Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/threatexpress/random_c2_profile

Cobalt Strike random C2 Profile generator
https://github.com/threatexpress/random_c2_profile

Last synced: 3 months ago
JSON representation

Cobalt Strike random C2 Profile generator

Host: GitHub
URL: https://github.com/threatexpress/random_c2_profile
Owner: threatexpress
License: gpl-3.0
Created: 2021-04-03T20:39:29.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2023-01-05T21:17:00.000Z (almost 2 years ago)
Last Synced: 2024-06-06T23:40:24.487Z (5 months ago)
Language: Python
Size: 77.1 KB
Stars: 604
Watchers: 13
Forks: 85
Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - threatexpress/random_c2_profile - Cobalt Strike random C2 Profile generator (Python)

README

        # Random C2 Profile Generator

Cobalt Strike random C2 Profile generator

Author: Joe Vest (@joevest)

## Overview

This project is meant to quickly generate a random c2 profile. It is basically a Jinja template with random variables. The idea is to focus on randomization vs a cohesive set of values that support a specific threat actor.

Detailed Malleable C2 profile information can be found at https://github.com/threatexpress/malleable-c2/. 

!! OPSEC warning using the default profile !!

The default template may not meet your OPSEC needs. Profiles should always be tweaked to meet your specific needs. You can create your own profile template for customization. Custom templates can be save in the templates directory. Copy the default template and modify as needed.

### OPSEC WARNING: Highlights of the default profile you should be aware of before using

- Staging is enabled by default. You should disable this.

- The default does not support profile variants (see Profile Variants - https://www.cobaltstrike.com/help-malleable-c2)

- URIs and DNS hosts are not fancy, they are built using a random words from a word list.

- The process injection setting may not fit your OPSEC needs

## Setup

This has been designed and tested with python3

### Method 1: Keep your pythons separate and use pipenv (my prefered) - https://pipenv-fork.readthedocs.io/en/latest/basics.html

- 1st, Install pipenv for your environment

- 2nd, setup pipenv environment

```

pipenv --python 3.10

pipenv install

pipenv shell

python random_c2profile.py

```

### Method 2: Via pip3 and the Pipfile

```

git clone https://github.com/threatexpress/random_c2_profile

cd random_c2_profile

pip3 install -p Pipfile

python3 random_c2profile.py

```

## Generate some profiles

#### Generate profile from default template

```

python random_c2profile.py

===================================================================

 ___              _              ___ ___   ___          __ _ _     

| _ \__ _ _ _  __| |___ _ __    / __|_  ) | _ \_ _ ___ / _(_) |___ 

|   / _` | ' \/ _` / _ \ '  \  | (__ / /  |  _/ '_/ _ \  _| | / -_)

|_|_\__,_|_||_\__,_\___/_|_|_|  \___/___| |_| |_| \___/_| |_|_\___|

Cobalt Strike random C2 Profile generator

Joe Vest (@joevest) - 2021

===================================================================

[*] Generating Cobalt Strike Malleable C2 Profile

    Version : 4.7

    template: templates/default_c2profile_template.jinja

[*] Done. Don't forget to validate with c2lint. 

[*] Profile saved to output/UBVOTUIW.profile

```

#### Generate profile from custom template

```

python random_c2profile.py --template templates/my_template.jinja

===================================================================

 ___              _              ___ ___   ___          __ _ _     

| _ \__ _ _ _  __| |___ _ __    / __|_  ) | _ \_ _ ___ / _(_) |___ 

|   / _` | ' \/ _` / _ \ '  \  | (__ / /  |  _/ '_/ _ \  _| | / -_)

|_|_\__,_|_||_\__,_\___/_|_|_|  \___/___| |_| |_| \___/_| |_|_\___|

Cobalt Strike random C2 Profile generator

Joe Vest (@joevest) - 2021

===================================================================

[*] Generating Cobalt Strike Malleable C2 Profile

    Version : 4.7

    template: templates/my_template.jinja

[*] Done. Don't forget to validate with c2lint. 

[*] Profile saved to output/NSJOTVMN.profile

```

## File Descriptions

File                     | Description

-------------------------|------------

c2profile_template.jinja | Base template for a c2 profile

variable.py              | Mapping of python variables to variables used in jinja template. Modify these as you need. 

functions.py             | contains logic for generating data used in a profile. Additional functions can be added and used in a custom profile template.

html_contents.py         | contains a set of html code used to inject 'random' data into a profile

## References

- http://threatexpress.com/blogs/2018/a-deep-dive-into-cobalt-strike-malleable-c2/

- https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/

- https://github.com/threatexpress/malleable-c2/

- https://github.com/FortyNorthSecurity/C2concealer/

### Magic MZ

- https://www.redteam.cafe/red-team/shellcode-injection/magic_mz_x86-and-magic_mz_x64

### Word list source

- https://raw.githubusercontent.com/chrislockard/api_wordlist/master/objects.txt

- https://raw.githubusercontent.com/chrislockard/api_wordlist/master/actions.txt

## Change Log

Note: Get change log from git using `git log --pretty=format:"  - %cd - %cn : %s"`

- Thu Jan 5 15:14:34 2023 -0600 - vestjoe : Update readme

- Thu Jan 5 15:11:23 2023 -0600 - vestjoe : fix for issue https://github.com/threatexpress/random_c2_profile/issu

es/12

- Sat Dec 10 17:01:14 2022 -0600 - GitHub : Merge pull request #11 from threatexpress/custom_profile

- Sat Dec 10 16:57:34 2022 -0600 - vestjoe : update readme

- Sat Dec 10 16:54:22 2022 -0600 - vestjoe : add ability to load custom profile template

- Sat Dec 10 15:43:19 2022 -0600 - vestjoe : updated readme about OPSEC, fixed dependency versions, updated pipenv 

usage instructions

- Tue Dec 6 13:24:00 2022 -0600 - vestjoe : update readme

- Tue Dec 6 13:20:54 2022 -0600 - GitHub : Merge pull request #10 from threatexpress/4.7

- Tue Dec 6 13:17:17 2022 -0600 - vestjoe : Added 4.7 profile settings, Removed old HTML content template, Added new HTML content template to html_content.py

- Wed Jun 22 11:58:22 2022 -0500 - GitHub : Merge pull request #6 from Maleick/main

- Wed Jun 22 11:57:47 2022 -0500 - GitHub : Merge pull request #5 from ceramic-skate0/patch-1

- Wed Jun 22 11:43:07 2022 -0500 - Maleick : Add Cobalt Strike version variable

- Mon May 23 13:03:28 2022 -0400 - GitHub : Update readme.md

- Wed Apr 20 18:44:19 2022 -0500 - GitHub : Merge pull request #4 from threatexpress/cs4.6

- Wed Apr 20 18:36:29 2022 -0500 - vestjoe : cs4.6 updates

- Fri Dec 17 13:44:45 2021 -0600 - vestjoe : update for CS 4.5

- Fri Dec 17 13:26:30 2021 -0600 - GitHub : Merge pull request #2 from Pernat1y/patch-1

- Sat Sep 11 14:43:27 2021 +0300 - GitHub : Updated readme

- Mon Aug 30 06:07:18 2021 -0500 - vestjoe : added 4.4 tweaks

- Mon Aug 30 06:01:47 2021 -0500 - vestjoe : silly bug

- Thu Aug 26 12:06:33 2021 -0500 - vestjoe : tweaks to DNS settings, host must be lowercase, adjusted dns_sleep options

- Mon Aug 23 12:50:47 2021 -0500 - vestjoe : Updated for CS 4.4 and added magic mz options

- Thu May 6 20:05:33 2021 -0500 - vestjoe : fix

- Thu Apr 29 11:47:00 2021 -0500 - vestjoe : update spawnto to better match x64 and x86 across mutiple version of Windows

- Wed Apr 28 13:55:57 2021 -0500 - vestjoe : better compatibility

- Sat Apr 3 15:51:24 2021 -0500 - vestjoe : updated

- Sat Apr 3 15:49:52 2021 -0500 - vestjoe : updated

- Sat Apr 3 15:26:49 2021 -0500 - vestjoe : initial