beacon-pcap
The command beacon-pcap can be used to parse PCAP files containing Cobalt Strike C2 traffic. The AES key of the beacon session or the RSA private key of the Team Server is required to decrypt the traffic.
Tip
If you enable -v / --verbose logging and have the rich module installed, rich is used automatically to render the console logging, which can be easier on the eyes.
The beacon config or payload can be specified using the -b / --beacon flag. If it is not specified, beacon-pcap tries to find one in the PCAP by checking for any staged beacon payloads, and it will always use the first one it finds. If there are multiple staged beacons in the PCAP, you can extract them first using -e / --extract-beacons and specify the one you want to use with --beacon.
To ensure you have all the dependencies for beacon-pcap you can use the following pip command:
$ pip install -e 'dissect.cobaltstrike[pcap]'
Example usage if you have the RSA private key:
$ beacon-pcap --private-key privkey.der traffic.pcap
This will read traffic.pcap and use the RSA private key privkey.der for decrypting Beacon Metadata and C2 Packets. As no beacon is specified, it will try to find a staged beacon payload in the PCAP.
By default all the decrypted C2 packets are written as flow.record records to stdout. The output can be redirected to a file using the -w / --writer argument, for example:
$ beacon-pcap -v -p privkey.der -w beacon-c2.records.gz traffic.pcap
This will write the decrypted C2 packets to beacon-c2.records.gz instead of stdout. The file can then be dumped using the tool rdump, which is part of the flow.record package and is installed as a dependency.
$ rdump beacon-c2.records.gz
If the command is not in your path, you can also run the command using the following Python module:
$ python -m dissect.cobaltstrike.pcap --help
beacon-pcap - CLI interface
beacon-pcap [-h] [-f FILTER] [-c C2] [-n NSS_KEYLOG_FILE] [-a AES] [-m HMAC] [-k]
            [-p PRIVATE_KEY] [-b BEACON] [-A] [-v] [-e] [-w WRITER]
            PCAP
beacon-pcap positional arguments
PCAP
- PCAP to parse (default: None)
beacon-pcap options
-f FILTER, --filter FILTER
- Wireshark display filter to apply while parsing PCAP (default: None)
-c C2, --c2 C2
- Cobalt Strike C2 ip address (default: None)
-n NSS_KEYLOG_FILE, --nss-keylog-file NSS_KEYLOG_FILE
- NSS keylog file to use for decrypting SSL traffic (default: None)
-m HMAC, --hmac HMAC
- HMAC key to use (in hex) (default: None)
-k, --no-hmac-verify
- Disable HMAC signature verification
-p PRIVATE_KEY, --private-key PRIVATE_KEY
- Path to RSA private key (default: None)
-b BEACON, --beacon BEACON
- Use the BeaconConfig from this Beacon (default: None)
-A, --all-metadata
- Dump all metadata and not only unique
-e, --extract-beacons
- Extract found beacons in pcap
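The -m / --hmac and -k / --no-hmac-verify options above only make sense once you see what the HMAC layer does. The following is an added example, not code from dissect.cobaltstrike or from this page: it shows how a session key is split into the AES and HMAC halves that -a / -m expect, and how the tag check that -k disables rejects a tampered body or a body decrypted with the wrong key. The key derivation (SHA-256 of the 16-byte session key, first half AES-128 key, second half HMAC key) and the body layout (ciphertext followed by a 16-byte truncated HMAC-SHA256 tag) are taken from public analyses of the Beacon C2 scheme and are assumptions of this example; the AES-CBC decryption that would follow a successful check is deliberately left out.

```python
"""Added example: the HMAC-then-decrypt gate behind beacon-pcap's -k flag.

Assumed here (from public write-ups, not from the beacon-pcap docs):
  * aes_key, hmac_key = SHA256(session_key)[:16], SHA256(session_key)[16:]
  * encrypted C2 body  = ciphertext || HMAC-SHA256(hmac_key, ciphertext)[:16]
Only the MAC layer is modelled; ciphertext is random filler standing in
for AES-CBC output.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

TAG_LEN = 16


def derive_keys(session_key: bytes) -> Tuple[bytes, bytes]:
    """Split SHA-256(session_key) into (aes_key, hmac_key), 16 bytes each."""
    if len(session_key) != 16:
        raise ValueError("session key must be 16 bytes")
    digest = hashlib.sha256(session_key).digest()
    return digest[:16], digest[16:]


def seal(ciphertext: bytes, hmac_key: bytes) -> bytes:
    """Append the truncated tag the way a sender would; used here only to
    construct sample bodies for the demo."""
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return ciphertext + tag


def open_packet(body: bytes, hmac_key: bytes, verify_hmac: bool = True) -> bytes:
    """Return the ciphertext part of an encrypted C2 body.

    verify_hmac=True mirrors beacon-pcap's default: a body whose tag does
    not match is rejected, which is what a wrong key or a corrupted capture
    looks like. verify_hmac=False mirrors -k: the tag is stripped blindly
    and whatever is left would be handed to AES.
    """
    if len(body) <= TAG_LEN:
        raise ValueError("body too short to carry an HMAC tag")
    ciphertext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if verify_hmac:
        expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        # constant-time comparison; never compare MAC tags with ==
        if not hmac.compare_digest(tag, expected):
            raise ValueError("HMAC verification failed")
    return ciphertext


def _rejected(body: bytes, hmac_key: bytes) -> bool:
    """True when open_packet refuses the body under verification."""
    try:
        open_packet(body, hmac_key)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, object]:
    """Constructed scenario: correct key passes, a flipped byte and a wrong
    key are rejected, and -k lets the flipped body through unnoticed."""
    session_key = bytes(range(16))            # constructed, not a real key
    aes_key, hmac_key = derive_keys(session_key)
    ciphertext = os.urandom(48)               # stands in for AES-CBC output
    body = seal(ciphertext, hmac_key)

    tampered = bytearray(body)
    tampered[0] ^= 0x01                       # one bit flipped in ciphertext
    tampered = bytes(tampered)
    _, wrong_hmac_key = derive_keys(bytes(16))

    return {
        "ok": open_packet(body, hmac_key) == ciphertext,
        "tampered_rejected": _rejected(tampered, hmac_key),
        "wrong_key_rejected": _rejected(body, wrong_hmac_key),
        # equivalent of -k: the damaged ciphertext passes straight through
        "no_verify_passes_tampered": open_packet(tampered, hmac_key, False)
        == tampered[:-TAG_LEN],
        "aes_key_hex": aes_key.hex(),         # what you would pass to -a
        "hmac_key_hex": hmac_key.hex(),       # what you would pass to -m
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical reading for an analyst: a stream of HMAC failures from beacon-pcap almost always means the wrong AES/HMAC pair or private key for that session, not a broken capture, so reach for the right key before reaching for -k; with verification disabled, mismatched keys produce plausible-looking garbage rather than an error.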