You can use the command beacon-dump to dump configuration from Cobalt Strike beacon payloads.
If the command is not in your path, you can also run it through the following Python module:
$ python -m dissect.cobaltstrike.beacon --help
The beacon configuration is usually obfuscated using a single-byte XOR key. beacon-dump automatically tries all the default XOR keys (0x69 and 0x2e).
In case a beacon uses a non-default XOR key, you can specify the -a or --all-xor-keys argument to check all possible single-byte XOR keys. Note that this option is not recommended for large payloads such as memory dumps, because every one of the 256 candidate keys has to be tried over the whole input.
You can also use the -x or --xorkey option to specify a known XOR key, or a set of keys by repeating the argument:
$ beacon-dump -x 0xAC -x 0xCE -x 0x55 -x 0xED <beacon-file>
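The key search described above, as an added example written for this page (it is not code from dissect.cobaltstrike and does not use its API): the obfuscation is a symmetric single-byte XOR, so the candidate key can be tested by searching the blob for the XOR-encoded form of the header that every plaintext beacon configuration starts with (its first setting record: index 1, type 1, length 2, as three big-endian uint16 values). The same function covers the default-key, --all-xor-keys and --xorkey behaviours; the sample payload, its 0xAC key and its setting values are constructed for the example.

```python
"""Recover a single-byte-XOR obfuscated Cobalt Strike beacon configuration.

Added illustration for this page; not part of dissect.cobaltstrike.
"""

import struct
from typing import Dict, Iterable, Optional, Sequence, Tuple

# Default keys beacon-dump tries first (from the text above).
DEFAULT_XOR_KEYS: Tuple[int, ...] = (0x69, 0x2E)

# A plaintext beacon config begins with its first setting record:
# index=1 (BeaconType), type=1 (short), length=2, each a big-endian uint16.
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def find_config(blob: bytes, keys: Iterable[int]) -> Optional[Tuple[int, int]]:
    """Return (key, offset) for the first key under which the encoded config
    header occurs in blob, or None. Searching for the XOR-encoded magic means
    the whole blob is never decoded for keys that cannot be right."""
    for key in keys:
        offset = blob.find(xor_bytes(CONFIG_MAGIC, key))
        if offset != -1:
            return key, offset
    return None


def recover_config(blob: bytes, all_keys: bool = False,
                   xorkeys: Optional[Sequence[int]] = None) -> Optional[Tuple[int, bytes]]:
    """Mirror the three key-selection modes: explicit -x keys, -a (all 256
    single-byte keys), or the default key set. Returns (key, decoded_config)."""
    if xorkeys:
        keys: Iterable[int] = xorkeys
    elif all_keys:
        keys = range(256)          # expensive on large inputs such as memory dumps
    else:
        keys = DEFAULT_XOR_KEYS
    hit = find_config(blob, keys)
    if hit is None:
        return None
    key, offset = hit
    return key, xor_bytes(blob[offset:], key)


def parse_settings(config: bytes) -> Dict[int, object]:
    """Walk the decoded setting records (index, type, length, value) until the
    zero padding that follows the last setting. Type 1 is a short, 2 an int,
    anything else is kept as raw bytes."""
    settings: Dict[int, object] = {}
    pos = 0
    while pos + 6 <= len(config):
        index, kind, length = struct.unpack_from(">HHH", config, pos)
        if index == 0:
            break
        value = config[pos + 6:pos + 6 + length]
        if kind == 1:
            settings[index] = struct.unpack(">H", value)[0]
        elif kind == 2:
            settings[index] = struct.unpack(">I", value)[0]
        else:
            settings[index] = value
        pos += 6 + length
    return settings


# Constructed plaintext config: BeaconType=0, Port=80, SleepTime=4096, then padding.
PLAIN_CONFIG = (
    CONFIG_MAGIC + b"\x00\x00"
    + b"\x00\x02\x00\x01\x00\x02" + b"\x00\x50"
    + b"\x00\x03\x00\x02\x00\x04" + b"\x00\x00\x10\x00"
    + b"\x00" * 8
)
# Constructed obfuscated payload: some leading bytes, then the config XORed
# with the non-default key 0xAC (as in the -x example above).
SAMPLE_KEY = 0xAC
SAMPLE_PREFIX = b"MZ" + bytes(range(0x10, 0x20))
SAMPLE_PAYLOAD = SAMPLE_PREFIX + xor_bytes(PLAIN_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print("default keys:", recover_config(SAMPLE_PAYLOAD))
    key, config = recover_config(SAMPLE_PAYLOAD, all_keys=True)
    print(f"--all-xor-keys found key {key:#04x}:", parse_settings(config))
```

Run as a script, the default key set fails on the constructed sample (its key is 0xAC), the exhaustive search recovers it, and the decoded record stream parses back to the three settings the sample was built from.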
The output format can be specified using the -f or --format option. The following formats are supported:
normal: output the beacon configuration in a human-readable format of key/value pairs (default)
dumpstruct: output the beacon settings using cstruct.dumpstruct
c2profile: output the beacon configuration as a malleable C2 profile
raw: output the raw beacon configuration