Add FOR610 tool/workflow knowledge base and data pipeline
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic).

Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -0,0 +1,69 @@
============================================================
Cobalt Strike Analysis
============================================================

Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux.

Related FOR610 Labs: 3.4

────────────────────────────────────────────────────────────

Step 1: Beacon Detection
Tools: yara, capa
Scan suspect file with YARA rules for CS signatures.
capa detects 'receive data from C2' and beacon-like
capabilities. Check for: characteristic 200KB+ size,
sleep patterns.

$ yara-rules specimen.bin
$ capa specimen.exe

Step 2: Configuration Extraction
Tools: 1768-py
Parse beacon config: 1768.py <sample>. Extracts: C2
URLs, user-agent, beacon interval, watermark, spawn-to
process, named pipes, proxy config.

$ 1768.py shellcode.bin

Step 3: Metadata Decryption
Tools: cs-decrypt-metadata-py
Decrypt beacon metadata from network captures: cs-
decrypt-metadata.py <metadata>. Reveals: computer
name, user, process info sent to team server.

$ cs-decrypt-metadata.py <metadata_hex>

Step 4: Key Extraction
Tools: cs-extract-key-py
Extract encryption keys: cs-extract-key.py -f
<process_dump>. Recovers AES and HMAC keys used for C2
communication encryption.

$ cs-extract-key.py -f <process_dump>

Step 5: Traffic Decryption
Tools: cs-parse-traffic-py
Decrypt C2 traffic: cs-parse-traffic.py -f <pcap> -k
<keys>. Reveals: tasking commands, downloaded
payloads, exfiltrated data.

$ cs-parse-traffic.py -f <capture.pcap> -k <keys_file>

Step 6: Sleep Mask Analysis
Tools: cs-analyze-processdump-py
Analyze sleep mask: cs-analyze-processdump.py <dump>.
Detects if beacon encrypts itself in memory during
sleep. Useful for memory forensics.

$ cs-analyze-processdump.py <process_dump>

Step 7: Document Findings
Record: C2 domains/IPs, beacon interval, watermark
(operator ID), user-agent strings, named pipe
patterns, spawn-to process, malleable C2 profile
indicators.

────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
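Review bot: Steps 3 and 5 take placeholders whose provenance the guide never states, so the workflow does not chain as written. Step 3's `<metadata_hex>` is the encrypted metadata blob the beacon sends to the team server in its check-in request (carried in an HTTP header under the default profile), and `cs-decrypt-metadata.py` also needs the private key or extracted keys to decrypt it; say where the analyst pulls that blob from the capture. Step 5's `-k <keys>` should state that it consumes the AES/HMAC keys recovered in Step 4 (and in which format), otherwise the reader has a `<keys_file>` with no origin. Two smaller points: in Step 1 the "characteristic 200KB+ size" applies to a full beacon DLL, not to stagers or raw shellcode, which are far smaller, so label it a heuristic rather than a check; and the step ordering places Key Extraction (process dump) after Metadata Decryption although the latter depends on it, so consider swapping Steps 3 and 4 or adding a one-line dependency note.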