Extracting Beacon Configuration from Minidump
Overview

Extract the configuration from a process memory dump that contains a running beacon. Initial extraction on the full minidump file fails (TODO: figure out exactly why it fails). Using yara to find the memory segment where the beacon resides and passing only that segment to dissect.cobaltstrike allows the configuration to be extracted properly.

Libraries

- dissect.cobaltstrike
- minidump
- yara

Samples

The sample was chosen somewhat randomly from the results of the following VirusTotal search.

VT Search: crowdsourced_yara_rule:000aa75fc2|CobaltStrike_Sleep_Decoder_Indicator trid:"Windows Minidump"

```python
from dissect.cobaltstrike.beacon import BeaconConfig
from dissect.cobaltstrike import beacon
from minidump.minidumpfile import MinidumpFile
import yara
from pprint import pprint

SAMPLE = "../../malware/minidumps/beacon.mdmp"
```

Attempt Extraction on full dump

Using the normal method (BeaconConfig.from_file) and the iter_beacon_config_blocks method recommended by the documentation.

...
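To make concrete what the segment-by-segment approach buys you, here is an added, self-contained re-implementation of the core of the technique in pure Python: walk the dump's memory segments, look in each for the XOR-encoded marker that every beacon config starts with (setting 1, type short, length 2, encoded with the single-byte key 0x2e for 4.x or 0x69 for 3.x beacons, the same marker the common yara rules and dissect.cobaltstrike key on), decode the block and parse the TLV settings. It is not code from this page, from dissect.cobaltstrike or from yara; the "minidump" is a constructed list of (virtual address, bytes) segments standing in for MinidumpFile.memory_segments, the config is built from a constructed subset of setting indices, and the 256-byte padding of string settings and the 4 KiB config size are simplifying assumptions (real beacons use per-setting sizes).

```python
import struct

# Single-byte XOR keys Cobalt Strike uses for the embedded config:
# 0x2e for 4.x beacons, 0x69 for 3.x beacons.
XOR_KEYS = (0x2E, 0x69)

# Every beacon config starts with setting 1 (BeaconType) encoded as
# index=1, type=1 (short), length=2. These six plaintext bytes are the
# marker to scan for; XORed with 0x2e they become 2e 2f 2e 2f 2e 2c.
CONFIG_PREFIX = b"\x00\x01\x00\x01\x00\x02"

TYPE_SHORT, TYPE_INT, TYPE_BYTES = 1, 2, 3

# Subset of setting indices, enough for this demonstration.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
    5: "Jitter", 8: "C2Server", 9: "UserAgent",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_config(settings, key: int, size: int = 4096) -> bytes:
    """Build an XOR-encoded config blob the way a beacon carries it.
    Used here only to construct sample input. settings: [(index, type, value)].
    Assumption: string settings padded to 256 bytes, whole area zero padded to `size`."""
    out = bytearray()
    for index, typ, value in settings:
        if typ == TYPE_SHORT:
            payload = struct.pack(">H", value)
        elif typ == TYPE_INT:
            payload = struct.pack(">I", value)
        else:
            payload = value.ljust(256, b"\x00")
        out += struct.pack(">HHH", index, typ, len(payload)) + payload
    out += b"\x00" * (size - len(out))
    return xor_bytes(bytes(out), key)


def parse_config(plain: bytes) -> dict:
    """Decode TLV settings (big-endian index, type, length) from a decoded
    config until the zero-index terminator."""
    settings = {}
    pos = 0
    while pos + 6 <= len(plain):
        index, typ, length = struct.unpack_from(">HHH", plain, pos)
        if index == 0:
            break
        pos += 6
        raw = plain[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT:
            value = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00")
        settings[SETTING_NAMES.get(index, f"setting_{index}")] = value
    return settings


def find_config_blocks(segments):
    """segments: iterable of (virtual_address, data), one per dumped memory region.
    Yields (virtual address of the config, xor key, decoded blob) per marker hit."""
    for base, data in segments:
        for key in XOR_KEYS:
            marker = xor_bytes(CONFIG_PREFIX, key)
            pos = data.find(marker)
            while pos != -1:
                yield base + pos, key, xor_bytes(data[pos:], key)
                pos = data.find(marker, pos + 1)


def extract_beacon_config(segments):
    """Return the first candidate whose settings look like a real config."""
    for va, key, plain in find_config_blocks(segments):
        settings = parse_config(plain)
        if "C2Server" in settings:  # a marker hit without a C2 server is a false positive
            return {"va": va, "key": key, "settings": settings}
    return None


# Constructed sample: three "memory segments", the reflectively loaded beacon in the
# middle one with its XOR-encoded config 0x300 bytes into the region.
SAMPLE_SETTINGS = [
    (1, TYPE_SHORT, 0),            # BeaconType 0 = HTTP
    (2, TYPE_SHORT, 443),
    (3, TYPE_INT, 60000),          # sleep in ms
    (4, TYPE_INT, 1048576),
    (5, TYPE_SHORT, 20),           # jitter percent
    (8, TYPE_BYTES, b"c2.example.invalid,/jquery-3.3.1.min.js"),
    (9, TYPE_BYTES, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]


def build_sample_segments():
    beacon_region = b"\xcc" * 0x300 + encode_config(SAMPLE_SETTINGS, key=0x2E) + b"\x00" * 0x100
    return [
        (0x00400000, b"MZ" + b"\x90" * 0x1000),       # unrelated host module
        (0x7FF6C0A00000, beacon_region),               # beacon memory
        (0x1E0A5C00000, b"\x00" * 0x800),              # heap, nothing of interest
    ]


if __name__ == "__main__":
    from pprint import pprint
    pprint(extract_beacon_config(build_sample_segments()))
```

The virtual address returned is what you would compare against the segment yara flags in the real dump; the per-segment loop also matters because the XORed zero padding (long runs of 0x2e or 0x69) is a cheap secondary indicator when the marker search turns up several candidates.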