beacon-dump

You can use the command beacon-dump to dump configuration from Cobalt Strike beacon paylaods.

If the command is not in your path, you can also use run the command using the following Python module:

$ python -m dissect.cobaltstrike.beacon --help

XOR keys

The beacon configuration is usually obfuscated using a single-byte XOR key. beacon-dump automatically tries all the default xor keys (0x69 and 0x2e).

In case a beacon uses a non default XOR key you can specify the -a or --all-xor-keys argument to check all possible single byte XOR keys. Note that this option is not recommended for large payloads such as memory dumps.

You can also use the -x or --xorkey option to specify a known XOR key or a set of keys by repeating the argument:

$ beacon-dump -x 0xAC -x 0xCE -x 0x55 -x 0xED <beacon-file>

Output format

The output format can be specified using the -f or --format option. The following formats are supported:

normal: output the beacon configuration in a human readable format of key value pairs (default)

dumpstruct: output the beacon settings using cstruct.dumpstruct

c2profile: output the beacon configuration as a malleable C2 profile

raw: output the raw beacon configuration

beacon-dump - CLI interface

beacon-dump [-h] [-x XORKEY] [-a] [-t {normal,raw,dumpstruct,c2profile}] [-v] FILE

beacon-dump positional arguments

FILE - Beacon to dump (default: None)

beacon-dump options

-h, --help - show this help message and exit
-x XORKEY, --xorkey XORKEY - override default xor key(s) (default: -x 0x69 -x 0x2e -x 0x00)
-a, --all - try all other single byte xor keys when default ones fail
-t TYPE, --type TYPE - output format (default: normal)
-v, --verbose - verbosity level (-v for INFO, -vv for DEBUG) (default: 0)