Quick usage:
python3 gimmelogs.py -p ./ -o ./
Recommended usage:
python3 gimmelogs.py -w 16 -m -p ./ -o ./ -e exclude.txt
- Download the CobaltStrike "logs" folder to disk and specify this folder as -p PATH.
- For cleaner reports, pass -m; it drops the noise entries listed under --minimize (keylogs, beaconbot, sleep, exit, clear) so the report only shows deliberate operator actions.
- If you test your own payloads during the engagement, put the tester IP ranges (one per line) in a file and pass it via -e so those beacons do not pollute the report.
- Specify the -o PATH to generate the reports
Parse CobaltStrike logs and store them in a DB to create reports
optional arguments:
-h, --help show this help message and exit
-w WORKER, --worker WORKER Set amount of workers: default=10
-v, --verbose Activate debugging
-p PATH, --path PATH Directory path to start from generating the DB
-d DATABASE, --database DATABASE Database path: default=./results/log.db
-o OUTPUT, --output OUTPUT Output path for CSV
-m, --minimize Remove unnecessary data: keylogs,beaconbot,sleep,exit,clear
-e EXCLUDE, --exclude EXCLUDE A file with one IP-Range per line which should be ignored
- Report for input and tasks being issued via CobaltStrike
- Contains INPUT (operator input) and TASK (cna + response from input)
- Report for downloaded and uploaded files
- Contains download.log, INDICATOR (hash and filename) and entries containing the following keyphrases:
- Uploading beaconloader:
- Uploading payload file:
- Tasked beacon to upload
- Not really pretty right now 🤷♂️
- Report of valid beacons, i.e. beacons that have both of the following fields set:
- Beacon.hostname
- Beacon.joined
- Only beacons with input or tasks are listed, so the report focuses on actual operator actions rather than a complete picture. As a result, beacons that were merely spawned by persistence and never used are ignored.
- Beacons that were never used (no metadata), and therefore end up under the unknown folder, are ignored.
- Beacons without an associated ID, which usually result from broken .cna scripts, are ignored.
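The filtering rules above (metadata required, input or tasks required, -m noise removal, -e IP-range exclusion, and the upload keyphrases that feed the file report) condensed into a small, runnable reference implementation. This is an added example, not gimmelogs' own code: the sample beacon log is constructed, and the `[metadata]`/`[input]`/`[task]`/`[indicator]` line shapes, the `beaconbot` operator name and the way sleep/exit tasks are recognised are assumptions about the Cobalt Strike log layout, not something the page states.

```python
"""Reference implementation of the beacon-log filtering described on this page.

Added example, not part of gimmelogs.  SAMPLE_LOG is constructed; the line
shapes below follow the common Cobalt Strike beacon_<id>.log layout but are
assumptions, as is the "beaconbot" operator name used for scripted tasks.
"""
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+) \[(?P<kind>\w+)\] (?P<body>.*)$"
)

# -m / --minimize: the noise classes the page lists.  Commands are matched on
# the first token of an [input] line; tasks by their "Tasked beacon to ..." text.
NOISE_COMMANDS = {"sleep", "exit", "clear"}
NOISE_OPERATORS = {"beaconbot"}  # assumption: operator name of scripted tasks
NOISE_TASK_PREFIXES = ("Tasked beacon to sleep", "Tasked beacon to exit")

# Keyphrases the page lists for the download/upload report.
UPLOAD_KEYPHRASES = (
    "Uploading beaconloader:",
    "Uploading payload file:",
    "Tasked beacon to upload",
)

# Constructed sample log for one beacon (what a beacon_<id>.log might hold).
SAMPLE_LOG = """\
08/11 14:02:10 UTC [metadata] 203.0.113.7 <- 10.0.0.5; computer: WS01; user: alice; process: rundll32.exe; pid: 4120; os: Windows; version: 10.0; build: 19044; beacon arch: x64
08/11 14:02:13 UTC [input] <neo> sleep 5
08/11 14:02:13 UTC [task] <T1029> Tasked beacon to sleep for 5s
08/11 14:02:20 UTC [input] <neo> shell whoami
08/11 14:02:20 UTC [task] <T1059> Tasked beacon to run: whoami
08/11 14:03:01 UTC [input] <neo> upload /tmp/tool.exe
08/11 14:03:01 UTC [task] <T1105> Tasked beacon to upload C:\\Windows\\Temp\\tool.exe (71168 bytes)
08/11 14:03:02 UTC [indicator] file: 9c1185a5c5e9fc54612808977ee8f548b2258d31 71168 bytes tool.exe
08/11 14:05:00 UTC [input] <neo> exit
"""


def load_exclusions(text):
    """Parse the -e file: one IP range (CIDR or single address) per line."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_excluded(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    """Split a log line into timestamp, entry kind and body; None if not a log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_beacon_log(text, beacon_ip, exclude=(), minimize=False):
    """Build the report views for one beacon log.

    Returns None when the beacon is excluded by -e, has no metadata, or never
    received input/tasks (the page's rules for dropping a beacon)."""
    if is_excluded(beacon_ip, exclude):
        return None
    actions, files, meta, joined = [], [], {}, None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind, body = rec["kind"], rec["body"]
        if kind == "metadata":
            joined = joined or rec["ts"]  # Beacon.joined: first check-in
            for field in body.split(";")[1:]:  # skip the "ext <- int" IP pair
                key, _, value = field.strip().partition(": ")
                meta[key] = value
        elif kind == "input":
            operator, _, cmd = body.partition("> ")
            operator = operator.lstrip("<")
            first = cmd.split(maxsplit=1)[0] if cmd.strip() else ""
            if minimize and (operator in NOISE_OPERATORS
                             or first in NOISE_COMMANDS or "keylog" in cmd):
                continue
            actions.append(("INPUT", rec["ts"], operator, cmd))
        elif kind == "task":
            if minimize and body.split("> ", 1)[-1].startswith(NOISE_TASK_PREFIXES):
                continue
            actions.append(("TASK", rec["ts"], "", body))
            if any(phrase in body for phrase in UPLOAD_KEYPHRASES):
                files.append(("TASK", rec["ts"], body))
        elif kind == "indicator":
            files.append(("INDICATOR", rec["ts"], body))
    if not meta or not actions:
        return None
    return {"hostname": meta.get("computer"), "user": meta.get("user"),
            "joined": joined, "actions": actions, "files": files}


if __name__ == "__main__":
    report = parse_beacon_log(SAMPLE_LOG, "203.0.113.7", minimize=True)
    print(report["hostname"], report["joined"])
    for entry in report["actions"]:
        print(*entry)
```

In real use the `beacon_ip` comes from the directory the log sits in (logs/<date>/<ip>/), so an excluded tester range drops the whole beacon before any line is parsed; the minimize pass only removes the noise entries and keeps the beacon as long as at least one real input or task remains.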
✔ Make it work 😂
✔ No support for linux as of now :(
❌ Create cleaner download / upload report