creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 15:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-cobalt-strike-beacon-configuration/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.9 KiB
Raw Blame History

API Reference: Cobalt Strike Beacon Configuration Analysis

Beacon Config TLV Format

Structure

[Field ID: 2 bytes][Type: 2 bytes][Value: variable]
Type 1 = short (2 bytes), Type 2 = int (4 bytes), Type 3 = string/blob (2-byte length + data)

XOR Encoding

Version XOR Key
CS 3.x 0x69
CS 4.x 0x2E

Key Configuration Fields

ID Name Description
1 BeaconType 0=HTTP, 1=Hybrid, 2=SMB, 8=HTTPS
2 Port C2 communication port
3 SleepTime Beacon interval (ms)
5 Jitter Random sleep variation (%)
7 PublicKey RSA public key for encryption
8 C2Server Command and control server(s)
9 UserAgent HTTP User-Agent string
10 PostURI POST callback URI
37 Watermark License watermark (operator ID)
54 PipeName Named pipe for SMB beacons

1768.py (Didier Stevens) - Config Extractor

Syntax

python 1768.py <beacon_file>           # Extract config
python 1768.py -j <beacon_file>        # JSON output
python 1768.py -r <beacon_file>        # Raw config dump

CobaltStrikeParser (SentinelOne)

Syntax

python parse_beacon_config.py <file>
python parse_beacon_config.py --json <file>

Output Fields

BeaconType:        HTTPS
Port:              443
SleepTime:         60000
Jitter:            37
C2Server:          update.microsoft-cdn.com,/api/v2
UserAgent:         Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Watermark:         305419896
SpawnToX86:        %windir%\syswow64\dllhost.exe
SpawnToX64:        %windir%\sysnative\dllhost.exe

JARM Fingerprinting

Cobalt Strike Default JARM

# Default CS JARM hash (pre-4.7)
07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1

# Scan with JARM
python jarm.py <target_ip> -p 443

Known Watermark Values

Watermark Attribution
0 Trial/cracked version
305419896 Common cracked version
1359593325 Known threat actor toolkit
1580103824 Known APT usage

Detection Signatures

Suricata

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"ET MALWARE Cobalt Strike Beacon";
    content:"/submit.php"; http_uri;
    content:"Cookie:"; http_header;
    pcre:"/Cookie:\s[A-Za-z0-9+/=]{60,}/H";
    sid:2028591; rev:1;)

YARA

rule CobaltStrike_Beacon {
    strings:
        $config_v3 = { 00 01 00 01 00 02 ?? ?? 00 01 00 02 }
        $magic = "MSSE-%d-server"
        $pipe = "\\\\.\\pipe\\msagent_"
    condition:
        uint16(0) == 0x5A4D and any of them
}

Malleable C2 Profile Elements

Element Description
http-get GET request profile (URI, headers, metadata transform)
http-post POST request profile (URI, body transform)
set sleeptime Default beacon interval
set jitter Randomization percentage
set useragent HTTP User-Agent
set pipename SMB named pipe name
Reference in New Issue View Git Blame Copy Permalink