The easiest way to install dissect.cobaltstrike is to use pip:
$ pip install dissect.cobaltstrike
Python 3.7 or higher is required, and the package has the following hard dependencies:
- dissect.cstruct - for structure parsing
- lark - for parsing Malleable C2 profiles
The following pip extras (optional dependency flavours) are provided as well:
$ pip install dissect.cobaltstrike[c2]
$ pip install dissect.cobaltstrike[pcap]
$ pip install dissect.cobaltstrike[full]
- [c2] - if you want to communicate with Cobalt Strike Team Servers, e.g. tools/beacon-client.
- [pcap] - if you want to parse and decrypt PCAPs containing Beacon traffic, e.g. tools/beacon-pcap.
- [full] - provides both of the above and also installs rich for prettier console logging.
If you want to install dissect.cobaltstrike from source, you can use the following steps:
$ git clone https://github.com/fox-it/dissect.cobaltstrike.git
$ cd dissect.cobaltstrike
$ pip install --editable .[full]
Using a virtual environment is recommended. The --editable flag ensures that any changes you make to the source code directly affect the installed package.
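The steps above as a small preflight script (an added example, not part of dissect.cobaltstrike): it checks the documented Python 3.7 floor, installs one of the documented extras into a virtual environment, and verifies that the two hard dependencies import. The ./venv path and the python3 interpreter name are assumptions.

```shell
#!/bin/sh
# Preflight installer for dissect.cobaltstrike (added example, not project code).
set -eu

# minor_of VERSION: second component of a dotted version, 0 if absent
minor_of() {
    case "$1" in
        *.*) r=${1#*.}; echo "${r%%.*}" ;;
        *)   echo 0 ;;
    esac
}

# version_ge A B: succeed when major.minor of A is >= major.minor of B
version_ge() {
    a_major=${1%%.*}; a_minor=$(minor_of "$1")
    b_major=${2%%.*}; b_minor=$(minor_of "$2")
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]
}

# python_ok: the interpreter must satisfy the documented "Python 3.7 or higher"
python_ok() {
    v=$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])')
    version_ge "$v" "3.7"
}

# install_extra EXTRA: one of the documented flavours c2 | pcap | full,
# installed into ./venv (assumed path), then import-checked
install_extra() {
    python_ok || { echo "Python 3.7 or higher is required" >&2; return 1; }
    python3 -m venv venv
    ./venv/bin/pip install "dissect.cobaltstrike[$1]"
    # both hard dependencies and the package itself must be importable
    ./venv/bin/python -c 'import dissect.cstruct, lark, dissect.cobaltstrike'
}

# usage: ./preflight.sh pcap   (installs the [pcap] flavour and verifies it)
if [ -n "${1:-}" ]; then
    install_extra "$1"
fi
```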
The test suite uses pytest; running it through tox is the recommended way:
$ pip install tox
$ tox
This will run the tests on both Python 3 and PyPy3. To limit the run to Python 3 only, use:
$ tox -e py3
You can also pass custom arguments to pytest by appending them after -- (two dashes), e.g. to run only the tests with checksum8 in their name, with verbose output and stdout logging:
$ tox -e py3 -- -vs -k checksum8
Note
The test suite contains zipped Beacon payloads that are used as test fixtures and are unzipped during some tests. Running the test suite on Windows could therefore trigger Windows Defender or your antivirus.
For linting (black and flake8):
$ tox -e lint
To generate the documentation locally (sphinx):
$ tox -e docs