analyzing-cobalt-strike-beacon-configuration

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The provided Python scripts (scripts/agent.py and scripts/process.py) perform local file system operations strictly related to reading malware samples and writing analysis reports. They use standard libraries for file hashing and size calculation. No instances of arbitrary command execution or shell injection vulnerabilities were detected.
  • [EXTERNAL_DOWNLOADS]: The skill documentation references established security libraries such as dissect.cobaltstrike, pefile, and yara-python as prerequisites. These are well-known tools in the malware analysis community. The scripts do not perform automated downloads or execute remote code from unverified sources.
  • [OBFUSCATION]: Static analysis identified the use of XOR operations in the Python scripts. Manual review confirms this logic is used solely for decrypting the configuration blobs within Cobalt Strike beacon samples, which is a required step for forensic analysis. The scripts themselves are written in clear text and do not employ obfuscation to hide their own functionality.
  • [DATA_EXFILTRATION]: There is no evidence of network operations intended to transmit sensitive data or the results of the analysis to external domains. All extracted indicators (C2 domains, IP addresses, watermarks) are processed locally and output to the terminal or local JSON files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 06:44 PM