Mirrors
/
ioc-collection
mirror of https://github.com/avast/ioc
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ioc-collection/CobaltStrike/payload_tools
History
avast-ti 05517a132f
Update cs_payload_extractor.py 		2021-07-08 15:09:20 +02:00
..
README.md Update README.md 2021-07-08 15:07:55 +02:00
cs_payload_extractor.py Update cs_payload_extractor.py 2021-07-08 15:09:20 +02:00
cs_payload_parser.py Add files via upload 2021-07-08 01:31:29 +02:00

README.md

Payload tools

Python scripts for extracting and parsing x86 and x64 payloads.

cs_payload_parser.py

Parser support DNS, SMB, TCP Bind/Reverse, HTTP/HTTPS payloads.

Usage:

cs_payload_parser.py <file_or_directory>

Example:

cs_payload_parser.py memdump.bin
cs_payload_parser.py c:\cs_payloads\

Output:

<filename>.log

--------------------------------------------------------------------------------
Filename:	fhttps_raw_x86
--------------------------------------------------------------------------------
Architecture:	x86
Payload type:	HTTPS stager
Payload start:	0x0000
Customer ID:   	0x12345678 | 305419896
--------------------------------------------------------------------------------
Request detail:
Address:	192.168.42.2
Port:		444
Query:		/AYhZ (Beacon_x86 checksum)
--------------------------------------------------------------------------------
Request header:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)
--------------------------------------------------------------------------------
Curl download command:
curl -o beacon_x86.bin -H "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)" https://192.168.42.2:444/AYhZ
--------------------------------------------------------------------------------
Payload API list:
Offset  | Hash value  | API name
0x009c  | 0x0726774c  | kernel32.dll_LoadLibraryA
0x00af  | 0xa779563a  | wininet.dll_InternetOpenA
0x00cb  | 0xc69f8957  | wininet.dll_InternetConnectA
0x00e7  | 0x3b2e55eb  | wininet.dll_HttpOpenRequestA
0x0100  | 0x869e4675  | wininet.dll_InternetSetOptionA
0x0110  | 0x7b18062d  | wininet.dll_HttpSendRequestA
0x0129  | 0x5de2c5aa  | kernel32.dll_GetLastError
0x0132  | 0x315e2145  | user32.dll_GetDesktopWindow
0x0141  | 0x0be057b7  | wininet.dll_InternetErrorDlg
0x02e9  | 0x56a2b5f0  | kernel32.dll_ExitProcess
0x02fd  | 0xe553a458  | kernel32.dll_VirtualAlloc
0x0318  | 0xe2899612  | wininet.dll_InternetReadFile
--------------------------------------------------------------------------------

cs_payload_extractor.py

Payload extractor and parser for various encoded formats (hex, hex_array, hex_veil, dec_array, chr_array, base64, xor, inflate, gzip).

Usage:

cs_payload_extractor.py <file_or_directory>

Example:

cs_payload_extractor.py memdump.bin
cs_payload_extractor.py c:\cs_payloads\

Output:

<filename>_payload.bin
<filename>_payload.bin.log

--------------------------------------------------------------------------------
CS Payload extractor v1.00                                  Avast Software s.r.o
--------------------------------------------------------------------------------
[*] Extracting file..
--------------------------------------------------------------------------------
Filename:       fhttps_exe_x86
Payload type:   xored_payload
--------------------------------------------------------------------------------
Saved as:       fhttps_exe_x86_payload.bin
--------------------------------------------------------------------------------
[*] Parsing file..
--------------------------------------------------------------------------------
Filename:       fhttps_exe_x86_payload.bin
--------------------------------------------------------------------------------
Architecture:   x86
Payload type:   HTTPS stager
Payload start:  0x0000
Customer ID:    0x12345678 | 305419896
--------------------------------------------------------------------------------
Request detail:
Address:        192.168.42.2
Port:           444
Query:          /IZVc (Beacon_x86 checksum)
--------------------------------------------------------------------------------
Request header:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASP)
--------------------------------------------------------------------------------
Curl download command:
curl -o beacon_x86.bin -H "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASP)" https://192.168.42.2:444/IZVc
--------------------------------------------------------------------------------
Payload API list:
Offset  | Hash value  | API name
0x009c  | 0x0726774c  | kernel32.dll_LoadLibraryA
0x00af  | 0xa779563a  | wininet.dll_InternetOpenA
0x00cb  | 0xc69f8957  | wininet.dll_InternetConnectA
0x00e7  | 0x3b2e55eb  | wininet.dll_HttpOpenRequestA
0x0100  | 0x869e4675  | wininet.dll_InternetSetOptionA
0x0110  | 0x7b18062d  | wininet.dll_HttpSendRequestA
0x0129  | 0x5de2c5aa  | kernel32.dll_GetLastError
0x0132  | 0x315e2145  | user32.dll_GetDesktopWindow
0x0141  | 0x0be057b7  | wininet.dll_InternetErrorDlg
0x02e9  | 0x56a2b5f0  | kernel32.dll_ExitProcess
0x02fd  | 0xe553a458  | kernel32.dll_VirtualAlloc
0x0318  | 0xe2899612  | wininet.dll_InternetReadFile
--------------------------------------------------------------------------------