This is a collection of Cobalt Strike tools for blue teams.
All these tools can also be found on GitHub and in my DidierStevensSuite.zip file.
Remark that these tools not only have a help option (-h), but also come with an embedded man page: -m.
1768.py
This is a tool to analyze Cobalt Strike beacons. If you get it from my GitHub repository, make sure to include file 1768.json.
1768_v0_0_23.zip (http)
MD5: 04641D1CCDABDD16FB303B89235AAC53
SHA256: 708D849F11D6614B55AAF0154445CEEC12AC7ADBE02260D8FF567FC4A02C193E
cs-analyze-processdump.py
This is a tool to analyze a process memory dump of Cobalt Strike beacons that use a sleep mask to XOR-encode their writable process memory while sleeping.
cs-analyze-processdump_V0_0_3.zip (https)
MD5: 46C232F594CF67272A915985AFDFE839
SHA256: 84EBC79B9CC5764E7D8C85DCBADEE49F09ABF6F19962A0D9C505703F82675B23
cs-decrypt-metadata.py
This is a tool to decrypt the “checkin cookie” (metadata) of Cobalt Strike beacons. It requires file 1768.json.
cs-decrypt-metadata_V0_0_5.zip (http)
MD5: 3C37C994709AAE7F56FEC8C8A35F6A61
SHA256: A47616A8C7A484A70D011EA4B8189097CF6FD61358DAEA883760C208BEDE2075
cs-extract-key.py
This is a tool to extract the network traffic encryption keys from process memory dumps of beacons.
cs-extract-key_V0_0_4.zip (https)
MD5: 451D73C0963C91E11AE043AD82A96FCD
SHA256: 5D21C796CA2F7D115D291E2C4DAE713EF87601B663FCF7EFF06D91B447A52528
cs-parse-traffic.py
This is a tool to decrypt and parse the network traffic of beacons.
cs-parse-traffic_V0_0_5.zip (http)
MD5: CFF6D97E816B23065F051D91B0F101A6
SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302