Releases: Apr4h/CobaltStrikeScan
CobaltStrikeScan v.1.1.2
New Features
- CobaltStrikeScan now uses YARA signatures from Neo23x0's Signature Base which significantly improves the detection rate!
Bug Fixes
- Fixed a bug that prevented some beacon configs from being output to the console
- Modified the YARA rule to improve detection of non-encoded beacon configs
CobaltStrikeScan v.1.1.1
New Features
- Users can choose to scan ALL (x64) running processes for Cobalt Strike beacons instead of only injected threads
- The '-d' option scans every dump file in a directory for Cobalt Strike beacons
- Added support for scanning large dump files (> 2GB), e.g. RAM captures (process information is not output for these)
- Added the ability to detect and parse non-encoded configuration sections (usually found when trial versions of Cobalt Strike are used)
Bug Fixes
- Fixed a bug where scanning a dump file would only parse and output the first beacon detection
- Stopped outputting duplicate instances of the same beacon found in a single process/file
CobaltStrikeScan v1.0.1
- Fixed a bug when parsing undocumented configuration fields in v4 beacons
CobaltStrikeScan v1.0
- CobaltStrikeScan is a standalone .NET assembly.
- Requires .NET Framework v4.6 and 64-bit Windows.