
Detecting Cobalt Strike Team Servers on targets through traffic telemetry.


Cobalt Strike Discovery

Cobalt Strike is a commercial penetration testing tool that gives security testers access to a large variety of attack capabilities. This tool aims to detect Cobalt Strike Team Servers from traffic telemetry, rather than from the much more commonly used endpoint telemetry.
This project was inspired by the reports How I Met Your Beacon - Cobalt Strike by MDSec, and How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect by Palo Alto Unit 42.
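As an added illustration of what a traffic-side check looks like (example code added here, not part of cs-discovery, and not necessarily the indicator behind its "encoded byte" option): one well-documented server fingerprint, reported by Fox-IT in 2019 and removed in Cobalt Strike 3.13, was an extra space at the end of the HTTP status line, as in HTTP/1.1 404 Not Found followed by a space before CRLF. The script below parses raw response bytes and flags that byte. The responses it checks are constructed samples, and fetch_raw_head is a helper assumed here for reading a live response unmodified.

```python
"""Flag the extraneous-trailing-space status line of old Cobalt Strike team servers.

Added illustration, not part of cs-discovery. Team servers before 3.13 ended
every HTTP status line with a space before CRLF (documented by Fox-IT, 2019).
All sample responses below are constructed, not captured traffic.
"""
import re
import socket
from typing import Optional

# version, code, reason (lazy), then an optional single trailing space.
STATUS_LINE = re.compile(rb"^(HTTP/\d\.\d) (\d{3}) ([^\r\n]*?)( ?)\r\n")

# Constructed samples: a generic 404 and one whose status line carries the space.
SAMPLES = {
    "benign": (
        b"HTTP/1.1 404 Not Found\r\n"
        b"Server: nginx\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "suspect": (
        b"HTTP/1.1 404 Not Found \r\n"
        b"Content-Type: text/plain\r\n"
        b"Date: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
}


def parse_status_line(raw: bytes) -> Optional[dict]:
    """Parse the first line of a raw HTTP response; None if it is not one."""
    m = STATUS_LINE.match(raw)
    if not m:
        return None
    return {
        "version": m.group(1).decode(),
        "code": int(m.group(2)),
        "reason": m.group(3).decode(errors="replace"),
        "trailing_space": m.group(4) == b" ",
    }


def inspect_response(raw: bytes) -> dict:
    """Return parsed headers plus a list of indicator names that matched."""
    status = parse_status_line(raw)
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    indicators = []
    if status and status["trailing_space"]:
        indicators.append("trailing-space-status-line")
    return {"status": status, "headers": headers, "indicators": indicators}


def fetch_raw_head(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bytes:
    """Read the response head as raw bytes over a plain socket (helper assumed here).

    Standard clients such as http.client strip whitespace from the reason
    phrase, which erases exactly the byte this check looks for, so the status
    line must be read unmodified. Plain HTTP only; a TLS listener would need
    the socket wrapped with ssl.SSLContext.wrap_socket first.
    """
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_response(raw)["indicators"])
```

A hit on this indicator is a lead for correlation with other telemetry, not a verdict: patched servers do not emit the space, and Malleable C2 profiles reshape the rest of the response, so its absence proves nothing either.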

👨‍💻 Installing

Clone the repository:

git clone https://github.com/eremit4/cs-discovery.git

Optional - Create a virtualenv before installing the dependencies

Note: Using a virtual environment is optional but recommended: it avoids conflicts between the versions of the project's dependencies and packages already installed on your system. Learn how to install and use virtualenv for your OS here

Install the dependencies:

pip install -r requirements.txt

🥷️ Using

Discovering the project capabilities:

python cs_discovery.py --help

Running against a single target to detect Team Servers using the encoded byte:

python cs_discovery.py --url <target>

Running against multiple targets to detect Team Servers using the encoded byte:

python cs_discovery.py --file <filepath>

Running against a single target to detect Team Servers using the encoded byte together with an optional additional method:

python cs_discovery.py --url <target> --<optional flag>

🔮️ Demo

Demo recording (asciicast)

📝 License

This project is under the MIT License.