beacon-pcap
The command beacon-pcap can be used to parse PCAP files containing Cobalt Strike C2 traffic.
The AES key of the beacon session or RSA Private key of the Team Server is required to decrypt the traffic.
Tip
If you enable -v / --verbose logging and have the rich module installed, beacon-pcap will automatically
use rich to render the console logging, which can be easier on the eyes.
The beacon config or payload can be specified using the -b / --beacon flag. If it is not specified, beacon-pcap tries to
find one in the PCAP by checking for any staged beacon payloads and will always use the first one it finds in
the PCAP. If there are multiple staged beacons in the PCAP, you can extract them first using -e / --extract-beacons
and specify the one you want to use with --beacon.
To ensure you have all the dependencies for beacon-pcap you can use the following pip command:
$ pip install -e 'dissect.cobaltstrike[pcap]'
Example usage if you have the RSA private key:
$ beacon-pcap --private-key privkey.der traffic.pcap
This will read traffic.pcap and use the RSA Private key privkey.der for decrypting Beacon Metadata and C2 Packets.
As no beacon is specified, it will try to find a staged beacon payload in the PCAP.
By default all the decrypted C2 packets are written as flow.record records to stdout.
The output can be redirected to a file using the -w / --writer argument, example:
$ beacon-pcap -v -p privkey.der -w beacon-c2.records.gz traffic.pcap
This will write the decrypted C2 packets to beacon-c2.records.gz instead of stdout.
The file can then be dumped using the tool rdump which is part of the flow.record package and is installed as a dependency.
$ rdump beacon-c2.records.gz
If the command is not in your path, you can also run the command using the following Python module:
$ python -m dissect.cobaltstrike.pcap --help
beacon-pcap - CLI interface
beacon-pcap [-h] [-f FILTER] [-c C2] [-n NSS_KEYLOG_FILE] [-a AES] [-m HMAC] [-k]
[-p PRIVATE_KEY] [-b BEACON] [-A] [-v] [-e] [-w WRITER]
PCAP
beacon-pcap positional arguments
PCAP - PCAP to parse (default: None)
beacon-pcap options
-f FILTER, --filter FILTER - Wireshark display filter to apply while parsing PCAP (default: None)
-c C2, --c2 C2 - Cobalt Strike C2 IP address (default: None)
-n NSS_KEYLOG_FILE, --nss-keylog-file NSS_KEYLOG_FILE - NSS keylog file to use for decrypting SSL traffic (default: None)
-m HMAC, --hmac HMAC - HMAC key to use (in hex) (default: None)
-k, --no-hmac-verify - Disable HMAC signature verification
-p PRIVATE_KEY, --private-key PRIVATE_KEY - Path to RSA private key (default: None)
-b BEACON, --beacon BEACON - Use the BeaconConfig from this Beacon (default: None)
-A, --all-metadata - Dump all metadata and not only unique
-e, --extract-beacons - Extract found beacons in pcap