Cobalt Strike is a commercial penetration testing tool, which gives security testers access to a large variety of attack capabilities. This tool aims to detect Cobalt Strike servers from traffic telemetry, replacing the much-used endpoint telemetry.
The construction of this project was inspired on the reports How I Meet Your Beacon - Cobalt Strike by MDSec, and How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect by Palo Alto Unit 42.
Clone the repository:
git clone https://github.com/eremit4/cs-discovery.gitOptional - Create a virtualenv before install the dependencies
Note: The use of virtual environments is optional, but recommended. In this way, we avoid possible conflicts in different versions of the project's dependencies. Learn how to install and use virtualenv according to your OS here
Install the dependencies:
pip install -r requirements.txtDiscovering the project capabilities:
python cs_discovery.py --helpRunning against a single target to detect Team Servers using the encoded byte:
python cs_discovery.py --url <target>Running against multiple targets to detect Team Servers using the encoded byte:
python cs_discovery.py --file <filepath>Running against a single target to detect Team Servers using byte encoded and other optional method:
python cs_discovery.py --url <target> --<optional flag>
This project is under the MIT License.