Fix unknown BeaconSetting names

In dissect.cstruct v4 unknown enum names becomes None, an extra check is done to ensure it has a proper name.
fox-it · Oct 13, 2024 · 3ec47cc · 3ec47cc
1 parent 7a05cc2
commit 3ec47cc
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/dissect/cobaltstrike/beacon.py b/dissect/cobaltstrike/beacon.py
@@ -794,7 +794,7 @@ def settings_map(self, index_type="enum", pretty=False, parse=True) -> MappingPr
  for setting in self.settings_tuple:
  val = setting.value
  if index_type == "name":
- key = setting.index.name
+ key = setting.index.name or str(setting.index)
  elif index_type == "const":
  key = setting.index.value
  else:

diff --git a/tests/test_beacon.py b/tests/test_beacon.py
@@ -311,3 +311,15 @@ def test_beacon_domains_punycode(punycode_beacon_file):
  assert bconfig.domains == ["kçi.com"]
  assert bconfig.domains[0].encode("idna") == b"xn--ki-4ia.com"
  assert b"k\xe7i.com" in bconfig.raw_settings["SETTING_DOMAINS"]
+
+
+def test_beacon_setting_unknown_enum():
+ setting = (
+ beacon.cs_struct.uint16(6969).dumps(),
+ beacon.SettingsType.TYPE_PTR.dumps(),
+ beacon.cs_struct.uint16(3).dumps(),
+ b"foo",
+ )
+ config = beacon.BeaconConfig(b"".join(setting))
+ assert None not in config.settings
+ assert dict(config.settings) == {"BeaconSetting.6969": b"foo"}