobalt Strike 4.7
// CobaltStrike version >= 3.13 (Jan 2, 2019)
SETTING_BINDHOST = 49,
// CobaltStrike version >= 3.14 (May 4, 2019)
SETTING_HTTP_NO_COOKIES = 50,
SETTING_PROCINJ_EXECUTE = 51,
SETTING_PROCINJ_ALLOCATOR = 52,
SETTING_PROCINJ_STUB = 53, // .self = MD5(cobaltstrike.jar)
// CobaltStrike version >= 4.0 (Dec 5, 2019)
SETTING_HOST_HEADER = 54,
SETTING_EXIT_FUNK = 55,
// CobaltStrike version >= 4.1 (June 25, 2020)
SETTING_SSH_BANNER = 56,
SETTING_SMB_FRAME_HEADER = 57,
SETTING_TCP_FRAME_HEADER = 58,
// CobaltStrike version >= 4.2 (Nov 6, 2020)
SETTING_HEADERS_REMOVE = 59,
// CobaltStrike version >= 4.3 (Mar 3, 2021)
SETTING_DNS_BEACON_BEACON = 60,
SETTING_DNS_BEACON_GET_A = 61,
SETTING_DNS_BEACON_GET_AAAA = 62,
SETTING_DNS_BEACON_GET_TXT = 63,
SETTING_DNS_BEACON_PUT_METADATA = 64,
SETTING_DNS_BEACON_PUT_OUTPUT = 65,
SETTING_DNSRESOLVER = 66,
SETTING_DOMAIN_STRATEGY = 67,
SETTING_DOMAIN_STRATEGY_SECONDS = 68,
SETTING_DOMAIN_STRATEGY_FAIL_X = 69,
SETTING_DOMAIN_STRATEGY_FAIL_SECONDS = 70,
// CobaltStrike version >= 4.5 (Dec 14, 2021)
SETTING_MAX_RETRY_STRATEGY_ATTEMPTS = 71,
SETTING_MAX_RETRY_STRATEGY_INCREASE = 72,
SETTING_MAX_RETRY_STRATEGY_DURATION = 73,
// CobaltStrike version >= 4.7 (Aug 17, 2022)
SETTING_MASKED_WATERMARK = 74,
// CobaltStrike version >= 4.9 (Sep 19, 2023)
// Note the gap: no setting with index 75 is defined here.
SETTING_DATA_STORE_SIZE = 76,
// CobaltStrike version >= 4.10 (Jul 16, 2024)
SETTING_HTTP_DATA_REQUIRED = 77,
SETTING_BEACON_GATE = 78,
};
// Older names for indices that have since been reassigned in BeaconSetting
// (16 -> SETTING_BOF_ALLOCATOR, 36 -> SETTING_WATERMARKHASH). Kept so that
// configs from pre-reassignment builds can still be labelled with the name
// that applied at the time.
enum DeprecatedBeaconSetting: uint16 {
SETTING_KILLDATE_YEAR = 16,
SETTING_INJECT_OPTIONS = 36,
};
// Step opcodes of a malleable C2 data-transform program, as stored in the
// SETTING_C2_REQUEST / SETTING_C2_POSTREQ / SETTING_PROCINJ_TRANSFORM_*
// style settings (32-bit per step). The underscore-prefixed variants
// (_PARAMETER, _HEADER, _HOSTHEADER) are distinct opcodes from their plain
// counterparts; this listing does not state how they differ, so treat the
// names as labels only and confirm their semantics against the parser that
// interprets them.
enum TransformStep: uint32 {
APPEND = 1,
PREPEND = 2,
BASE64 = 3,
PRINT = 4,
PARAMETER = 5,
HEADER = 6,
BUILD = 7,
NETBIOS = 8,
_PARAMETER = 9,
_HEADER = 10,
NETBIOSU = 11,
URI_APPEND = 12,
BASE64URL = 13,
STRREP = 14,
MASK = 15,
// CobaltStrike version >= 4.0 (Dec 5, 2019)
_HOSTHEADER = 16,
};
// Type tag of a Setting record's value. The tag describes how to interpret
// the `value` bytes, but the number of bytes actually present is always given
// by Setting.length, not by the tag. (TYPE_SHORT and TYPE_INT are presumably
// 2- and 4-byte integers and TYPE_PTR an opaque byte blob — confirm against
// the consuming parser; this listing does not pin the widths.)
enum SettingsType: uint16 {
TYPE_NONE = 0,
TYPE_SHORT = 1,
TYPE_INT = 2,
TYPE_PTR = 3,
};
// One TLV record of the Beacon configuration: a 16-bit setting index, a
// 16-bit type tag, a 16-bit length, then `length` bytes of value.
//
// `length` is read verbatim from the sample being analysed, so a truncated
// or deliberately malformed config can declare a size larger than the bytes
// that remain. Consumers should bound `length` against the remaining buffer
// (and treat an unknown `index` or `type` as data to report, not to trust)
// before acting on `value`.
struct Setting {
BeaconSetting index; // uint16 — which setting this record carries
SettingsType type; // uint16 — how to interpret `value`
uint16 length; // uint16 — byte count of `value`, sample-controlled
char value[length]; // raw value bytes; variable-length, sized by `length`
};
// Transport selector stored in SETTING_PROTOCOL. Declared as a flag set, so a
// value may combine several members (e.g. 4 | 16). Note that `http` is 0:
// it has no bit of its own and is effectively the meaning of "no other bit
// set", so a presence test on it behaves differently from the other members
// — check how the enclosing flag implementation renders a zero value.
flag BeaconProtocol {
http = 0,
dns = 1,
smb = 2,
tcp = 4,
https = 8,
bind = 16
};
// Proxy behaviour selector (presumably the value of SETTING_PROXY_BEHAVIOR —
// confirm against the parser). Declared as a flag set; as with
// BeaconProtocol, MANUAL is 0 and therefore carries no bit of its own.
flag ProxyServer {
MANUAL = 0,
DIRECT = 1,
PRECONFIG = 2,
MANUAL_CREDS = 4
};
// Value of SETTING_CRYPTO_SCHEME (introduced in 3.6). Distinguishes a
// licensed build from a trial build; which cryptographic behaviour each
// implies is not stated in this listing.
enum CryptoScheme: uint16 {
CRYPTO_LICENSED_PRODUCT = 0,
CRYPTO_TRIAL_PRODUCT = 1
};
// Allocation method recorded in SETTING_PROCINJ_ALLOCATOR (8-bit). Useful
// for profiling a sample's configured injection technique when writing
// detections; the names mirror the Windows APIs they refer to.
enum InjectAllocator: uint8 {
VirtualAllocEx = 0,
NtMapViewOfSection = 1,
};
// Execution method recorded in SETTING_PROCINJ_EXECUTE (8-bit). Values 6-8
// are variants of earlier entries distinguished only by a suffix in the
// name; this listing does not describe how they differ from the plain
// forms, so report them by their numeric value as well as the label.
enum InjectExecutor: uint8 {
CreateThread = 1,
SetThreadContext = 2,
CreateRemoteThread = 3,
RtlCreateUserThread = 4,
NtQueueApcThread = 5,
CreateThread_ = 6,
CreateRemoteThread_ = 7,
NtQueueApcThread_s = 8
};
// Memory allocator for BOFs, recorded in SETTING_BOF_ALLOCATOR (index 16,
// Cobalt Strike >= 4.7). On older builds index 16 is SETTING_KILLDATE_YEAR,
// so only decode a value with this enum once the sample's version is known.
enum BofAllocator: uint16 {
VirtualAlloc = 0,
MapViewOfFile = 1,
HeapAlloc = 2,
};
// https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-gate.htm
// Per-API options for Beacon Gate (SETTING_BEACON_GATE, Cobalt Strike >= 4.10).
// One uint8 per Windows API, in the fixed order below; the fields are grouped
// by the original author's comments into communications, core and cleanup
// APIs. Each byte presumably acts as an on/off selector for that API — the
// listing does not define the value encoding, so confirm it against the
// consuming parser before interpreting non-zero values.
struct BeaconGateOptions {
uint8 InternetOpenA; // comms
uint8 InternetConnectA;
uint8 VirtualAlloc; // core
uint8 VirtualAllocEx;
uint8 VirtualProtect;
uint8 VirtualProtectEx;
uint8 VirtualFree;
uint8 GetThreadContext;
uint8 SetThreadContext;
uint8 ResumeThread;
uint8 CreateThread;
uint8 CreateRemoteThread;
uint8 OpenProcess;
uint8 OpenThread;
uint8 CloseHandle;
uint8 CreateFileMappingA;
uint8 MapViewOfFile;
uint8 UnmapViewOfFile;
uint8 VirtualQuery;
uint8 DuplicateHandle;
uint8 ReadProcessMemory;
uint8 WriteProcessMemory;
uint8 ExitThread; // cleanup
};