#! /usr/bin/python3
import io
import os
import unittest
from parse_beacon_config import cobaltstrikeConfig
from zipfile import ZipFile
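def decrypt_sample(zip_path):
    """Return the first member of a password-protected sample archive as a BytesIO.

    The beacon samples under ``samples/`` are stored as zip archives protected
    with the conventional ``infected`` password, so the raw sample bytes are
    never kept on disk in the clear; the member is extracted into memory only.

    Args:
        zip_path: path to the ``.zip`` archive holding one sample.

    Returns:
        ``io.BytesIO`` positioned at the start of the decrypted member.

    Raises:
        ValueError: if the archive contains no members. The previous
            implementation fell off the end of its loop and returned ``None``
            here, which only surfaced later as an unrelated error inside the
            parser.
        RuntimeError: propagated from ``zipfile`` when the member is encrypted
            with a different password.
    """
    with ZipFile(zip_path) as archive:
        names = archive.namelist()
        if not names:
            raise ValueError(f"{zip_path}: sample archive contains no members")
        # Only the first member is used; each sample archive is expected to
        # hold exactly one beacon. The password is ignored by zipfile for
        # members that are not encrypted.
        return io.BytesIO(archive.read(names[0], pwd=b"infected"))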
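class TestBeaconParsing(unittest.TestCase):
    """Regression tests for ``cobaltstrikeConfig`` against known beacon samples.

    Every sample lives in ``samples/`` next to this file as a password-protected
    zip (see ``decrypt_sample``), named by a 64-hex-digit hash (presumably the
    sample's SHA-256). Each test decrypts one sample into memory, runs the
    parser on it and pins a single configuration field to a known value, so a
    change in the parser's output shows up as a concrete field mismatch.
    """

    def _parse(self, sample_name, encrypted=True):
        """Decrypt ``sample_name`` from ``samples/`` and return its parsed config.

        Args:
            sample_name: file name of the zip inside ``samples/``.
            encrypted: when True use ``parse_encrypted_config()``; when False
                use ``parse_config()`` (the trial-beacon test takes that path).

        Returns:
            whatever the chosen parser method returns (a ``.get``-able config
            mapping, going by how the tests read it).
        """
        # Resolved relative to this file so the tests work from any cwd.
        path = os.path.join(os.path.dirname(__file__), "samples", sample_name)
        parser = cobaltstrikeConfig(decrypt_sample(path))
        if encrypted:
            return parser.parse_encrypted_config()
        return parser.parse_config()

    def test_non_pe_x86(self):
        """Non-PE x86 sample: the HTTP POST URI is recovered from the encrypted config."""
        conf = self._parse(
            "13e954be0b0c022c392c956e9a800201a75dab7e288230b835bcdd4a9d68253d.zip"
        )
        self.assertEqual(conf.get("HttpPostUri"), "/submit.php")

    def test_encrypted_x86_64(self):
        """Encrypted x86-64 sample: the MD5 of the embedded public key is stable."""
        conf = self._parse(
            "10fd211ba97ddf12aecb1e7931d92c3ba37421c362cb1490e0203c1bd88ec141.zip"
        )
        self.assertEqual(conf.get("PublicKey_MD5"), "d2c8ec15d925e2514714d619022f7cdf")

    def test_encrypted_x86(self):
        """Encrypted x86 sample: the MD5 of the embedded public key is stable."""
        conf = self._parse(
            "7773169ca4ea81203a550dfebe53f091a8c57a3a5b12386e51c5a05194fef3ff.zip"
        )
        self.assertEqual(conf.get("PublicKey_MD5"), "8ac540617dddcdf575f6dc207abb7344")

    def test_trial_beacon_x86(self):
        """Trial x86 beacon: parsed via ``parse_config()`` and checked on a GET-metadata header."""
        conf = self._parse(
            "4d1d732125e4d1a3ba0571e0cd892cf8e0dce854387ee405f75df4dcfb0f616b.zip",
            encrypted=False,
        )
        self.assertIn('header "CGGGGG"', conf.get("HttpGet_Metadata").get("Metadata"))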
# Allow running this file directly (`python3 test_parse_beacon_config.py`)
# in addition to discovery via `python3 -m unittest`.
if __name__ == "__main__":
    unittest.main()