dissect.cobaltstrike.c_c2
=========================

.. py:module:: dissect.cobaltstrike.c_c2

.. autoapi-nested-parse::

   Structure definitions and classes for dealing with Cobalt Strike C2 packets.

   Mainly used by :mod:`dissect.cobaltstrike.c2`. The :py:class:`BeaconCommand`
   and :py:class:`BeaconCallback` values are the numeric identifiers carried in
   the ``command`` and ``callback`` fields of the packet structures declared in
   :py:data:`C2_DEF`.


Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.c_c2.C2_DEF
   dissect.cobaltstrike.c_c2.c2struct
   dissect.cobaltstrike.c_c2.BeaconMetadata
   dissect.cobaltstrike.c_c2.CallbackPacket
   dissect.cobaltstrike.c_c2.TaskPacket


Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.c_c2.BeaconCommand
   dissect.cobaltstrike.c_c2.BeaconCallback


Functions
---------

.. autoapisummary::

   dissect.cobaltstrike.c_c2.typedef_for_enum


Module Contents
---------------

.. py:class:: BeaconCommand

   Bases: :py:obj:`enum.IntEnum`

   Enum where members are also (and must be) ints

   .. py:attribute:: COMMAND_SPAWN
      :value: 1

   .. py:attribute:: COMMAND_SHELL
      :value: 2

   .. py:attribute:: COMMAND_DIE
      :value: 3

   .. py:attribute:: COMMAND_SLEEP
      :value: 4

   .. py:attribute:: COMMAND_CD
      :value: 5

   .. py:attribute:: COMMAND_KEYLOG_START
      :value: 6

   .. py:attribute:: COMMAND_NOOP
      :value: 6

   .. note::

      ``COMMAND_KEYLOG_START`` and ``COMMAND_NOOP`` share the value ``6``.
      :py:class:`enum.IntEnum` treats a repeated value as an alias of the member
      defined first, so ``BeaconCommand(6)`` resolves to ``COMMAND_KEYLOG_START``.
      A decoded task whose command is ``6`` should therefore not be reported as
      keylogger activity on the member name alone.

   .. py:attribute:: COMMAND_KEYLOG_STOP
      :value: 7

   .. py:attribute:: COMMAND_CHECKIN
      :value: 8

   .. py:attribute:: COMMAND_INJECT_PID
      :value: 9

   .. py:attribute:: COMMAND_UPLOAD
      :value: 10

   .. py:attribute:: COMMAND_DOWNLOAD
      :value: 11

   .. py:attribute:: COMMAND_EXECUTE
      :value: 12

   .. py:attribute:: COMMAND_SPAWN_PROC_X86
      :value: 13

   .. py:attribute:: COMMAND_CONNECT
      :value: 14

   .. py:attribute:: COMMAND_SEND
      :value: 15

   .. py:attribute:: COMMAND_CLOSE
      :value: 16

   .. py:attribute:: COMMAND_LISTEN
      :value: 17

   .. py:attribute:: COMMAND_INJECT_PING
      :value: 18

   .. py:attribute:: COMMAND_CANCEL_DOWNLOAD
      :value: 19

   .. py:attribute:: COMMAND_PIPE_ROUTE
      :value: 22

   .. py:attribute:: COMMAND_PIPE_CLOSE
      :value: 23

   .. py:attribute:: COMMAND_PIPE_REOPEN
      :value: 24

   .. py:attribute:: COMMAND_TOKEN_GETUID
      :value: 27

   .. py:attribute:: COMMAND_TOKEN_REV2SELF
      :value: 28

   .. py:attribute:: COMMAND_TIMESTOMP
      :value: 29

   .. py:attribute:: COMMAND_STEAL_TOKEN
      :value: 31

   .. py:attribute:: COMMAND_PS_LIST
      :value: 32

   .. py:attribute:: COMMAND_PS_KILL
      :value: 33

   .. py:attribute:: COMMAND_PSH_IMPORT
      :value: 37

   .. py:attribute:: COMMAND_RUNAS
      :value: 38

   .. py:attribute:: COMMAND_PWD
      :value: 39

   .. py:attribute:: COMMAND_JOB_REGISTER
      :value: 40

   .. py:attribute:: COMMAND_JOBS
      :value: 41

   .. py:attribute:: COMMAND_JOB_KILL
      :value: 42

   .. py:attribute:: COMMAND_INJECTX64_PID
      :value: 43

   .. py:attribute:: COMMAND_SPAWNX64
      :value: 44

   .. py:attribute:: COMMAND_INJECT_PID_PING
      :value: 45

   .. py:attribute:: COMMAND_INJECTX64_PID_PING
      :value: 46

   .. py:attribute:: COMMAND_PAUSE
      :value: 47

   .. py:attribute:: COMMAND_LOGINUSER
      :value: 49

   .. py:attribute:: COMMAND_LSOCKET_BIND
      :value: 50

   .. py:attribute:: COMMAND_LSOCKET_CLOSE
      :value: 51

   .. py:attribute:: COMMAND_STAGE_PAYLOAD
      :value: 52

   .. py:attribute:: COMMAND_FILE_LIST
      :value: 53

   .. py:attribute:: COMMAND_FILE_MKDIR
      :value: 54

   .. py:attribute:: COMMAND_FILE_DRIVES
      :value: 55

   .. py:attribute:: COMMAND_FILE_RM
      :value: 56

   .. py:attribute:: COMMAND_STAGE_PAYLOAD_SMB
      :value: 57

   .. py:attribute:: COMMAND_WEBSERVER_LOCAL
      :value: 59

   .. py:attribute:: COMMAND_ELEVATE_PRE
      :value: 60

   .. py:attribute:: COMMAND_ELEVATE_POST
      :value: 61

   .. py:attribute:: COMMAND_JOB_REGISTER_IMPERSONATE
      :value: 62

   .. py:attribute:: COMMAND_SPAWN_POWERSHELLX86
      :value: 63

   .. py:attribute:: COMMAND_SPAWN_POWERSHELLX64
      :value: 64

   .. py:attribute:: COMMAND_INJECT_POWERSHELLX86_PID
      :value: 65

   .. py:attribute:: COMMAND_INJECT_POWERSHELLX64_PID
      :value: 66

   .. py:attribute:: COMMAND_UPLOAD_CONTINUE
      :value: 67

   .. py:attribute:: COMMAND_PIPE_OPEN_EXPLICIT
      :value: 68

   .. py:attribute:: COMMAND_SPAWN_PROC_X64
      :value: 69

   .. py:attribute:: COMMAND_JOB_SPAWN_X86
      :value: 70

   .. py:attribute:: COMMAND_JOB_SPAWN_X64
      :value: 71

   .. py:attribute:: COMMAND_SETENV
      :value: 72

   .. py:attribute:: COMMAND_FILE_COPY
      :value: 73

   .. py:attribute:: COMMAND_FILE_MOVE
      :value: 74

   .. py:attribute:: COMMAND_PPID
      :value: 75

   .. py:attribute:: COMMAND_RUN_UNDER_PID
      :value: 76

   .. py:attribute:: COMMAND_GETPRIVS
      :value: 77

   .. py:attribute:: COMMAND_EXECUTE_JOB
      :value: 78

   .. py:attribute:: COMMAND_PSH_HOST_TCP
      :value: 79

   .. py:attribute:: COMMAND_DLL_LOAD
      :value: 80

   .. py:attribute:: COMMAND_REG_QUERY
      :value: 81

   .. py:attribute:: COMMAND_LSOCKET_TCPPIVOT
      :value: 82

   .. py:attribute:: COMMAND_ARGUE_ADD
      :value: 83

   .. py:attribute:: COMMAND_ARGUE_REMOVE
      :value: 84

   .. py:attribute:: COMMAND_ARGUE_LIST
      :value: 85

   .. py:attribute:: COMMAND_TCP_CONNECT
      :value: 86

   .. py:attribute:: COMMAND_JOB_SPAWN_TOKEN_X86
      :value: 87

   .. py:attribute:: COMMAND_JOB_SPAWN_TOKEN_X64
      :value: 88

   .. py:attribute:: COMMAND_SPAWN_TOKEN_X86
      :value: 89

   .. py:attribute:: COMMAND_SPAWN_TOKEN_X64
      :value: 90

   .. py:attribute:: COMMAND_INJECTX64_PING
      :value: 91

   .. py:attribute:: COMMAND_BLOCKDLLS
      :value: 92

   .. py:attribute:: COMMAND_SPAWNAS_X86
      :value: 93

   .. py:attribute:: COMMAND_SPAWNAS_X64
      :value: 94

   .. py:attribute:: COMMAND_INLINE_EXECUTE
      :value: 95

   .. py:attribute:: COMMAND_RUN_INJECT_X86
      :value: 96

   .. py:attribute:: COMMAND_RUN_INJECT_X64
      :value: 97

   .. py:attribute:: COMMAND_SPAWNU_X86
      :value: 98

   .. py:attribute:: COMMAND_SPAWNU_X64
      :value: 99

   .. py:attribute:: COMMAND_INLINE_EXECUTE_OBJECT
      :value: 100

   .. py:attribute:: COMMAND_JOB_REGISTER_MSGMODE
      :value: 101

   .. py:attribute:: COMMAND_LSOCKET_BIND_LOCALHOST
      :value: 102


.. py:class:: BeaconCallback

   Bases: :py:obj:`enum.IntEnum`

   Enum where members are also (and must be) ints

   .. py:attribute:: CALLBACK_OUTPUT
      :value: 0

   .. py:attribute:: CALLBACK_KEYSTROKES
      :value: 1

   .. py:attribute:: CALLBACK_FILE
      :value: 2

   .. py:attribute:: CALLBACK_SCREENSHOT
      :value: 3

   .. py:attribute:: CALLBACK_CLOSE
      :value: 4

   .. py:attribute:: CALLBACK_READ
      :value: 5

   .. py:attribute:: CALLBACK_CONNECT
      :value: 6

   .. py:attribute:: CALLBACK_PING
      :value: 7

   .. py:attribute:: CALLBACK_FILE_WRITE
      :value: 8

   .. py:attribute:: CALLBACK_FILE_CLOSE
      :value: 9

   .. py:attribute:: CALLBACK_PIPE_OPEN
      :value: 10

   .. py:attribute:: CALLBACK_PIPE_CLOSE
      :value: 11

   .. py:attribute:: CALLBACK_PIPE_READ
      :value: 12

   .. py:attribute:: CALLBACK_POST_ERROR
      :value: 13

   .. py:attribute:: CALLBACK_PIPE_PING
      :value: 14

   .. py:attribute:: CALLBACK_TOKEN_STOLEN
      :value: 15

   .. py:attribute:: CALLBACK_TOKEN_GETUID
      :value: 16

   .. py:attribute:: CALLBACK_PROCESS_LIST
      :value: 17

   .. py:attribute:: CALLBACK_POST_REPLAY_ERROR
      :value: 18

   .. py:attribute:: CALLBACK_PWD
      :value: 19

   .. py:attribute:: CALLBACK_JOBS
      :value: 20

   .. py:attribute:: CALLBACK_HASHDUMP
      :value: 21

   .. py:attribute:: CALLBACK_PENDING
      :value: 22

   .. py:attribute:: CALLBACK_ACCEPT
      :value: 23

   .. py:attribute:: CALLBACK_NETVIEW
      :value: 24

   .. py:attribute:: CALLBACK_PORTSCAN
      :value: 25

   .. py:attribute:: CALLBACK_DEAD
      :value: 26

   .. py:attribute:: CALLBACK_SSH_STATUS
      :value: 27

   .. py:attribute:: CALLBACK_CHUNK_ALLOCATE
      :value: 28

   .. py:attribute:: CALLBACK_CHUNK_SEND
      :value: 29

   .. py:attribute:: CALLBACK_OUTPUT_OEM
      :value: 30

   .. py:attribute:: CALLBACK_ERROR
      :value: 31

   .. py:attribute:: CALLBACK_OUTPUT_UTF8
      :value: 32


.. py:data:: C2_DEF
   :value: Multiline-String
   .. code-block:: python

      """
      // Callback data from: Beacon -> Team Server
      typedef struct CallbackPacket {
          uint32 counter;
          uint32 size;
          BeaconCallback callback;
          char data[size];
      };

      // Task from: Team Server -> Beacon
      typedef struct TaskPacket {
          uint32 epoch;
          uint32 total_size;
          BeaconCommand command;
          uint32 size;
          char data[size];
      };

      struct BeaconMetadata {
          uint32 magic;
          uint32 size;
          char aes_rand[16];
          uint16 ansi_cp;     // GetACP
          uint16 oem_cp;      // GetOEMCP
          uint32 bid;
          uint32 pid;
          uint16 port;
          uint8 flag;
          uint8 ver_major;
          uint8 ver_minor;
          uint16 ver_build;
          uint32 ptr_x64;     // for x64 addressing
          uint32 ptr_gmh;     // GetModuleHandle
          uint32 ptr_gpa;     // GetProcAddress
          uint32 ip;
          char info[size - 51];
      };
      """

   .. note::

      The ``size`` fields are read from the packet itself and determine the
      length of the trailing ``data`` / ``info`` arrays, so a decoder built from
      these definitions should bound them against the bytes actually available
      rather than trust them blindly. In ``BeaconMetadata`` the fixed fields
      between ``size`` and ``info`` occupy 51 bytes, which is why ``info`` is
      declared ``size - 51`` long and why a ``size`` smaller than 51 cannot
      describe a well-formed metadata blob.
.. py:data:: c2struct

.. py:function:: typedef_for_enum(enum_class: enum.IntEnum, int_type: str = 'uint32') -> str

   Return a C-compatible ``typedef`` string for *enum_class*, using *int_type*
   as the underlying integer type (default ``'uint32'``). NOTE(review): the
   default presumably matches the width expected for the ``command`` and
   ``callback`` fields in :py:data:`C2_DEF`; confirm before changing it.

.. py:data:: BeaconMetadata

.. py:data:: CallbackPacket

.. py:data:: TaskPacket