Are there specific software requirements?

The skill utilizes Python 3.9+ along with specialized libraries such as dissect.cobaltstrike, pefile, and yara-python for deep analysis.

What file types can this skill analyze?

It is designed to extract data from Windows PE files, stageless beacons, shellcode, and raw memory dumps where Cobalt Strike artifacts are present.

What information does it extract from malleable C2 profiles?

It extracts HTTP request/response transformations, including URI paths, headers, User-Agents, and data encoding methods used to disguise traffic.

Can this skill help with attribution?

Yes, by extracting the unique 4-byte watermark embedded in the beacon, analysts can often cross-reference the payload with known leaked licenses or specific threat actor campaigns.

Does it support multiple Cobalt Strike versions?

Yes, it supports both Version 3 (using the 0x69 XOR key) and Version 4 (using the 0x2e XOR key) configuration formats.

Cobalt Strike Beacon Analysis

Name: Cobalt Strike Beacon Analysis
Author: mukul975

bymukul975

•

4,121

•

Seguridad y Pruebas

Extracts and analyzes Cobalt Strike beacon configurations to identify command-and-control infrastructure and attacker tradecraft.

This skill empowers security analysts and incident responders to automate the extraction of critical metadata from Cobalt Strike payloads. By decrypting XOR-encoded configuration blocks within PE files or memory dumps, it reveals C2 domains, malleable profiles, watermarks, and encryption keys. This functionality is essential for mapping attacker infrastructure, generating high-fidelity detection rules, and performing rapid incident attribution during active cybersecurity breaches.

Características Principales

01Automates XOR decryption for Cobalt Strike version 3 and 4 beacons

02Generates YARA rules and network signatures for proactive threat hunting

03Parses Type-Length-Value (TLV) configuration entries for C2 identification

04Extracts malleable C2 profile settings to reveal traffic masking techniques

05Identifies unique watermarks to assist in threat actor attribution

064,121 GitHub stars

Casos de Uso

01Threat hunting for command-and-control infrastructure

02Automated malware analysis for SOC and threat intelligence teams

03Incident response during active malware infections

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills analyzing-cobalt-strike-beacon-configuration

For use in Claude.ai and ChatGPT

Características Principales

01Automates XOR decryption for Cobalt Strike version 3 and 4 beacons

02Generates YARA rules and network signatures for proactive threat hunting

03Parses Type-Length-Value (TLV) configuration entries for C2 identification

04Extracts malleable C2 profile settings to reveal traffic masking techniques

05Identifies unique watermarks to assist in threat actor attribution

064,121 GitHub stars

Casos de Uso

01Threat hunting for command-and-control infrastructure

02Automated malware analysis for SOC and threat intelligence teams

03Incident response during active malware infections

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills analyzing-cobalt-strike-beacon-configuration

For use in Claude.ai and ChatGPT