Port and Sleep Settings reported incorrectly for CS4 beacon
FranticTyping opened this issue
Hi,
Thanks for releasing this tool. Testing it across a couple of samples shows a few incorrectly reported settings for a CS4.0 memory dump:
Port - 450
SleepTime - 50090
Sleep should be 60000 in the above example, and the remote port should be 443. I can't provide the sample in this case, but thought it would be worth highlighting for visibility.
Thanks for the notice! I will check it.
I found an example on VT which should help you debug:
Running the sample above through this parser results in:
BeaconType - HTTPS
Port - 450
SleepTime - 50090
MaxGetSize - 1048576
Jitter - 0
MaxDNS - 195
However, the output should be:
Cobalt Strike Config:
0x01 - Beacon type : '0x1 (HTTPS)'
0x02 - Port : 443
0x03 - Polling (ms) : 60000
0x04 - Max Get : 1048576
0x05 - Jitter : 0
0x06 - Max DNS : 255
Looks like the offsets for the Port, Polling and MaxDNS might be wrong?
Hope this helps.
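The bug class described in this report (fixed offsets that land on the wrong bytes for Port, Polling and MaxDNS) is avoided by walking the config record by record. The following is an added example, not the parser this issue is about: it builds a constructed config blob carrying the values the reporter expected and parses it by record header, so a read that drifts off a record boundary fails a length check instead of silently returning a wrong number.

```python
import struct

# Constructed example config, not taken from the sample discussed in the issue.
# Cobalt Strike beacon config records are big-endian: uint16 index, uint16 type,
# uint16 length, then the value. type 1 = 2-byte short, 2 = 4-byte int, 3 = raw bytes.
SETTING_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime",
                 4: "MaxGetSize", 5: "Jitter", 6: "MaxDNS"}
TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3

def build_record(index, kind, value):
    # Encode one setting record; only used to construct the sample blob below.
    if kind == TYPE_SHORT:
        body = struct.pack(">H", value)
    elif kind == TYPE_INT:
        body = struct.pack(">I", value)
    else:
        body = value
    return struct.pack(">HHH", index, kind, len(body)) + body

def parse_config(blob, xor_key=None):
    # Walk the records in order instead of reading values at fixed offsets.
    if xor_key is not None:
        blob = bytes(b ^ xor_key for b in blob)
    settings, pos = {}, 0
    while pos + 6 <= len(blob):
        index, kind, length = struct.unpack_from(">HHH", blob, pos)
        pos += 6
        if index == 0:            # an all-zero record terminates the config
            break
        raw, pos = blob[pos:pos + length], pos + length
        # Length must agree with type; a parse that drifted off a record boundary trips this.
        if kind == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif kind == TYPE_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif kind == TYPE_BYTES and len(raw) == length:
            value = raw
        else:
            raise ValueError(f"setting {index}: type {kind}, length {length} inconsistent")
        settings[SETTING_NAMES.get(index, f"Setting{index}")] = value
    return settings

# Plain records carrying the values the reporter expected, then XOR-obfuscated
# with a single byte, as 4.x beacons store the config (0x2e is the 4.x key).
_PLAIN = (build_record(1, TYPE_SHORT, 1) + build_record(2, TYPE_SHORT, 443)
          + build_record(3, TYPE_INT, 60000) + build_record(4, TYPE_INT, 1048576)
          + build_record(5, TYPE_SHORT, 0) + build_record(6, TYPE_SHORT, 255)
          + b"\x00" * 6)
SAMPLE_CONFIG = bytes(b ^ 0x2e for b in _PLAIN)
```

Parsing `SAMPLE_CONFIG` with `xor_key=0x2e` yields Port 443, SleepTime 60000 and MaxDNS 255; parsing it with the wrong key raises rather than reporting plausible-looking garbage.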
Found the bug and updated the repo :)
You can now try again.
Please comment if it's fixed for you
Just tried it on a few other CS samples and it looks like it's working perfectly now. Thanks again for open sourcing this tool :)