Invalid URL under C2Server

Open CrimsonGlory opened this issue 4 years ago • 1 comments

In the CAPE report, inside CAPE.configs, in a CobaltStrike sample, I found the following value under "C2Server": 185.150.119.33,/pixel

There is a "," (comma) between the IP and the path which renders the URL invalid. Is this on purpose or is this a bug?

The sample hash is 1b9309cc3159a8dc44bcde02642e559b65d1065f

CrimsonGlory, Mar 22 '21 19:03

This comma is in the CS config data so not a bug - the parser just displays it as is. The original parser is from: https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py

Unfortunately this is the wrong (dead) repo so I can't close this issue

kevoreilly, Mar 22 '21 21:03
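Added example, not part of the thread and not CAPE's or the parser's own code: one way for an analyst to turn the raw `C2Server` value into usable indicators. It assumes the field is a comma-separated list of alternating host and URI entries (the report above shows one such pair); the function names are hypothetical, and the scheme and port are caller-supplied assumptions because they are not part of this field.

```python
def split_c2server(value):
    """Split a raw 'C2Server' string into (host, uri) pairs.

    Assumption: entries alternate host, uri, host, uri, ... separated by
    commas, with every URI starting with '/'.
    """
    tokens = [t.strip() for t in value.split(",")]
    tokens = [t for t in tokens if t]
    if len(tokens) % 2:
        raise ValueError("expected host,uri pairs, got %d field(s)" % len(tokens))
    pairs = []
    for host, uri in zip(tokens[0::2], tokens[1::2]):
        # Reject values that do not fit the assumed layout instead of guessing.
        if host.startswith("/") or not uri.startswith("/"):
            raise ValueError("unexpected pair: %r, %r" % (host, uri))
        pairs.append((host, uri))
    return pairs


def c2_urls(value, scheme="http", port=None):
    """Build indicator URLs from a raw 'C2Server' string.

    scheme and port are assumptions supplied by the caller; take them from
    the other fields of the extracted config rather than the defaults here.
    """
    urls = []
    for host, uri in split_c2server(value):
        netloc = host if port is None else "%s:%d" % (host, port)
        urls.append("%s://%s%s" % (scheme, netloc, uri))
    return urls


if __name__ == "__main__":
    # Value quoted in the issue above.
    print(split_c2server("185.150.119.33,/pixel"))
    # Constructed multi-entry value, not taken from any real sample.
    print(c2_urls("c2-a.example,/a,c2-b.example,/b", scheme="https", port=443))
```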