Lib.rs

Configuration
#beacon #parser #cobalt-strike

bin+lib sigstrike

Cobalt Strike beacon crawler and parser

by Artem Golubin

5 releases

Uses new Rust 2024

0.1.4 Jul 9, 2025
0.1.3 Jun 26, 2025
0.1.2 Jun 22, 2025
0.1.1 Jun 15, 2025
0.1.0 Jun 14, 2025

#342 in Configuration

Download history 2/week @ 2025-10-15 8/week @ 2025-10-22

296 downloads per month

MIT license

1MB
2K SLoC

SigStrike

A fast Cobalt Strike beacon parser. Parses 1000 beacon under 1 second. Can crawl 1M of potential beacon URLs in under 10 minutes.

Parsing logic in based on dissect.cobaltstrike Python library. The library tries to match the output of dissect.cobaltstrike so it can be used as a drop-in replacement.

You can read my blog post about it here.

Installation

Rust CLI using Cargo

cargo install sigstrike

Using Python and pip

Requires Python 3.9+.

pip install sigstrike

Usage

sigstrike --help

Scanning local files

Parsing a single file

sigstrike process --input-path beacon.bin --output-path beacon.json

Parsing multiple files in a directory

sigstrike process --input-path /path/to/beacons/ --output-path beacons.json

Scanning URLs

sigstrike crawl --input-path urls.txt --output-path beacons.json   --max-concurrent 1000

Using with Python

Extracting beacon data

>> > import sigstrike, pprint, json
>> > data = open("/Users/aa/Downloads/cb.bin", mode="rb").read()
>> > pprint.pprint(json.loads(sigstrike.extract_beacon(data)), indent=2)
{'encrypted': True,
 'guardrail_key': None,
 'guardrailed': False,
 'input_hash': '060e4e8b0226e0bd37745c90c18694b89aec54efee6ccbd7c82a136811d7d66d',
 'items': {'SETTING_BOF_ALLOCATOR': 'VirtualAlloc',
           'SETTING_C2_CHUNK_POST': 0,
           'SETTING_C2_POSTREQ': [['_HEADER',
                                   'Content-Type: '
                                   'application/octet-stream'],
                                  ['BUILD', 'id'],
                                  ['PARAMETER', 'id'],
                                  ['BUILD', 'output'],
                                  ['PRINT', True]],
           'SETTING_C2_RECOVER': [['print', True]],
           'SETTING_C2_REQUEST': [['BUILD', 'metadata'],
                                  ['BASE64', True],
                                  ['HEADER', 'Cookie']],
           'SETTING_C2_VERB_GET': 'GET',
           'SETTING_C2_VERB_POST': 'POST',
           'SETTING_CFG_CAUTION': 0,
           'SETTING_CLEANUP': 0,
           'SETTING_CRYPTO_SCHEME': 0,
           'SETTING_DOMAINS': '....,/ca',
           'SETTING_DOMAIN_STRATEGY': 0,
           'SETTING_DOMAIN_STRATEGY_FAIL_SECONDS': 4294967295,
           'SETTING_DOMAIN_STRATEGY_FAIL_X': 4294967295,
           'SETTING_DOMAIN_STRATEGY_SECONDS': 4294967295,
           'SETTING_EXIT_FUNK': 0,
           'SETTING_GARGLE_NOOK': 0,
           'SETTING_HOST_HEADER': '',
           'SETTING_HTTP_NO_COOKIES': 1,
           'SETTING_JITTER': 0,
           'SETTING_KILLDATE': 0,
           'SETTING_MAXGET': 1048576,
           'SETTING_MAX_RETRY_STRATEGY_ATTEMPTS': 0,
           'SETTING_MAX_RETRY_STRATEGY_DURATION': 0,
           'SETTING_MAX_RETRY_STRATEGY_INCREASE': 0,
           'SETTING_PORT': 5566,
           'SETTING_PROCINJ_ALLOCATOR': 0,
           'SETTING_PROCINJ_BOF_REUSE_MEM': 1,
           'SETTING_PROCINJ_EXECUTE': ['CreateThread',
                                       'SetThreadContext',
                                       'CreateRemoteThread',
                                       'RtlCreateUserThread'],
           'SETTING_PROCINJ_MINALLOC': 0,
           'SETTING_PROCINJ_PERMS': 64,
           'SETTING_PROCINJ_PERMS_I': 64,
           'SETTING_PROCINJ_STUB': 'b50b86d7...4ad8d01781c',
           'SETTING_PROCINJ_TRANSFORM_X64': [['append', ''], ['prepend', '']],
           'SETTING_PROCINJ_TRANSFORM_X86': [['append', ''], ['prepend', '']],
           'SETTING_PROTOCOL': ['HTTP'],
           'SETTING_PROXY_BEHAVIOR': 2,
           'SETTING_PUBKEY': '51a8d41b43f9....9f9bae3fb9b82c43e40e7289',
           'SETTING_SLEEPTIME': 60000,
           'SETTING_SMB_FRAME_HEADER': '',
           'SETTING_SPAWNTO': 'd7a9ca15a07f8....b63020da38aa16',
           'SETTING_SPAWNTO_X64': '%windir%\\sysnative\\rundll32.exe',
           'SETTING_SPAWNTO_X86': '%windir%\\syswow64\\rundll32.exe',
           'SETTING_SUBMITURI': '/submit.php',
           'SETTING_TCP_FRAME_HEADER': '',
           'SETTING_USERAGENT': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows '
                                'NT 6.1; Trident/5.0; BOIE9;ENIN)',
           'SETTING_WATERMARK': ....,
           'SETTING_WATERMARKHASH': 'idv...PjBw=='},
 'xor_key': 46}

Crawling URLs using Python

>> import sigstrike

>> sigstrike.crawl(
    input_path="urls.txt",
    output_path="beacons.json",
    max_concurrent=1000,
    max_retries=3,
    timeout=10
)

Parsing Speed

Processing 1000 beacons takes around 1 second.

[2025-06-14T21:57:40Z INFO  sigstrike::io] Total files found: 614
[2025-06-14T21:56:41Z INFO  sigstrike::cli] Total execution time: 428.313792ms

Crawling Speed

sigstrike crawl --input-path 404_sample.txt --output-path output.json --max-concurrent 8000

Crawl Summary:
  Total URLs processed: 244332
  Found: 337
  Failed: 243995
  Non-matching content type/status: 157100
  Unreachable: 86895
Total execution time: 85.333871001s

Dependencies

~15–33MB
~486K SLoC