v1.0.0

@yunzheng yunzheng released this 28 Oct 16:04

This release mainly introduces support for parsing and decrypting Cobalt Strike C2 traffic from PCAP files, and also adds Beacon Client support, which lets you connect to a Cobalt Strike Team Server, receive tasks and send back data like a real Beacon.

See also these new tutorials on how to use it:

Many thanks to @sud0woodo for laying the groundwork for these features!

What's Changed

  • Add new properties to BeaconConfig: public_key, port, jitter, sleeptime, submit_uri #22 #25
  • Add netbios_encode and netbios_decode functions to utils.py #23
  • Add PE export stamps for Cobalt Strike 4.7 and 4.7.1 #24
  • Add support for beacon client and decrypting traffic from PCAP files #25
  • Move scripts/artifact.py to its own beacon-artifact CLI tool #37
  • Removed support for Python 3.6 (mainly due to some dependencies not supporting it anymore) #30
  • Introduced new pip extras flavours to setup.py #25
    • dissect.cobaltstrike[c2] - if you want to communicate with Cobalt Strike Team Servers
    • dissect.cobaltstrike[pcap] - if you want to parse and decrypt PCAPs containing Beacon traffic
    • dissect.cobaltstrike[full] - all of the above, and also installs rich for prettier log output
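The NetBIOS transform behind the new netbios_encode/netbios_decode helpers, as an added stand-alone example written for these notes (not the library's own code; the function names and signatures here are this example's own): each byte becomes two letters, one per nibble, drawn from the a-p alphabet, or A-P for the uppercase variant, and the decoder rejects input that is not well-formed so it fails loudly on captured data that was not NetBIOS-encoded.

```python
# Added example: stand-alone NetBIOS-style encode/decode as used by Cobalt Strike's
# "netbios" (lowercase) and "netbiosu" (uppercase) data transforms.
# Function names are this example's own, not the dissect.cobaltstrike API.


def nb_encode(data: bytes, upper: bool = False) -> str:
    """Encode bytes as letters: high nibble then low nibble, each mapped
    onto 'a'..'p' (or 'A'..'P' when upper=True)."""
    base = ord("A") if upper else ord("a")
    out = []
    for b in data:
        out.append(chr(base + (b >> 4)))   # high nibble -> first letter
        out.append(chr(base + (b & 0x0F)))  # low nibble  -> second letter
    return "".join(out)


def nb_decode(text: str) -> bytes:
    """Reverse of nb_encode. Accepts either case (even mixed) and raises
    ValueError on odd length or on any character outside a-p / A-P."""
    if len(text) % 2:
        raise ValueError("NetBIOS-encoded data must have an even length")
    out = bytearray()
    for hi, lo in zip(text[::2], text[1::2]):
        nibbles = []
        for ch in (hi, lo):
            base = ord("A") if ch.isupper() else ord("a")
            n = ord(ch) - base
            if not ch.isalpha() or not 0 <= n <= 15:
                raise ValueError(f"invalid NetBIOS character {ch!r}")
            nibbles.append(n)
        out.append((nibbles[0] << 4) | nibbles[1])
    return bytes(out)


def round_trips(data: bytes) -> bool:
    """Helper used to sanity-check both variants on arbitrary input."""
    return nb_decode(nb_encode(data)) == data and nb_decode(nb_encode(data, upper=True)) == data
```

Constructed input such as `b"\x12\xff"` encodes to `"bcpp"`; a label like `"zz"` is rejected because `z` lies outside the 16-letter alphabet.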

Documentation

  • Updated README.rst with screenshots and text for C2 and PCAP support #39
  • Get rid of docs/requirements.txt and use pip method for building readthedocs #28 #29
  • Added tutorials:
  • Added scripts/*.py to their own scripts section in the documentation.
  • Added new CLI tool documentation:
    • beacon-artifact for dumping beacons created with ArtifactKit
    • beacon-client for connecting to a Cobalt Strike Team Server as a beacon client
    • beacon-pcap for parsing and decrypting Cobalt Strike C2 traffic in PCAP files

Full Changelog: v0.2.2...v1.0.0