{"id":28486093,"url":"https://github.com/fox-it/dissect.cobaltstrike","last_synced_at":"2025-10-08T22:43:21.419Z","repository":{"id":37745241,"uuid":"474029374","full_name":"fox-it/dissect.cobaltstrike","owner":"fox-it","description":"Python library for dissecting and parsing Cobalt Strike related data such as Beacon payloads and Malleable C2 Profiles","archived":false,"fork":false,"pushed_at":"2025-06-23T11:07:05.000Z","size":1804,"stargazers_count":175,"open_issues_count":0,"forks_count":24,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-09-10T09:45:20.581Z","etag":null,"topics":["beacon","cobaltstrike","dissect","malleable-c2-profile","parser","pcap","pypy3","python","python3"],"latest_commit_sha":null,"homepage":"https://dissect-cobaltstrike.readthedocs.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fox-it.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-03-25T13:54:27.000Z","updated_at":"2025-08-24T15:45:23.000Z","dependencies_parsed_at":"2025-06-22T13:31:37.383Z","dependency_job_id":"ad0dcaad-d17b-4d96-92c7-da6dfa12e133","html_url":"https://github.com/fox-it/dissect.cobaltstrike","commit_stats":{"total_commits":44,"total_committers":1,"mean_commits":44.0,"dds":0.0,"last_synced_commit":"b74d937c9daaf440d0f470d9c19c97b9b29e1394"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/fox-it/dissect.cobaltstrike","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fdissect.cobaltstrike","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fdissect.cobaltstrike/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fdissect.cobaltstrike/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fdissect.cobaltstrike/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fox-it","download_url":"https://codeload.github.com/fox-it/dissect.cobaltstrike/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fox-it%2Fdissect.cobaltstrike/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279000780,"owners_count":26082851,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-08T02:00:06.501Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["beacon","cobaltstrike","dissect","malleable-c2-profile","parser","pcap","pypy3","python","python3"],"created_at":"2025-06-08T01:10:14.017Z","updated_at":"2025-10-08T22:43:21.414Z","avatar_url":"https://github.com/fox-it.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"Dissecting Cobalt Strike using Python\n=====================================\n\n.. image:: https://github.com/fox-it/dissect.cobaltstrike/workflows/Tests/badge.svg\n :target: https://github.com/fox-it/dissect.cobaltstrike/actions\n :alt: GitHub Actions status\n.. image:: https://readthedocs.org/projects/dissect-cobaltstrike/badge/?version=latest\n :target: https://dissect-cobaltstrike.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n.. image:: https://img.shields.io/pypi/v/dissect.cobaltstrike.svg\n :target: https://pypi.python.org/pypi/dissect.cobaltstrike\n\n**dissect.cobaltstrike** is a Python library for dissecting and parsing Cobalt Strike related data such as beacon payloads and Malleable C2 Profiles.\n\nInstallation\n------------\n\nThe library is available on `PyPI \u003chttps://pypi.org/project/dissect.cobaltstrike/\u003e`_. Use ``pip`` to install it::\n\n $ pip install dissect.cobaltstrike\n\nOr install using the ``full`` extra to automatically install dependencies for C2 and PCAP support::\n\n $ pip install 'dissect.cobaltstrike[full]'\n\nIf you want to install the latest pre-release version, use the ``--pre`` flag::\n\n $ pip install --pre dissect.cobaltstrike\n\n**dissect.cobaltstrike** requires Python 3.9 or later.\n\nDocumentation\n-------------\n\nThe project documentation can be found here: https://dissect-cobaltstrike.readthedocs.io\n\nBasic Usage\n-----------\n\nParse a Cobalt Strike beacon and extract some config settings\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n.. code-block:: python\n\n \u003e\u003e\u003e from dissect.cobaltstrike.beacon import BeaconConfig\n\n \u003e\u003e\u003e bconfig = BeaconConfig.from_path(\"beacon.bin\")\n\n \u003e\u003e\u003e hex(bconfig.watermark)\n '0x5109bf6d'\n \u003e\u003e\u003e bconfig.protocol\n 'https'\n \u003e\u003e\u003e bconfig.version\n \u003cBeaconVersion 'Cobalt Strike 4.2 (Nov 06, 2020)', tuple=(4, 2), date=2020-11-06\u003e\n\n \u003e\u003e\u003e bconfig.settings\n mappingproxy({'SETTING_PROTOCOL': 8,\n 'SETTING_PORT': 443,\n 'SETTING_SLEEPTIME': 5000,\n 'SETTING_MAXGET': 1048576,\n 'SETTING_JITTER': 0, ...\n\n \u003e\u003e\u003e bconfig.settings[\"SETTING_C2_REQUEST\"]\n [('_HEADER', b'Connection: close'),\n ('_HEADER', b'Accept-Language: en-US'),\n ('BUILD', 'metadata'),\n ('MASK', True),\n ('BASE64', True),\n ('PREPEND', b'wordpress_ed1f617bbd6c004cc09e046f3c1b7148='),\n ('HEADER', b'Cookie')]\n\nParse a Malleable C2 Profile and read some configuration settings\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n.. code-block:: python\n\n \u003e\u003e\u003e from dissect.cobaltstrike.c2profile import C2Profile\n \u003e\u003e\u003e profile = C2Profile.from_path(\"amazon.profile\")\n \u003e\u003e\u003e profile.as_dict()\n {'sleeptime': ['5000'],\n 'jitter': ['0'],\n 'maxdns': ['255'],\n 'useragent': ['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'],\n 'http-get.uri': ['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'],\n 'http-get.client.header': [('Accept', '*/*'), ('Host', 'www.amazon.com')],\n ...\n }\n\n \u003e\u003e\u003e profile.properties[\"useragent\"]\n ['Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko']\n\n \u003e\u003e\u003e profile.properties[\"http-get.uri\"]\n ['/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books']\n\nConnect to Team Server as a Beacon Client\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nSee also `A Minimal Beacon Client \u003chttps://dissect-cobaltstrike.readthedocs.io/en/latest/tutorials/minimal_beacon_client.html\u003e`_ tutorial in the documentation.\n\n.. image:: https://raw.githubusercontent.com/fox-it/dissect.cobaltstrike/main/docs/images/beacon-client.png\n\n\nParse and decrypt a PCAP containing Cobalt Strike traffic\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nSee also the `Decrypt Cobalt Strike PCAPs \u003chttps://dissect-cobaltstrike.readthedocs.io/en/latest/tutorials/decrypt_cobaltstrike_pcaps.html\u003e`_ tutorial in the documentation.\n\n.. code-block:: shell\n\n $ beacon-pcap --extract-beacons 2021-06-15-Hancitor-with-Ficker-Stealer-and-Cobalt-Strike.pcap\n [+] Found \u003cBeaconConfig ['\u003credacted\u003e']\u003e at b'/ZsDK', extracted beacon payload to 'beacon-ZsDK.bin'\n [+] Found \u003cBeaconConfig ['\u003credacted\u003e']\u003e at b'/8mJm', extracted beacon payload to 'beacon-8mJm.bin'\n\n $ beacon-pcap -p key.pem 2021-06-15-Hancitor-with-Ficker-Stealer-and-Cobalt-Strike.pcap --beacon beacon-8mJm.bin\n \u003cBeacon/BeaconMetadata packet_ts=2021-06-15 15:08:55.172675 src_ip=net.ipaddress('10.0.0.134') src_port=52886 dst_ip=net.ipaddress('\u003credacted\u003e') dst_port=443 raw_http=b'GET /activity HTTP/1.1\\r\\nAccept: */*\\r\\nCookie: kR/OTFMhCYQpv09cXl2R7qEespVUfQ/8YahAbs1b+rEESbSzcAc44R9Klf4zH4GGYxT4dErzNQWimmMW5wQVQSEGFZ36mWc/beoUTQUGVUxcZWXl0t8WBO12qC6vsmRSV5uQO+qxz0Lbz1P/wOkWwbNM0XF9LhVjRrGYSR0Jlrc=\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)\\r\\nHost: \u003credacted\u003e:443\\r\\nConnection: Keep-Alive\\r\\nCache-Control: no-cache\\r\\n\\r\\n' magic=48879 size=92 aes_rand=b'\\xf9dA\\xc8\\x8b\\x07\\xe1:\\xfa\\np\\xbc{`m\\xe0' ansi_cp=58372 oem_cp=46337 bid=693615746 pid=6396 port=0 flag=4 ver_major=10 ver_minor=0 ver_build=19042 ptr_x64=0 ptr_gmh=1972243040 ptr_gpa=1972237648 ip=net.ipaddress('\u003credacted\u003e') info=b'DESKTOP-X9JH6AW\\ttabitha.gomez\\tsvchost.exe'\u003e\n \u003cBeacon/TaskPacket packet_ts=2021-06-15 15:09:56.371968 src_ip=net.ipaddress('\u003credacted\u003e') src_port=443 dst_ip=net.ipaddress('10.0.0.134') dst_port=52894 raw_http=b'HTTP/1.1 200 OK\\r\\nDate: Tue, 15 Jun 2021 15:09:55 GMT\\r\\nContent-Type: application/octet-stream\\r\\nContent-Length: 48\\r\\n\\r\\nP\\xc1\\xf1\\xa0{3 \\xa8\\x01}\\xfe\\xbcl\\x8e\\xa2\\x81\\xd7A2\\xa3;\\xe0\\x91\\xf5\\x90\\xdd]\\xc5\\x88`\\xa2\\x88\\x93\\x14-\\xb4\\xbb\\x96\\xf1\\x1c\\xd7\\r\\xa60\\xfe\\xc5\\x9e\\xd6' epoch=2021-06-15 15:09:55 total_size=16 command='COMMAND_SLEEP' size=8 data=b'\\x00\\x00\\x00d\\x00\\x00\\x00Z'\u003e\n\nLicense\n-------\n\n**dissect.cobaltstrike** is developed and distributed under the MIT license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2Fdissect.cobaltstrike","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffox-it%2Fdissect.cobaltstrike","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffox-it%2Fdissect.cobaltstrike/lists"}