Status: closed (MariasStory closed this issue 3 years ago)

MariasStory (original issue):
Is your feature request related to a problem? Please describe.
Would be nice to be able to scan memory dump.
Describe the solution you'd like
Scan memory dump and get offset and configuration
Describe alternatives you've considered
https://github.com/JPCERTCC/aa-tools

Maintainer (CobaltStrikeScan author):
Originally, I intended the -f option as a way of scanning small process/crash dumps, so I haven't tested something as big as a memory image. I'll do some testing and get back to you. Feel free to try this yourself, also - I'd be interested to hear how you go if you do.
An alternative solution to your question could be the Volatility Framework. The Malfind plugin should detect process injection the same way as CobaltStrikeScan - and there's also a Cobalt Strike plugin for Volatility that uses the Malfind plugin. At the moment I think it only includes Beacon v3 signatures, but it was the initial inspiration for my tool.

MariasStory:
Thanks for the interesting/cool solution.

Maintainer (CobaltStrikeScan author):
You're welcome, thanks for the question!

Maintainer (CobaltStrikeScan author):
Hey @MariasStory, if you're still interested, the new release of CobaltStrikeScan now supports scanning large files such as memory dumps. It unfortunately won't provide any process-related information, but it will do a scan of the raw memory for beacons and output them.
https://github.com/Apr4h/CobaltStrikeScan/releases/tag/1.1.1
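An added example, not CobaltStrikeScan's own code, of the raw-memory scan discussed in this thread: search a dump for the XOR-encoded Beacon configuration header and decode the records at each hit, reporting offset and configuration as the request asks. The layout it assumes (single-byte XOR key 0x69 for v3 and 0x2e for v4, a first record of 00 01 00 01 00 02, TLV records with big-endian 16-bit index/type/length, and the partial index-to-name map) is publicly documented Beacon config knowledge rather than anything stated in the thread, and the sample dump is constructed for the demo.

```python
import struct

XOR_KEYS = {3: 0x69, 4: 0x2E}   # beacon major version -> single-byte XOR key
# The first record (index 1, type short, length 2) is the header that the
# scanner looks for; FIELD_NAMES is a partial index->name map (assumed).
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 8: "C2Server"}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def parse_config(decoded: bytes) -> dict:
    """Walk TLV records (BE u16 index, type, length) until index 0 or EOF."""
    fields, pos = {}, 0
    while pos + 6 <= len(decoded):
        idx, typ, ln = struct.unpack(">HHH", decoded[pos:pos + 6])
        pos += 6
        if idx == 0:                     # terminator record
            break
        data = decoded[pos:pos + ln]
        pos += ln
        if typ == 1 and ln >= 2:         # short
            value = struct.unpack(">H", data[:2])[0]
        elif typ == 2 and ln >= 4:       # int
            value = struct.unpack(">I", data[:4])[0]
        else:                            # bytes / NUL-padded string
            value = data.rstrip(b"\x00").decode("latin-1")
        fields[FIELD_NAMES.get(idx, f"field_{idx}")] = value
    return fields

def scan_dump(image: bytes, max_config: int = 4096) -> list:
    """Return [(offset, version, fields)] for each candidate config block."""
    hits = []
    for version, key in XOR_KEYS.items():
        needle = xor_bytes(CONFIG_MAGIC, key)   # header as it appears encoded
        off = image.find(needle)
        while off != -1:
            decoded = xor_bytes(image[off:off + max_config], key)
            hits.append((off, version, parse_config(decoded)))
            off = image.find(needle, off + 1)
    return hits

def build_sample_dump() -> bytes:
    """Constructed test input: a v4-style config buried in filler bytes."""
    rec = lambda i, t, d: struct.pack(">HHH", i, t, len(d)) + d
    cfg = (rec(1, 1, struct.pack(">H", 8)) + rec(2, 1, struct.pack(">H", 443))
           + rec(3, 2, struct.pack(">I", 60000))
           + rec(8, 3, b"c2.example.invalid,/submit.php".ljust(256, b"\x00"))
           + rec(0, 0, b""))
    return b"\x90" * 500 + xor_bytes(cfg, XOR_KEYS[4]) + b"\x00" * 200
```

Running `scan_dump(build_sample_dump())` reports one hit at offset 500 with the decoded BeaconType, Port, SleepTime and C2Server fields; on a real image, read the file in overlapping chunks rather than loading it whole.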