Didier Stevens

Cobalt Strike Tools

This is a collection of Cobalt Strike tools for blue teams.

All these tools can also be found on GitHub and in my DidierStevensSuite.zip file.

Note that these tools not only have a help option (-h), but also come with an embedded man page: -m.

1768.py

This is a tool to analyze Cobalt Strike beacons. If you get it from my GitHub repository, make sure to include file 1768.json.

1768_v0_0_21.zip (http)
MD5: 6FBDCC5F066519C3FD846D33ABE3287A
SHA256: CBFCC5DA80634DF29DBABE06F3D59D3A5CA2FC1968CF5E0213F6A6751B1A079B

cs-analyze-processdump.py

This is a tool to analyze a process memory dump of Cobalt Strike beacons that use a sleep mask to xor-encode their writable process memory while sleeping.

cs-analyze-processdump_V0_0_3.zip (https)
MD5: 46C232F594CF67272A915985AFDFE839
SHA256: 84EBC79B9CC5764E7D8C85DCBADEE49F09ABF6F19962A0D9C505703F82675B23

cs-decrypt-metadata.py

This is a tool to decrypt the “checkin cookie” (metadata) of Cobalt Strike beacons. It requires file 1768.json.

cs-decrypt-metadata_V0_0_4.zip (https)
MD5: 50C8AEFA1A1A507012BE72C71C449818
SHA256: CAFCCE9A8897C257AE39259D3F444E0F40473BF0D9590DC1A035316EBDDBBC84

cs-extract-key.py

This is a tool to extract the network traffic encryption keys from process memory dumps of beacons.

cs-extract-key_V0_0_4.zip (https)
MD5: 451D73C0963C91E11AE043AD82A96FCD
SHA256: 5D21C796CA2F7D115D291E2C4DAE713EF87601B663FCF7EFF06D91B447A52528

cs-parse-traffic.py

This is a tool to decrypt and parse the network traffic of beacons.

cs-parse-traffic_V0_0_5.zip (http)
MD5: CFF6D97E816B23065F051D91B0F101A6
SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302
