Using Kaitai Struct to Parse Cobalt Strike Beacon Configs

Parsing Beacon Configs: Basics

Two I-TLV structures at the beginning of the sample config.
Config field 0x8 showing an example blob structure in the sample data
config_entry:
  seq:
    - id: index
      type: u2
    - id: fieldtype
      type: u2
    - id: fieldlength
      type: u2
    - id: fieldvalue
      size: fieldlength
      type:
        switch-on: fieldtype
        cases:
          1: u2
          2: u4
          3: bytes
bytes:
  seq:
    - id: byte_val
      type:
        switch-on: _parent._parent.index
        cases:
          11: transform_blocks
          12: req_malleablec2
          13: req_malleablec2
          42: gargle_section
          46: procinj_transform
          47: procinj_transform
          # ....... SUB STRUCTURES CONTINUE
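As an added example (not part of the original post or its Kaitai parser), the following Python walks the I-TLV layout described above over a constructed config blob: a u2 index, u2 fieldtype, u2 fieldlength, then a value decoded as u2, u4 or raw bytes by fieldtype. It assumes big-endian headers and treats an all-zero header as the padding that follows the last entry; both are assumptions, and the length checks show where a malformed blob is rejected instead of silently misparsed.

```python
import struct
from typing import Dict, Union

# Constructed sample: three entries laid out as the config_entry .ksy above
# describes (index, fieldtype, fieldlength, value), followed by zero padding.
SAMPLE_CONFIG = (
    bytes.fromhex("0001 0001 0002 0008")           # index 1, type 1 (u2), len 2, value 8
    + bytes.fromhex("0002 0002 0004 0000 1f90")    # index 2, type 2 (u4), len 4, value 8080
    + bytes.fromhex("0008 0003 0006") + b"abcdef"  # index 8, type 3 (bytes), len 6
    + bytes(8)                                     # assumed: zero padding ends the config
)

WIDTH_FOR_TYPE = {1: 2, 2: 4}  # fieldtype -> fixed width of an integer value


def parse_config_entries(blob: bytes) -> Dict[int, Union[int, bytes]]:
    """Walk the I-TLV stream and return {index: decoded value}."""
    entries: Dict[int, Union[int, bytes]] = {}
    off = 0
    while off + 6 <= len(blob):
        index, ftype, flen = struct.unpack_from(">HHH", blob, off)  # assumed big-endian
        off += 6
        if index == 0 and ftype == 0:
            break  # assumed: all-zero header marks trailing padding
        if off + flen > len(blob):
            raise ValueError(f"entry {index}: length {flen} runs past end of data")
        raw = blob[off:off + flen]
        off += flen
        if ftype in WIDTH_FOR_TYPE:
            # The declared length must match the integer width the type implies.
            if flen != WIDTH_FOR_TYPE[ftype]:
                raise ValueError(
                    f"entry {index}: type {ftype} expects {WIDTH_FOR_TYPE[ftype]} bytes, got {flen}"
                )
            entries[index] = int.from_bytes(raw, "big")
        elif ftype == 3:
            entries[index] = raw  # sub-structure parsing (by index) would go here
        else:
            raise ValueError(f"entry {index}: unknown fieldtype {ftype}")
    return entries


def config_error(blob: bytes) -> str:
    """Return an empty string if the blob parses, else the parser's complaint."""
    try:
        parse_config_entries(blob)
        return ""
    except ValueError as exc:
        return str(exc)
```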

Beacon Configs: Malleable C2

Comparison showing the binary structure for malleable c2 and the actual written c2 profile.
malleable_block:
  seq:
    - id: statement
      type: u4
      enum: transform_actions
    - id: statement_value
      type:
        switch-on: statement
        cases:
          transform_actions::uheader: length_val_string
          transform_actions::uparameter: length_val_string
          transform_actions::build: data_transform
          transform_actions::uhostheader: length_val_string
      if: statement != transform_actions::stop

output {
    base64;
    print;
}
Example DataTransform block within the binary structure.
data_transform:
  seq:
    - id: type_code
      type: u4
    - id: transform_statement
      type: transform_statement
      repeat: until
      repeat-until: _.action == <TERMINATION ACTION>
transform_statement:
  seq:
    - id: action
      type: u4
      enum: transform_actions
    - id: action_args
      type:
        switch-on: action
        cases:
          transform_actions::append: length_val_bytes
          transform_actions::prepend: length_val_bytes
          transform_actions::termination_header: length_val_string
          transform_actions::termination_parameter: length_val_string
      if: <NOT A TERMINATION ACTION>
GraphViz output of my parser structs. This is not very pretty but so easy to generate!
Screenshot of simple HTML/Javascript wrapper POC using my Kaitai Struct Beacon Config Parser. Some wrapping functionality is required to display and pretty print the structure information.

Would I do it again?
