dissect.cobaltstrike.client
Beacon client that can actively connect to a Cobalt Strike Team Server.
Danger
The client actively connects to a Cobalt Strike Team Server, caution should be taken when using this. A default client will perform check-ins and only log the tasks it receives unless implemented otherwise.
Module Contents
Classes
A Beacon Client that can communicate with a Cobalt Strike Team Server over HTTP. |
Functions
|
Returns a random Windows like computer name, if username is set it can also return |
|
Returns a random username in the form of |
|
Return a random Windows version in the form of the tuple (major, minor, build). |
|
Return a random process name. |
|
Return a random internal RFC1918 IP address. |
|
|
|
|
|
This will output |
|
This will output |
|
Return the default ArgumentParser for the beacon client. |
|
Helper function to parse commandline options and return a typle of (args, options). |
|
Attributes
- dissect.cobaltstrike.client.FIRST_NAMES = ['Michael', 'James', 'John', 'Robert', 'David', 'William', 'Mary', 'Christopher', 'Joseph',...[source]
- dissect.cobaltstrike.client.LAST_NAMES = ['SMITH', 'JOHNSON', 'WILLIAMS', 'BROWN', 'JONES', 'GARCIA', 'RODRIGUEZ', 'MILLER', 'MARTINEZ',...[source]
- dissect.cobaltstrike.client.PROCESS_NAMES = ['rundll32.exe', 'dllhost.exe', 'gpupdate.exe', 'svchost.exe', 'mstsc.exe', 'WerFault.exe',...[source]
- dissect.cobaltstrike.client.random_computer_name(username: Optional[str] = None) str[source]
Returns a random Windows like computer name, if username is set it can also return
<USERNAME>-PC
- dissect.cobaltstrike.client.random_username_name() str[source]
Returns a random username in the form of
john.smithorJohn Smith.
- dissect.cobaltstrike.client.random_windows_ver() Tuple[int, int, int][source]
Return a random Windows version in the form of the tuple (major, minor, build).
- dissect.cobaltstrike.client.random_internal_ip() ipaddress.IPv4Address[source]
Return a random internal RFC1918 IP address.
- dissect.cobaltstrike.client.CallbackError(code: int, n1: int, n2: int, message: str) Tuple[int, bytes][source]
- dissect.cobaltstrike.client.CallbackDebugMessage(message: str) Tuple[int, bytes][source]
This will output
'[-] DEBUG: <message>'to the Team Server console.
- dissect.cobaltstrike.client.CallbackOutputMessage(message: str) Tuple[int, bytes][source]
This will output
'[+] received output: <message>'to the Team Server console.
- class dissect.cobaltstrike.client.HttpBeaconClient[source]
A Beacon Client that can communicate with a Cobalt Strike Team Server over HTTP.
- run(bconfig: dissect.cobaltstrike.c2.BeaconConfig, dry_run=False, scheme=None, domain=None, port=None, beacon_id=None, pid=None, computer=None, user=None, process=None, internal_ip=None, arch=None, barch=None, ansi_cp=58372, oem_cp=46337, high_integrity=False, sleeptime=None, jitter=None, user_agent=None, verbose=None, silent=None, writer=None)[source]
Run the Beacon Client.
- _initial_get_request() dissect.cobaltstrike.c2.HttpRequest[source]
Return the initial HttpRequest object for retrieving tasks from the Team Server.
- _initial_post_request() dissect.cobaltstrike.c2.HttpRequest[source]
Return the initial HttpRequest object for sending callback data to the Team Server.
- register_task(command_id: Union[None, int], func)[source]
Register a task handler for a given command ID.
- Parameters
command_id – The command ID to register the handler for.
Noneis handler for empty tasks.-1is a catch-all handler.func – The function to call when a task with the given command ID is received.
- handle(command: Union[None, int, dissect.cobaltstrike.c2.BeaconCommand])[source]
decorator to register a handler for command, if
Noneit registers a handler for empty tasks
- dissect.cobaltstrike.client.build_parser() argparse.ArgumentParser[source]
Return the default ArgumentParser for the beacon client.
- dissect.cobaltstrike.client.parse_commandline_options(parser=None, defaults=None) Tuple[argparse.Namespace, Dict[str, Any]][source]
Helper function to parse commandline options and return a typle of (args, options).
This method is useful for creating default commandline options for a Beacon client. The returned options can be passed to
HttpBeaconClient.run()as follows:from dissect.cobaltstrike.client import HttpBeaconClient, parse_commandline_options beacon = HttpBeaconClient() args, options = parse_commandline_options(defaults={ "beacon_id": 1234, "computer": "dissect", "user": "cobaltstrike", "process": "calc.exe", }) beacon.run(**options)
If parser is not defined it will use the default argparse parser created by
build_parser(). The defaults dictionary can be used to override the default argparse settings.- Parameters
parser – an instance of
argparse.ArgumentParser, if None it will use the parser created byclient.build_parser().defaults – A dictionary to override the default settings for the argument parser. Unknown keys will be ignored.
- Returns
Tuple of (args, options) where args is the parsed arguments from the commandline and options is a dictionary of options that can be passed to
HttpBeaconClient.run().