
v1.2.1

Latest


@yunzheng yunzheng released this 25 Mar 14:18
ef91243

This v1.2.1 release mainly brings support for dumping beacons protected with guardrails. It can automatically deduce the environmental key and decrypt the protected beacon config. Example:

$ beacon-dump -v 124552cf674b362e0c916ab79b9e7a56.bin
2025-03-25 15:17:14,318 INFO root: Processing: '124552cf674b362e0c916ab79b9e7a56.bin'
2025-03-25 15:17:14,869 INFO dissect.cobaltstrike.guardrails: Found guardrail config at offset: 320138 in <_io.BufferedReader name='124552cf674b362e0c916ab79b9e7a56.bin'>
2025-03-25 15:17:14,893 INFO dissect.cobaltstrike.guardrails: Found guardrail payload xorkey: b'desktop-r4vgq8o'
...
--------------------------------------------------
pe_export_stamp = 1720799264, 0x66915020, Fri Jul 12 17:47:44 2024 - Cobalt Strike 4.10 (Jul 16, 2024)
pe_compile_stamp = 1720799264, 0x66915020, Fri Jul 12 17:47:44 2024
max_setting_enum = 78 - BeaconSetting.SETTING_BEACON_GATE
beacon_version = Cobalt Strike 4.10 (Jul 16, 2024)
guardrail payload xor key = b'desktop-r4vgq8o'
guardrail options = [<GuardOption.GUARD_COMPUTER: 6>, <GuardOption.GUARD_PAYLOAD_CHECKSUM: 9>]

Also, some small quality-of-life changes were made to beacon-dump:

  • You can now pass more than one beacon file to dump, which is useful with shell globbing, e.g.: beacon-dump -v beacons/*.bin
  • It now tries all 256 single-byte XOR keys by default. This deprecates the --all flag and introduces --default-xor-keys-only for the old behaviour of trying only the known default keys.
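The single-byte XOR search above relies on a known plaintext: every beacon config starts with SETTING_PROTOCOL (index 1, type short, length 2), so the first six bytes of the plaintext are always 00 01 00 01 00 02, and XORing that header with each candidate key gives a needle to search for. The following is an added example written for this page, not code from dissect.cobaltstrike; it builds a constructed config (the C2 hostname and values are invented), obfuscates it with the non-default key 0x5A, shows that the two well-known default keys (0x69, 0x2E) miss it while the full 256-key search finds it, and then parses the recovered TLV settings. The TLV layout (u16 index, u16 type with 1=short, 2=int, 3=data, u16 length, value, terminated by index 0) is the public beacon config format.

```python
"""Locate and parse a single-byte-XOR-obfuscated Cobalt Strike beacon config.

Added example, not code from dissect.cobaltstrike. The config layout is the
public TLV format: index (u16 BE), type (u16 BE: 1=short, 2=int, 3=data),
length (u16 BE), value. The first entry is always SETTING_PROTOCOL (index 1,
type short, length 2), so the plaintext header 00 01 00 01 00 02 serves as the
known plaintext used to identify the XOR key.
"""
import struct

KNOWN_HEADER = b"\x00\x01\x00\x01\x00\x02"
DEFAULT_XOR_KEYS = (0x69, 0x2E)   # the two keys Cobalt Strike is known to use
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes, keys=range(256)):
    """Return (offset, key) of the first config header found, trying each key in order."""
    for key in keys:
        needle = xor(KNOWN_HEADER, key)
        off = blob.find(needle)
        if off != -1:
            return off, key
    return None


def parse_settings(config: bytes) -> dict:
    """Parse TLV settings until the index-0 terminator or end of data."""
    settings = {}
    pos = 0
    while pos + 6 <= len(config):
        index, stype, length = struct.unpack_from(">HHH", config, pos)
        pos += 6
        if index == 0:
            break
        value = config[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated setting %d" % index)
        pos += length
        if stype == TYPE_SHORT and length == 2:
            settings[index] = struct.unpack(">H", value)[0]
        elif stype == TYPE_INT and length == 4:
            settings[index] = struct.unpack(">I", value)[0]
        else:
            settings[index] = value.rstrip(b"\x00")
    return settings


def build_sample_config() -> bytes:
    """Constructed plaintext config (not a real beacon): protocol, port, sleeptime, domains."""
    entries = [
        (1, TYPE_SHORT, struct.pack(">H", 8)),       # SETTING_PROTOCOL = 8 (HTTPS)
        (2, TYPE_SHORT, struct.pack(">H", 443)),     # SETTING_PORT
        (3, TYPE_INT, struct.pack(">I", 60000)),     # SETTING_SLEEPTIME (ms)
        (8, TYPE_DATA, b"c2.example.invalid,/ca".ljust(256, b"\x00")),  # SETTING_DOMAINS (invented)
    ]
    out = b"".join(struct.pack(">HHH", i, t, len(v)) + v for i, t, v in entries)
    return out + b"\x00" * 6   # terminator entry


def dump(blob: bytes, keys=range(256)):
    """Find the config with one of `keys`, decode it and return (key, offset, settings)."""
    hit = find_config(blob, keys)
    if hit is None:
        return None
    off, key = hit
    return key, off, parse_settings(xor(blob[off:], key))


# A constructed "beacon": 256 bytes of monotonic padding (cannot contain the
# a,b,a,b,a,c needle for any key), then the config XORed with a non-default key.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = bytes(range(0x40, 0x80)) * 4 + xor(build_sample_config(), SAMPLE_KEY)

if __name__ == "__main__":
    print(dump(SAMPLE_BLOB, keys=DEFAULT_XOR_KEYS))   # None: the default keys miss it
    print(dump(SAMPLE_BLOB))                          # found at offset 256 with key 0x5A
```

Searching for the six-byte needle rather than a single XORed byte keeps false positives low even across all 256 keys, which is why trying every key by default is cheap; on a real sample you would additionally want to confirm the hit by parsing a few settings and checking that the indices and types are plausible before trusting the offset.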

Furthermore, beacon version identification now covers releases up to Cobalt Strike v4.10.1, and the identification table is now also included in the documentation for reference.

What's Changed

  • Fix BeaconSetting names with unknown values by @yunzheng in #64
  • Speed up beacon file reading from zip files in tests by @yunzheng in #65
  • Add version detection for Cobalt Strike 4.9 and 4.10 by @yunzheng in #66
  • Output bof_reuse_memory and bof_allocator in c2profile by @yunzheng in #67
  • Add support for SETTING_DATA_STORE_SIZE and SETTING_BEACON_GATE options by @yunzheng in #68
  • Update pip install docs with quoting when installing extras by @yunzheng in #69
  • More pip install quotations in the docs by @yunzheng in #70
  • Add support for SETTING_HTTP_DATA_REQUIRED beacon setting by @yunzheng in #71
  • Add support for beacon guardrails by @yunzheng in #73
  • Fix failing readthedocs builds by @yunzheng in #74
  • Add guardrails definitions to the docs by @yunzheng in #75
  • Add Cobalt Strike 4.10.1 version detection by @yunzheng in #76
  • Add beacon version table to documentation by @yunzheng in #77

Full Changelog: v1.2.0...v1.2.1