From 66cc9ecf858e76967cad412c2c4e5333ff9eb2dc Mon Sep 17 00:00:00 2001
From: Nicolas Bareil
Date: Tue, 19 Dec 2023 14:23:40 +0100
Subject: [PATCH 1/2] Add entry-point to setup.py to make it easily installable

---
 parse_beacon_config.py | 5 ++++-
 setup.py               | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/parse_beacon_config.py b/parse_beacon_config.py
index d232013..788bf18 100644
--- a/parse_beacon_config.py
+++ b/parse_beacon_config.py
@@ -528,7 +528,7 @@ def parse_encrypted_config(self, version=None, quiet=False, as_json=False):
         return self.parse_config(version=version, quiet=quiet, as_json=as_json)
 
 
-if __name__ == '__main__':
+def main():
     parser = argparse.ArgumentParser(description="Parses CobaltStrike Beacon's configuration from PE, memory dump or URL.")
     parser.add_argument("beacon", help="This can be a file path or a url (if started with http/s)")
     parser.add_argument("--json", help="Print as json", action="store_true", default=False)
@@ -559,3 +559,6 @@ def parse_encrypted_config(self, version=None, quiet=False, as_json=False):
         print("[-] Failed to find any beacon configuration")
         exit(1)
 
+
+if __name__ == '__main__':
+    main()
diff --git a/setup.py b/setup.py
index 8a8dc84..e6c64ab 100644
--- a/setup.py
+++ b/setup.py
@@ -12,6 +12,11 @@
     long_description=long_description,
     url="https://github.com/Sentinel-One/CobaltStrikeParser",
     py_modules=["parse_beacon_config", "beacon_utils"],
+    entry_points = {
+        'console_scripts': [
+            'parse_beacon_config = parse_beacon_config:main',
+        ],
+    },
     install_requires=["urllib3",
                       "requests",
                       "netstruct==1.1.2",

From fbd8c84de3c9ed1101ba698f397f310bf3bf8171 Mon Sep 17 00:00:00 2001
From: Nicolas Bareil
Date: Tue, 19 Dec 2023 14:25:21 +0100
Subject: [PATCH 2/2] Update the CLI name

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 1d17fa2..5636e52 100644
--- a/README.md
+++ b/README.md
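Review bot: `exit(1)` in the second parse_beacon_config.py hunk (@@ -559) relies on the `exit` name that the site module injects for interactive use; it is undefined under `python -S` and is not the idiom for a program, which matters now that `main()` is a packaged console-script entry point. Prefer `sys.exit(1)` (assuming `sys` is already imported at the top of the file, which is outside the hunk) or `return 1`, since the setuptools wrapper runs `sys.exit(main())`. The failure message on the preceding `print(...)` line goes to stdout, so a caller using the `--json` flag declared in the first hunk and parsing stdout gets a non-JSON line on failure; `print("[-] Failed to find any beacon configuration", file=sys.stderr)` keeps stdout machine-readable. The new `def main():` in the first hunk has no docstring; suggest `"""CLI entry point: parse a Beacon config from a file, memory dump or URL and print it."""`. The body of main() between the two hunks is outside this view.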
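Review bot: The added `entry_points = {` line in the setup.py hunk puts spaces around `=` in a keyword argument, which PEP 8 discourages and which differs from the neighbouring `py_modules=[...]` and `install_requires=[...]`; write it as `entry_points={`. Note also that `entry_points` is honoured only by `setuptools.setup`, not by `distutils.core.setup`; the import at the top of setup.py is outside the hunk, so confirm it is the setuptools one or the console script will be silently skipped at install time.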
@@ -2,7 +2,7 @@ Python parser for CobaltStrike Beacon's configuration
 ## Description
-Use `parse_beacon_config.py` for stageless beacons, memory dumps or C2 urls with metasploit compatibility mode (default true).
+Use `parse_beacon_config` for stageless beacons, memory dumps or C2 urls with metasploit compatibility mode (default true).
 Many stageless beacons are PEs where the beacon code itself is stored in the `.data` section and xored with 4-byte key.
 The script tries to find the xor key and data heuristically, decrypt the data and parse the configuration from it.
@@ -12,7 +12,7 @@ The repo now also includes a small commuincation module (comm.py) that can help
 ## Usage
 ```
-usage: parse_beacon_config.py [-h] [--json] [--quiet] [--version VERSION] beacon
+usage: parse_beacon_config [-h] [--json] [--quiet] [--version VERSION] beacon
 
 Parses CobaltStrike Beacon's configuration from PE, memory dump or URL.
 
@@ -28,4 +28,4 @@ optional arguments:
 ## Extra
 To use the communication poc copy it to the main folder and run it from there.
-For installing the M2Crypto library (a requirement for the poc) on Windows, it's easiest with installers found online, and not through pip.
\ No newline at end of file
+For installing the M2Crypto library (a requirement for the poc) on Windows, it's easiest with installers found online, and not through pip.