{
	"id": "6703ee46-b8b5-470e-9a0e-e541b43f0ad6",
	"created_at": "2026-04-06T00:08:00.453162Z",
	"updated_at": "2026-04-10T03:24:24.257693Z",
	"deleted_at": null,
	"sha1_hash": "a81c173197ec589de8a8beada4932f335ea4a884",
	"title": "GitHub - Apr4h/CobaltStrikeScan: Scan files or process memory for CobaltStrike beacons and parse their configuration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86189,
	"plain_text": "GitHub - Apr4h/CobaltStrikeScan: Scan files or process memory\r\nfor CobaltStrike beacons and parse their configuration\r\nBy Apr4h\r\nArchived: 2026-04-02 11:44:31 UTC\r\nScan files or process memory for Cobalt Strike beacons and parse their configuration.\r\nCobaltStrikeScan scans Windows process memory for evidence of DLL injection (classic or reflective injection)\r\nand/or performs a YARA scan on the target process' memory for Cobalt Strike v3 and v4 beacon signatures.\r\nAlternatively, CobaltStrikeScan can perform the same YARA scan on a file supplied by absolute or relative path as\r\na command-line argument.\r\nIf a Cobalt Strike beacon is detected in the file or process, the beacon's configuration will be parsed and displayed\r\nto the console.\r\nCloning This Repo\r\nCobaltStrikeScan contains GetInjectedThreads as a submodule. Ensure you use git clone --recursive\r\nhttps://github.com/Apr4h/CobaltStrikeScan.git when cloning CobaltStrikeScan so that the submodule's code\r\nis also downloaded/cloned.\r\nBuilding the Solution\r\nCostura.Fody is configured to embed CommandLine.dll and libyara.NET.dll in the compiled CobaltStrikeScan.exe\r\nassembly. CobaltStrikeScan.exe should then serve as a static, portable version of CobaltStrikeScan. For this to\r\noccur, ensure that the \"Active Solution Platform\" is set to x64 when building.\r\nAcknowledgements\r\nThis project is inspired by the following research / articles:\r\nSpecterOps - Defenders Think in Graphs Too\r\nJPCert - Volatility Plugin for Detecting Cobalt Strike\r\nSentinelLabs - The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration\r\nNeo23x0's Signature Base for high-quality YARA signatures used to detect Cobalt Strike's encoded\r\nconfiguration block.\r\nRequirements\r\n64-bit Windows OS\r\n.NET Framework 4.6\r\nhttps://github.com/Apr4h/CobaltStrikeScan\r\nPage 1 of 3\n\nAdministrator or SeDebugPrivilege is required to scan process memory for injected threads\r\nUsage\r\n -d, --directory-scan Scan all process/memory dump files in a directory for Cobalt Strike beacons\r\n -f, --scan-file Scan a process/memory dump for Cobalt Strike beacons\r\n -i, --injected-threads Scan running (64-bit) processes for injected threads and Cobalt Strike beacons\r\n -p, --scan-processes Scan running processes for Cobalt Strike beacons\r\n -v, --verbose Write verbose output\r\n -w, --write-process-memory Write process memory to file when injected threads are detected\r\n -h, --help Display Help Message\r\n --help Display this help screen.\r\n --version Display version information.\r\nExample\r\nSource: https://github.com/Apr4h/CobaltStrikeScan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/Apr4h/CobaltStrikeScan"
	],
	"report_names": [
		"CobaltStrikeScan"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a81c173197ec589de8a8beada4932f335ea4a884.pdf",
		"text": "https://archive.orkl.eu/a81c173197ec589de8a8beada4932f335ea4a884.txt",
		"img": "https://archive.orkl.eu/a81c173197ec589de8a8beada4932f335ea4a884.jpg"
	}
}