Closed vinhduong closed 3 years ago
I'm going to test the tool on a 64-bit Server 2008 VM to see if I can recreate the issue. It would be helpful to know what version of the .NET Framework you have installed on your server.
After doing some testing, I'll definitely need more information to be able to help you here. I installed .NET Framework version 4.6 (this is a stated requirement for CobaltStrikeScan) on a freshly installed Windows Server 2008 64-bit machine, then ran the exact same command with no errors, as per the screenshot below. I also used New-InjectedThread.ps1 to test that the tool runs successfully if it does detect injection.
Next step definitely seems to be checking what version of the .NET framework you have installed...
I used .NET Framework 4.7 on Windows Server 2008 64-bit. Could you please help me to solve this problem?
I'm still unable to recreate the error you're seeing after installing .NET Framework version 4.7. It still detects injected threads just fine from an elevated PowerShell or cmd prompt with the same command-line options as you. Are you using the most current release of CobaltStrikeScan? Did you download it and compile it yourself? If so, did you modify any of the code?
I've downloaded https://github.com/Apr4h/CobaltStrikeScan/releases/download/1.0.1/CobaltStrikeScan.zip. I ran CobaltStrikeScan.exe on a VM that has the artifacts of Cobalt Strike. But I got the result in the attached picture.
Could you please help me understand this problem? Was the result I got wrong? Thank you for supporting me.
It looks like CobaltStrikeScan is working properly from your screenshot. The tool works by detecting the reflective injection method (OFTEN BUT NOT ALWAYS) used to load the Cobalt Strike beacon into memory before YARA scanning that process' memory for beacon signatures. If the beacon was run from a stageless executable, or for whatever reason, classic / reflective process injection did not occur, CobaltStrikeScan will not detect it in memory.
I might eventually add an option to run the YARA scan against ALL process memory instead of just those with process injection, but currently the tool does not do that.
If you know the process under which the Beacon is running, you could dump all memory associated with that process, then use CobaltStrikeScan's -f option on the memory dump to scan for the Beacon and parse its config. Using procdump from Sysinternals, this would look like: procdump -ma <PID>
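The procedure above (procdump -ma, then CobaltStrikeScan -f on the dump) automated over a set of processes, so that a Beacon running without a detectable injected thread still gets YARA-scanned. This is an added example written for this thread, not code from CobaltStrikeScan or its author. It assumes procdump.exe and CobaltStrikeScan.exe exist at the paths given in the parameters (adjust them), that the script is run from an elevated PowerShell prompt as the maintainer recommends, and that the -f option accepts a full path to the minidump, as stated in the reply above; the dump naming scheme and the per-dump .txt report file are this example's own conventions. Protected or short-lived processes that procdump cannot dump are recorded as failures instead of aborting the sweep.

```powershell
# Added example (not part of CobaltStrikeScan or of the original issue):
# dump every process (or only the PIDs given) with procdump -ma and run
# CobaltStrikeScan.exe -f against each dump, keeping the raw report per dump.
# Assumptions: tool paths below, elevated prompt, and -f taking a dump path.
param(
    [string]$ProcDump = 'C:\Tools\procdump.exe',        # assumed path
    [string]$Scanner  = 'C:\Tools\CobaltStrikeScan.exe', # assumed path
    [string]$DumpDir  = 'C:\Dumps',
    [int[]]$ProcessId,                                   # optional PID filter
    [switch]$KeepDumps                                   # -ma dumps are large; deleted unless set
)

New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null

# Never dump the scanning shell itself ($PID is PowerShell's own process id).
$procs = Get-Process | Where-Object { $_.Id -ne $PID }
if ($ProcessId) { $procs = $procs | Where-Object { $ProcessId -contains $_.Id } }

$results = foreach ($p in $procs) {
    # Example naming convention: <name>_<pid>.dmp inside $DumpDir.
    $dump = Join-Path $DumpDir ('{0}_{1}.dmp' -f $p.ProcessName, $p.Id)

    # Full memory dump, exactly as in the thread: procdump -ma <PID>, with the
    # output file given as the last argument. -accepteula avoids the EULA prompt.
    & $ProcDump -accepteula -ma $p.Id $dump | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $dump)) {
        # Protected/system processes or ones that exited mid-dump; report and move on.
        [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Status = 'dump failed'; Report = $null }
        continue
    }

    # Scan the dump with the -f option and keep the tool's stdout beside it for
    # manual review; the report format itself is not parsed here.
    $report = [System.IO.Path]::ChangeExtension($dump, '.txt')
    & $Scanner -f $dump | Out-File -FilePath $report -Encoding utf8
    if (-not $KeepDumps) { Remove-Item $dump -Force }

    [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Status = 'scanned'; Report = $report }
}

$results | Format-Table -AutoSize
```

Run it as a whole-system sweep with no arguments, or restrict it to suspects with -ProcessId 1234,5678; -KeepDumps preserves the .dmp files for follow-up with other tooling. Because -ma writes the complete address space of each process, make sure $DumpDir has room before sweeping everything.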
I've just used procdump and the CobaltStrikeScan -f option to get the right result. You can see it in the attached picture. I hope the next version of CobaltStrikeScan can scan ALL processes. Thank you for your support.
Please help me, I ran this tool on my server, but it failed. You can see the attached pictures.