Cobalt Sentry is a memory scanning tool designed to detect Cobalt Strike beacons and other stealthy malware techniques, such as Hell's Gate and Heaven's Gate, in running processes on Windows systems.
- Scans all running processes or a specific PID.
- Detects Cobalt Strike beacons using various techniques, including:
- SleepMask detection (high entropy memory regions).
- Mask detection (XORed).
- BeaconGate (API redirection techniques).
- UDRL (Userland Reflective Loader) detection.
- XOR-encoded beacon configuration scanning.
- Hell's Gate and Heaven's Gate syscall manipulation detection.
- Supports multi-threaded scanning for efficiency.
- Windows operating system.
- Go installed (1.18 or later).
- Administrator privileges for accessing process memory.
Clone the repository and build the tool:
git clone https://github.com/MazX0p/CobaltSentry.git
cd CobaltSentry
go mod init CobaltSentry
go mod tidy
Build the executable:
GOOS=windows GOARCH=amd64 go build -o CobaltSentry.exe CobaltSentry.goRun the tool with the following options:
Scan all running processes:
CobaltSentry.exe -allScan a specific process by PID:
CobaltSentry.exe -pid <PID>
############################################
# (\\(\\ #
# ( -.-) #
# o((\")(") #
# #
# C O B A L T S E N T R Y #
# Cobalt Strike & Hell's Gate Scanner #
# Created by Mohamed Alzhrani (0xmaz) #
############################################
Scanning in progress...
[!] Suspicious activity detected in PID 1234 at address 0x7ffabcd1234 It Maybe:
- SleepMask Detected: High entropy in memory
- UDRL Detected: Modified or missing PE header
- BeaconGate Detected: API call proxying found
This tool is intended for security research and educational purposes only. The author is not responsible for any misuse or damage caused by this tool.
- Mohamed Alzhrani (0xmaz)
Contributions and improvements are welcome. Feel free to submit pull requests or open issues.
For inquiries or suggestions, please reach out via GitHub issues.