Does not work on stageless dll beacons

[CyberKaizen]

Just as I've stated above, we are getting and observing new dlls and this script no longer works.

[Kristal-g]

Hi, I can't do much without a sample or some debug info. Can you provide one of these?

[drb-ra]

Seeing some issues too with cases like this https://www.virustotal.com/gui/file/18a5324220f5f102a20006f58d0dd780614f84ab7a1cc5a08021bf90851ceda4/detection the issue seems to be the size of some fields as doubled, namely UserAgent, Get/PostMetaData

Possible fix below:

        data_offset = full_config_data.find(self.binary_repr())
        if data_offset < 0:
            self.length = self.length << 1
            data_offset = full_config_data.find(self.binary_repr())
            if data_offset < 0:
                return 'Not Found'

[CyberKaizen]

Yes, I can provide a sample.

…

________________________________ From: Kristal-g ***@***.***> Sent: Thursday, March 4, 2021 2:03:08 AM To: Sentinel-One/CobaltStrikeParser ***@***.***> Cc: CyberKaizen ***@***.***>; Author ***@***.***> Subject: Re: [Sentinel-One/CobaltStrikeParser] Does not work on stageless dll beacons (#4) Hi, I can't do much without a sample or some debug info. Can you provide one of these? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#4 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASUBLVZJS6NZ66Q3FAJT6C3TB45DZANCNFSM4YSWM76Q>.

[CyberKaizen]

Before when I uploaded it only 4 out of all the AV were able to detect this, but none saw this as Cobalt Strike. None of the open source yara rules the we had use or Cobalt Strike parser projects were able to process or detect it at the time https://www.virustotal.com/gui/file/4f3db89d47b7e68b45abffc7fea084cc85c87fbd72785884642fe04885c960c3/detection

…

________________________________ From: Mogle Kupo ***@***.***> Sent: Friday, March 12, 2021 11:16:46 AM To: Sentinel-One/CobaltStrikeParser ***@***.***>; Sentinel-One/CobaltStrikeParser ***@***.***> Cc: Author ***@***.***> Subject: Re: [Sentinel-One/CobaltStrikeParser] Does not work on stageless dll beacons (#4) Yes, I can provide a sample.

________________________________ From: Kristal-g ***@***.***> Sent: Thursday, March 4, 2021 2:03:08 AM To: Sentinel-One/CobaltStrikeParser ***@***.***> Cc: CyberKaizen ***@***.***>; Author ***@***.***> Subject: Re: [Sentinel-One/CobaltStrikeParser] Does not work on stageless dll beacons (#4) Hi, I can't do much without a sample or some debug info. Can you provide one of these? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#4 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASUBLVZJS6NZ66Q3FAJT6C3TB45DZANCNFSM4YSWM76Q>.

[drb-ra]

Before when I uploaded it only 4 out of all the AV were able to detect this, but none saw this as Cobalt Strike. None of the open source yara rules the we had use or Cobalt Strike parser projects were able to process or detect it at the time https://www.virustotal.com/gui/file/4f3db89d47b7e68b45abffc7fea084cc85c87fbd72785884642fe04885c960c3/detection
…

Looking at the sample our issues are different. @Kristal-g please let me know if you want me to create a separate issue, or if you just rather take the details and fix from this one.