irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add markdown wiki with 473 pages and zk browser

Browse Source 
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/generated/wiki/workflows/cobalt-strike-workflow.md
+67
View File
@@ -0,0 +1,67 @@
# Cobalt Strike Analysis
> Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux.
**FOR610 Labs:** 3.4
## Steps
### Step 1: Beacon Detection
**Tools:** [[tools/yara|yara]], [[tools/capa|capa]]
Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns.
```bash
yara-rules specimen.bin
capa specimen.exe
```
### Step 2: Configuration Extraction
**Tools:** [[tools/1768-py|1768-py]]
Parse beacon config: 1768.py <sample>. Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config.
```bash
1768.py shellcode.bin
```
### Step 3: Metadata Decryption
**Tools:** [[tools/cs-decrypt-metadata-py|cs-decrypt-metadata-py]]
Decrypt beacon metadata from network captures: cs-decrypt-metadata.py <metadata>. Reveals: computer name, user, process info sent to team server.
```bash
cs-decrypt-metadata.py <metadata_hex>
```
### Step 4: Key Extraction
**Tools:** [[tools/cs-extract-key-py|cs-extract-key-py]]
Extract encryption keys: cs-extract-key.py -f <process_dump>. Recovers AES and HMAC keys used for C2 communication encryption.
```bash
cs-extract-key.py -f <process_dump>
```
### Step 5: Traffic Decryption
**Tools:** [[tools/cs-parse-traffic-py|cs-parse-traffic-py]]
Decrypt C2 traffic: cs-parse-traffic.py -f <pcap> -k <keys>. Reveals: tasking commands, downloaded payloads, exfiltrated data.
```bash
cs-parse-traffic.py -f <capture.pcap> -k <keys_file>
```
### Step 6: Sleep Mask Analysis
**Tools:** [[tools/cs-analyze-processdump-py|cs-analyze-processdump-py]]
Analyze sleep mask: cs-analyze-processdump.py <dump>. Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics.
```bash
cs-analyze-processdump.py <process_dump>
```
### Step 7: Document Findings
Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators.
#cobalt-strike #c2 #beacon #didier-stevens #threat-intel #workflow