Cobalt Strike beacon config parser. Rust rewrite of Sentinel-One/CobaltStrikeParser.
Extracts beacon settings from PE files, memory dumps, shellcode, and live C2 URLs.
```shell
slickaf parse beacon.dll
slickaf scan memory.dmp
slickaf fetch http://10.0.0.1
```
Outputs C2 servers, sleep/jitter, watermarks, public keys, malleable C2 profiles, process injection config, DNS settings, kill dates — 60+ settings total.
```shell
cargo install slickaf
```
Single static binary. No Python, no OpenSSL, no runtime dependencies.
```shell
slickaf parse beacon.bin                 # PE, DLL, shellcode — figures out the format
slickaf parse beacon.bin --json          # structured output
slickaf parse beacon.bin --format toon   # token-optimized for LLMs
slickaf scan memory.dmp                  # SIMD pattern scan
slickaf fetch http://10.0.0.1 --arch x64 # live C2
```
Beacon configs are XOR-encoded TLV blobs in PE `.data` sections or raw memory.

- PE files — parse with goblin, find `.data`, detect the XOR key by byte-frequency analysis (spectral fallback for small sections), decrypt, extract TLV settings.
- Memory dumps — Aho-Corasick multi-pattern scan for CS3/CS4 headers. Each hit is scored by spectral analysis to rank real configs above false positives.
- Shellcode — find the `\xff\xff\xff` marker, extract the XOR key, rolling DWORD decode.
- Live C2 — GET `/ab2g` (x86) or `/ab2h` (x64), decrypt the stager response.
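As an added illustration (not slickaf's own code), the two core steps above, single-byte XOR key recovery by frequency analysis and the TLV walk, applied to a constructed config blob in Rust. The record layout (big-endian index, type, length, value) and the setting indices follow the publicly documented beacon config format; the sample values, the `example.invalid` host and the 0x2e key are constructed for the demo.

```rust
// Added example, not part of slickaf: XOR key recovery + TLV walk over a constructed blob.
use std::collections::HashMap;

/// One decoded setting: index, type (1 = short, 2 = int, 3 = data), raw value bytes.
#[derive(Debug, PartialEq)]
pub struct Setting { pub index: u16, pub kind: u16, pub value: Vec<u8> }

/// Guess the single-byte XOR key: a beacon config is mostly zero padding, so the
/// most frequent ciphertext byte is (0x00 ^ key) == key. Ties resolve to the lowest byte.
pub fn guess_xor_key(data: &[u8]) -> u8 {
    let mut counts: HashMap<u8, usize> = HashMap::new();
    for &b in data { *counts.entry(b).or_insert(0) += 1; }
    counts.into_iter()
        .max_by_key(|&(b, c)| (c, std::cmp::Reverse(b)))
        .map(|(b, _)| b)
        .unwrap_or(0)
}

/// Walk big-endian TLV records (index u16, type u16, length u16, value) until index 0
/// (the zero-padding tail) or a record that would run past the end of the buffer.
pub fn parse_tlv(plain: &[u8]) -> Vec<Setting> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos + 6 <= plain.len() {
        let u16at = |i: usize| u16::from_be_bytes([plain[i], plain[i + 1]]);
        let (index, kind, len) = (u16at(pos), u16at(pos + 2), u16at(pos + 4) as usize);
        if index == 0 || pos + 6 + len > plain.len() { break; } // end marker or truncated record
        out.push(Setting { index, kind, value: plain[pos + 6..pos + 6 + len].to_vec() });
        pos += 6 + len;
    }
    out
}

/// Recover the key, decrypt, and parse. Returns (key, settings).
pub fn decode_config(blob: &[u8]) -> (u8, Vec<Setting>) {
    let key = guess_xor_key(blob);
    let plain: Vec<u8> = blob.iter().map(|b| b ^ key).collect();
    (key, parse_tlv(&plain))
}

/// Constructed sample: setting 1 (beacon type, short) = 0, setting 3 (sleep ms, int) = 60000,
/// setting 8 (C2 host, data) = "example.invalid", zero-padded to 128 bytes, XORed with 0x2e.
pub fn sample_blob() -> Vec<u8> {
    let mut p = Vec::new();
    p.extend_from_slice(&[0, 1, 0, 1, 0, 2, 0, 0]);
    p.extend_from_slice(&[0, 3, 0, 2, 0, 4]);
    p.extend_from_slice(&60000u32.to_be_bytes());
    let host = b"example.invalid";
    p.extend_from_slice(&[0, 8, 0, 3, 0, host.len() as u8]);
    p.extend_from_slice(host);
    p.resize(128, 0);
    p.iter().map(|b| b ^ 0x2e).collect()
}
```

Real samples carry the remaining settings (port, jitter, public key, malleable profile data) in the same record shape, so the walk above is the same; only the settings table that names each index grows.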
```shell
cargo test
```
268 tests across 5 suites. 6 real beacon samples. 20 configs from Fox-IT's beacon dataset. Property-based fuzzing. Adversarial chaos tests.
MIT