fox-it / dissect.cobaltstrike
Python library for dissecting and parsing Cobalt Strike related data such as Beacon payloads and Malleable C2 Profiles
☆145 · Updated 8 months ago
Related projects:
- Cobalt Strike Beacon configuration extractor and parser. ☆142 · Updated 3 years ago
- Load any Beacon Object File using PowerShell! ☆245 · Updated 2 years ago
- Simple EDR implementation to demonstrate bypass. ☆152 · Updated 4 years ago
- Rogue Assembly Hunter is a utility for discovering 'interesting' .NET CLR modules in running processes. ☆114 · Updated 2 years ago
- Open Dataset of Cobalt Strike Beacon metadata (2018-2022). ☆122 · Updated 2 years ago
- Finding secrets in kernel and user memory. ☆112 · Updated last year
- Cobalt Strike Beacon Object Files. ☆158 · Updated 2 years ago
- Yapscan is a YAra based Process SCANner, aimed at giving more control over what to scan and giving detailed reports on matches. ☆55 · Updated last year
- A collection of tools and rules for decoding Brute Ratel C4 badgers. ☆61 · Updated 2 years ago
- Apply a filter to the events being reported by Windows event logging. ☆259 · Updated 3 years ago
- ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Wind… ☆156 · Updated last year
- WNF Code Execution Library using C#. ☆108 · Updated 4 years ago
- A collection of scripts for dealing with Cobalt Strike beacons in Python. ☆167 · Updated 3 years ago
- MSI Dump - a tool that analyzes malicious MSI installation packages, extracts files, streams and binary data, and incorporates a YARA scanner. ☆190 · Updated last year
- VBScript & VBA source-to-source deobfuscator with partial evaluation. ☆72 · Updated last month
- ☆153 · Updated this week
- ☆110 · Updated 2 years ago
- This repo will contain the core detection, only for Cobalt Strike's leaked versions. Non-leaked version detections won't be shared. ☆84 · Updated 11 months ago
- Scripts for performing and detecting parent PID spoofing. ☆136 · Updated 4 years ago
- Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in-memory dump of a process and send that b… ☆229 · Updated 3 years ago
- Signature-based detection of malware features based on Windows API call sequences. It's like YARA for sandbox API traces! ☆80 · Updated last year
- A fake AMSI Provider which can be used for persistence. ☆134 · Updated 3 years ago
- Execute PowerShell code at the antimalware-light protection level. ☆135 · Updated last year
- A basic emulation of an "RPC Backdoor". ☆207 · Updated 2 years ago
- C# implementation of the Hell's Gate VX technique. ☆208 · Updated 4 years ago
- ☆123 · Updated 2 years ago
- Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider. ☆157 · Updated last year
- ☆140 · Updated this week
- Enumerate various traits from Windows processes as an aid to threat hunting. ☆180 · Updated 2 years ago