{"id":17998,"date":"2021-09-20T09:00:00","date_gmt":"2021-09-20T09:00:00","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=17998"},"modified":"2021-09-19T03:25:43","modified_gmt":"2021-09-19T03:25:43","slug":"cobaltstrikeparser","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/","title":{"rendered":"CobaltStrikeParser : Python parser for CobaltStrike Beacon&#8217;s configuration"},"content":{"rendered":"\n<p><strong>CobaltStrikeParser<\/strong> is a Python parser for CobaltStrike Beacon&#8217;s configuration.<\/p>\n\n\n\n<p>Use&nbsp;<code><strong>parse_beacon_config.py<\/strong><\/code>&nbsp;for stageless beacons, memory dumps or C2 URLs, with Metasploit compatibility mode enabled by default.<br>Many stageless beacons are PEs in which the beacon code itself is stored in the&nbsp;<code><strong>.data<\/strong><\/code>&nbsp;section and XORed with a 4-byte key.<br>The script tries to locate the XOR key and the encrypted data heuristically, decrypts the data and parses the configuration from it.<\/p>\n\n\n\n<p>This is designed so it can be used as a library too.<\/p>\n\n\n\n<p>The repo now also includes a small communication module (comm.py) that can help with communicating with a C2 server as a beacon.<\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Usage<\/strong><\/p>\n\n\n\n<p class=\"has-vivid-green-cyan-color has-black-background-color has-text-color has-background\"><strong>usage: parse_beacon_config.py [-h] [--json] [--quiet] [--version VERSION] beacon<br>Parses CobaltStrike Beacon&#8217;s configuration from PE, memory dump or URL.<br>positional arguments:<br>beacon This can be a file path or a url (if started with http\/s)<br>optional arguments:<br>-h, --help show this help message and exit<br>--json Print as json<br>--quiet Do not print missing or empty settings<br>--version VERSION Try as specific cobalt version (3 or 4). 
If not specified, tries both.<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center has-vivid-green-cyan-background-color has-background\"><strong>Extra<\/strong><\/p>\n\n\n\n<p>To use the communication PoC, copy it to the main folder and run it from there. To install the M2Crypto library (a requirement for the PoC) on Windows, it is easiest to use the installers found online rather than pip.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-outline is-style-outline--1\"><a class=\"wp-block-button__link has-vivid-cyan-blue-background-color has-background\" href=\"https:\/\/github.com\/Sentinel-One\/CobaltStrikeParser\"><strong>Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CobaltStrikeParser is a Python parser for CobaltStrike Beacon&#8217;s configuration. Use&nbsp;parse_beacon_config.py&nbsp;for stageless beacons, memory dumps or C2 URLs, with Metasploit compatibility mode enabled by default. Many stageless beacons are PEs in which the beacon code itself is stored in the&nbsp;.data&nbsp;section and XORed with a 4-byte key. The script tries to locate the XOR key and the encrypted data heuristically, decrypts the data and [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":18007,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[4111,4109,4112,4110],"class_list":["post-17998","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-cobaltstrike-beacons","tag-cobaltstrikeparser","tag-configuration","tag-python-parser"],"yoast_head":"<!-- This site 
is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CobaltStrikeParser : Python parser for CobaltStrike Beacon&#039;s configuration<\/title>\n<meta name=\"description\" content=\"CobaltStrikeParser is a Python parser for CobaltStrike Beacon&#039;s configuration. Use\u00a0parse_beacon_config.py\u00a0for stageless beacons, memory dumps.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CobaltStrikeParser : Python parser for CobaltStrike Beacon&#039;s configuration\" \/>\n<meta property=\"og:description\" content=\"CobaltStrikeParser is a Python parser for CobaltStrike Beacon&#039;s configuration. Use\u00a0parse_beacon_config.py\u00a0for stageless beacons, memory dumps.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-20T09:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta 
name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"CobaltStrikeParser : Python parser for CobaltStrike Beacon&#8217;s configuration\",\"datePublished\":\"2021-09-20T09:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\"},\"wordCount\":225,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png\",\"keywords\":[\"CobaltStrike Beacon&#039;s\",\"CobaltStrikeParser\",\"configuration\",\"Python parser\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\",\"name\":\"CobaltStrikeParser : Python parser for CobaltStrike Beacon's 
configuration\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png\",\"datePublished\":\"2021-09-20T09:00:00+00:00\",\"description\":\"CobaltStrikeParser is a Python parser for CobaltStrike Beacon's configuration. Use\u00a0parse_beacon_config.py\u00a0for stageless beacons, memory dumps.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage\",\"url\":\"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png\",\"contentUrl\":\"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png\",\"width\":\"1194\",\"height\":\"380\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux 
Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"CobaltStrikeParser : Python parser for CobaltStrike Beacon's configuration","description":"CobaltStrikeParser is a Python parser for CobaltStrike Beacon's configuration. Use\u00a0parse_beacon_config.py\u00a0for stageless beacons, memory dumps.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/","og_locale":"en_US","og_type":"article","og_title":"CobaltStrikeParser : Python parser for CobaltStrike Beacon's configuration","og_description":"CobaltStrikeParser is a Python parser for CobaltStrike Beacon's configuration. Use\u00a0parse_beacon_config.py\u00a0for stageless beacons, memory dumps.","og_url":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2021-09-20T09:00:00+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"CobaltStrikeParser : Python parser for CobaltStrike Beacon&#8217;s configuration","datePublished":"2021-09-20T09:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/"},"wordCount":225,"commentCount":0,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","keywords":["CobaltStrike Beacon&#039;s","CobaltStrikeParser","configuration","Python parser"],"articleSection":["Kali Linux"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/","url":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/","name":"CobaltStrikeParser : Python parser for CobaltStrike Beacon's configuration","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","datePublished":"2021-09-20T09:00:00+00:00","description":"CobaltStrikeParser is a Python parser for CobaltStrike 
Beacon's configuration. Use\u00a0parse_beacon_config.py\u00a0for stageless beacons, memory dumps.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/cobaltstrikeparser\/#primaryimage","url":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","contentUrl":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","width":"1194","height":"380"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux 
Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/1.bp.blogspot.com\/-mWE_rLyLFXg\/YTLr_3v4jTI\/AAAAAAAAKsA\/R_XknrGoKSk-Mqo-PtLct_yyeu5VD6vVgCLcBGAsYHQ\/s1194\/CobaltStrike%2B%25281%2529.png","jetpack_sharing_enabled":true}