beacon-artifact

The command beacon-artifact can be used to dump payloads from executables generated by ArtifactKit. Usually the artifact executable is a stageless beacon, but it could also contain stager shellcode.

$ beacon-artifact <artifactkit-file> | xxd

The beacon-artifact tool only dumps the extracted payload (to stdout by default). If the extracted payload is a beacon (stageless artifact) rather than a stager, you can pipe the output directly to beacon-dump - to dump the beacon configuration.

$ beacon-artifact <artifactkit-file> | beacon-dump -

If the command is not on your PATH, you can also run it as a Python module:

$ python -m dissect.cobaltstrike.artifact --help

beacon-artifact - CLI interface

beacon-artifact [-h] [-v] [-o OUTPUT] FILE

beacon-artifact positional arguments

  • FILE - FILE to decode (default: None)

beacon-artifact options

  • -h, --help - show this help message and exit

  • -v, --verbose - verbosity level (-v for INFO, -vv for DEBUG) (default: 0)

  • -o OUTPUT, --output OUTPUT - write decoded ArtifactKit payload to FILE (default: -)
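
The following triage helper is an added example, not part of the dissect.cobaltstrike documentation. It saves the extracted payload with the -o option listed above, then feeds it to beacon-dump - as described earlier to tell a stageless beacon from a stager. The function name triage_artifact, the output file names, and the assumption that beacon-dump exits non-zero on a payload that is not a beacon are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage one ArtifactKit sample using the CLI forms shown on this page.
# Assumption: beacon-dump exits non-zero when its input is not a beacon (e.g. a stager).

# triage_artifact SAMPLE OUTDIR
# Prints one verdict on stdout: beacon | stager-or-unknown | no-payload
triage_artifact() {
    sample=$1
    outdir=$2
    payload="$outdir/$(basename "$sample").payload.bin"

    mkdir -p "$outdir" || return 2

    # -o writes the decoded payload to a file instead of stdout,
    # so the exact bytes are preserved as evidence before any parsing.
    if ! beacon-artifact -o "$payload" "$sample"; then
        echo "no-payload"
        return 1
    fi
    if [ ! -s "$payload" ]; then
        # The tool ran but produced nothing: not an ArtifactKit file we can decode.
        echo "no-payload"
        return 1
    fi

    # Record a hash of the payload for case notes and deduplication.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$payload" > "$payload.sha256"
    fi

    # Same as `beacon-artifact FILE | beacon-dump -`, but reading the saved payload.
    if beacon-dump - < "$payload" > "$payload.config.txt"; then
        echo "beacon"
    else
        # No configuration could be dumped: treat the payload as stager shellcode
        # (or something else) and keep it for separate analysis.
        rm -f "$payload.config.txt"
        echo "stager-or-unknown"
    fi
}

# Stand-alone use: ./triage.sh SAMPLE [OUTDIR]
if [ "$#" -ge 1 ]; then
    triage_artifact "$1" "${2:-./triage-out}"
fi
```

On a "beacon" verdict the configuration is in the .config.txt file next to the saved payload; otherwise only the payload and its hash are kept.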