From 6aefe949eb2b4f6d8fa3a1507234878804f59c0b Mon Sep 17 00:00:00 2001
From: Yun Zheng Hu
Date: Mon, 14 Oct 2024 14:12:41 +0200
Subject: [PATCH] Add version detection for Cobalt Strike 4.9 and 4.10 (#66)

---
 dissect/cobaltstrike/version.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/dissect/cobaltstrike/version.py b/dissect/cobaltstrike/version.py
index bab8a56..32c0966 100644
--- a/dissect/cobaltstrike/version.py
+++ b/dissect/cobaltstrike/version.py
@@ -32,6 +32,8 @@
     70: "Cobalt Strike 4.3 (Mar 03, 2021)",
     73: "Cobalt Strike 4.5 (Dec 14, 2021)",
     74: "Cobalt Strike 4.7 (Aug 17, 2022)",
+    76: "Cobalt Strike 4.9 (Sep 19, 2023)",
+    78: "Cobalt Strike 4.10 (Jul 16, 2024)",
 }
 """ Max setting enum to Cobalt Strike version mapping """
 
@@ -77,6 +79,12 @@
     0x63EE0552: "Cobalt Strike 4.8 (Feb 28, 2023)",
     0x63EE056C: "Cobalt Strike 4.8 (Feb 28, 2023)",
     0x63EE0587: "Cobalt Strike 4.8 (Feb 28, 2023)",
+    0x64F88C5E: "Cobalt Strike 4.9 (Sep 19, 2023)",
+    0x64F88C9E: "Cobalt Strike 4.9 (Sep 19, 2023)",
+    0x64F88CDE: "Cobalt Strike 4.9 (Sep 19, 2023)",
+    0x6691500F: "Cobalt Strike 4.10 (Jul 16, 2024)",
+    0x66915020: "Cobalt Strike 4.10 (Jul 16, 2024)",
+    0x66915022: "Cobalt Strike 4.10 (Jul 16, 2024)",
 }
 """ PE export timestamp to Cobalt Strike version mapping """
 
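Review bot: The trailing docstring of this table gives a reader no way to tell what the key means or how exact a match is meant to be, and the dict's opening line (and its name) sits before the hunk. The visible keys skip 71, 72, 75 and 77 and name no 4.4, 4.6 or 4.8, presumably because those releases added no new setting and share the preceding release's maximum, so a hit can only name the earliest release with that maximum and a miss (a modified or leaked build that strips or adds settings) should read as "unknown" rather than "not Cobalt Strike" — confirm against the lookup code, which is outside this hunk. The date in each label is also the public release date, not anything derived from the key. I'd widen the docstring to `""" Max setting enum to Cobalt Strike version mapping. Keyed on the highest setting id observed in the beacon config; a value is the earliest release known to use it (releases that added no settings share a key), so treat it as a lower bound. Dates are public release dates. """`.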
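Review bot: An exact-match table on a PE export timestamp is the weakest fingerprint here, since that field is attacker-controlled (stomped, zeroed or randomized by packers, trivially rewritten in a modified build), and nothing in the hunk records that a miss must fall through to the max-setting heuristic rather than be reported as a verdict; the lookup is outside this hunk, so confirm it does. The three timestamps per release are presumably the separate beacon artifacts of one build (the 4.10 values are 17 and 2 seconds apart, the 4.9 values 64 seconds apart), and the date in each label is the public release date rather than the timestamp's own date (0x64F88C5E decodes to 2023-09-06 UTC, 0x6691500F to 2024-07-12 UTC), which the docstring should say so nobody "corrects" either. I'd extend the trailing docstring to `""" PE export timestamp to Cobalt Strike version mapping. Exact match on the export TimeDateStamp of official beacon builds (one entry per artifact of a release); the field is attacker-controlled, so a miss means unknown, not non-Cobalt-Strike. Dates are public release dates. """`.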