{"id":18831752,"url":"https://github.com/flangvik/azurec2relay","last_synced_at":"2026-03-02T17:04:34.594Z","repository":{"id":65537379,"uuid":"338695948","full_name":"Flangvik/AzureC2Relay","owner":"Flangvik","description":"AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile.","archived":false,"fork":false,"pushed_at":"2021-02-15T18:06:38.000Z","size":623,"stargazers_count":230,"open_issues_count":0,"forks_count":50,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-10-25T11:48:54.267Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flangvik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-02-14T00:03:52.000Z","updated_at":"2025-10-08T16:29:45.000Z","dependencies_parsed_at":"2023-01-28T02:25:10.108Z","dependency_job_id":null,"html_url":"https://github.com/Flangvik/AzureC2Relay","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Flangvik/AzureC2Relay","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FAzureC2Relay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FAzureC2Relay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FAzureC2Relay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FAzureC2Relay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flangvik","download_url":"https://codeload.github.com/Flangvik/AzureC2Relay/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FAzureC2Relay/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30011190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T17:00:27.440Z","status":"ssl_error","status_checked_at":"2026-03-02T17:00:03.402Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T01:55:53.546Z","updated_at":"2026-03-02T17:04:34.573Z","avatar_url":"https://github.com/Flangvik.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AzureC2Relay\n\nAzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. Any incoming requests that do not share the profiles user-agent, URI paths, headers, and query parameters, will be redirected to a configurable decoy website. The validated C2 traffic is relayed to a team server within the same virtual network that is further restricted by a network security group. Allowing the VM to only expose SSH. \n\n![flow diagram](/images/AzureRelay.png)\n\n# Deploy\nAzureC2Relay is deployed via terraform azure modules as well as some local az cli commands\n\nMake sure you have terraform , az cli and the dotnet core 3.1 runtime installed\n\nWindows (Powershell)\n```\n\u0026([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -runtime dotnet -version 3.1.0\nInvoke-WebRequest 'https://releases.hashicorp.com/terraform/0.14.6/terraform_0.14.6_windows_amd64.zip'  -OutFile 'terraform.zip'\nExpand-Archive -Path terraform.zip -DestinationPath \"$([Environment]::GetFolderPath('ApplicationData'))\\TerraForm\\\"\nsetx PATH \"%PATH%;$([Environment]::GetFolderPath('ApplicationData'))\\TerraForm\\\"\nInvoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\\AzureCLI.msi\n```\n\nMac\n```\ncurl -L https://dot.net/v1/dotnet-install.sh | bash -s --  --runtime dotnet --version 3.1.0\nbrew update \nbrew tap hashicorp/tap\nbrew install hashicorp/tap/terraform\nbrew install azure-cli\n```\n\nUbuntu , Debian\n```\ncurl -L https://dot.net/v1/dotnet-install.sh | bash -s --  --runtime dotnet --version 3.1.0\nwget https://releases.hashicorp.com/terraform/0.14.5/terraform_0.14.5_linux_amd64.zip\nunzip terraform_0.14.5_linux_amd64.zip\nsudo cp terraform /usr/local/bin/terraform\ncurl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash\n```\n\nKali\n```\ncurl -L https://dot.net/v1/dotnet-install.sh | bash -s --  --runtime dotnet --version 3.1.0\nwget https://releases.hashicorp.com/terraform/0.14.5/terraform_0.14.5_linux_amd64.zip\nunzip terraform_0.14.5_linux_amd64.zip\nsudo cp terraform /usr/local/bin/terraform\necho \"deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ stretch main\" | sudo tee /etc/apt/sources.list.d/azure-cli.list\ncurl -L https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -\nsudo apt-get update \u0026\u0026 sudo apt-get install apt-transport-https azure-cli\n```\n\n\n1. Modify the first variables defined in `config.tf` to suit your needs\n1. Replace the dummy \"cobaltstrike-dist.tgz\" with an actual cobaltstrike download \n2. Edit/Replace the Malleable profile inside the Ressources folder (Make sure the profile filename matches the variables you set in step 1)\n2. login with azure `az login` \n3. run `terraform init`\n3. run `terraform apply -auto-approve` to deploy the infra\n4. Wait for the CDN to become active and enjoy!\n\nOnce terraform completes it will provide you with the needed ssh command, the CobaltStrike teamserver will be running inside an tmux session on the deployed VM\n\nWhen your done using the infra, you can remove it with `terraform destroy -auto-approve`","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fazurec2relay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflangvik%2Fazurec2relay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fazurec2relay/lists"}