Skip to content

Detecting Cobalt Strike Team Servers on targets through traffic telemetry.

License

Notifications You must be signed in to change notification settings

eremit4/cs-discovery

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

34 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Cobalt Strike Discovery

Cobalt Strike is a commercial penetration testing tool, which gives security testers access to a large variety of attack capabilities. This tool aims to detect Cobalt Strike servers from traffic telemetry, replacing the much-used endpoint telemetry.
The construction of this project was inspired on the reports How I Meet Your Beacon - Cobalt Strike by MDSec, and How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect by Palo Alto Unit 42.

👨‍💻 Installing

Clone the repository:

git clone https://github.com/eremit4/cs-discovery.git

Optional - Create a virtualenv before install the dependencies

Note: The use of virtual environments is optional, but recommended. In this way, we avoid possible conflicts in different versions of the project's dependencies. Learn how to install and use virtualenv according to your OS here

Install the dependencies:

pip install -r requirements.txt

🥷️ Using

Discovering the project capabilities:

python cs_discovery.py --help

Running against a single target to detect Team Servers using the encoded byte:

python cs_discovery.py --url <target>

Running against multiple targets to detect Team Servers using the encoded byte:

python cs_discovery.py --file <filepath>

Running against a single target to detect Team Servers using byte encoded and other optional method:

python cs_discovery.py --url <target> --<optional flag>

🔮️ Demo

asciicast

📝 License

This project is under the MIT License.