Didier Stevens

Cobalt Strike Tools

This is a collection of Cobalt Strike tools for blue teams.

All these tools can also be found on GitHub and in my DidierStevensSuite.zip file.

Remark that these tools not only have an help option (-h), but also come with an embedded man page: -m.


This is a tool to analyze Cobalt Strike beacons. If you get it from my GitHub repository, make sure to include file 1768.json.

1768_v0_0_16.zip (http)
MD5: E72E66BE5A66DC2C6E1806DE82DF9B39
SHA256: 008E15C617EE94D849A3325643497D216E559609602E97CF2EE41968CCA5D096


This is a tool to analyze a process memory dump of Cobalt Strike beacons that use a sleep mask to xor-encode their writable process memory while sleeping.

cs-analyze-processdump_V0_0_3.zip (https)
MD5: 46C232F594CF67272A915985AFDFE839
SHA256: 84EBC79B9CC5764E7D8C85DCBADEE49F09ABF6F19962A0D9C505703F82675B23


This is a tool to decrypt the “checkin cookie” (metadata) of Cobalt Strike beacons. It requires file 1768.json.

cs-decrypt-metadata_V0_0_4.zip (https)
MD5: 50C8AEFA1A1A507012BE72C71C449818
SHA256: CAFCCE9A8897C257AE39259D3F444E0F40473BF0D9590DC1A035316EBDDBBC84


This is a tool to extract the network traffic encryption keys from process memory dumps of beacons.

cs-extract-key_V0_0_4.zip (https)
MD5: 451D73C0963C91E11AE043AD82A96FCD
SHA256: 5D21C796CA2F7D115D291E2C4DAE713EF87601B663FCF7EFF06D91B447A52528


This is a tool to decrypt and parse the network traffic of beacons.

cs-parse-traffic_V0_0_5.zip (http)
MD5: CFF6D97E816B23065F051D91B0F101A6
SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302

Blog at WordPress.com.