Scan files or process memory for Cobalt Strike beacons and parse their configuration.
CobaltStrikeScan scans Windows process memory for evidence of DLL injection (classic or reflective injection) and performs a YARA scan on the target process' memory for Cobalt Strike v3 and v4 beacon signatures.
Alternatively, CobaltStrikeScan can perform the same YARA scan on a file supplied by absolute or relative path as a command-line argument.
If a Cobalt Strike beacon is detected in the file or process, the beacon's configuration will be parsed and displayed to the console.
This project is inspired by the following research / articles:
- SpecterOps - Defenders Think in Graphs Too
- JPCert - Volatility Plugin for Detecting Cobalt Strike
- SentinelLabs - The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
- 64-bit Windows OS
- .NET Framework 4.6
- Administrator or SeDebugPrivilege is required to scan process memory for injected threads
-d, --dump-processes Dump process memory to file when injected threads are detected
-f, --scan-file Scan a file/process dump for CobaltStrike beacons
-i, --injected-threads Scan running (64-bit) processes for injected threads (won't scan for CobaltStrike beacons)
-p, --scan-processes Scan running processes for injected threads and CobaltStrike beacons
-v, --verbose Write verbose output (display detailed information for injected threads)
-h, --help Display Help Message
--help Display this help screen.
--version Display version information.