C2concealer: generates randomized C2 malleable profiles
C2concealer is a command-line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
How it works
We poured over the Cobalt Strike documentation and defined ranges of values that would make sense for each profile attribute. Sometimes that data is as simple as a random integer within some range and other times we need to pick a random value from a python dictionary. Either way, we started tool creation with defining the data that would make a valid profile.
Then we divided each malleable profile section (or block) into a separate .py file, which contains the logic to draw random appropriate values for each attribute and then output a formatted string for that profile block. We concatenate all profile blocks together, run a few quick consistency checks and then run the profile through the Cobalt Strike linter (c2lint). The output is a profile that should work for your engagements. We always recommend testing the profile (including process injection and spawning) prior to running a campaign.
If you’re looking into the code, we recommend starting with these two files: /C2concealer/main.py and /C2concealer/profile.py. After reviewing the comments, check out the individual’s profile block generators in the folder: /C2concealer/components.
git clone https://github.com/FortyNorthSecurity/C2concealer.git
chmod u+x install.sh
Customizing the tool
This is crucial. This is an open-sourced version of a tool we’ve been using privately for about a year. Our private repo has several additional IOCs and a completely different data set. While running the tool provides an excellent start for building a Cobalt Strike malleable profile, we recommend digging into the following areas to customize the data that is randomly populating the tool:
- dns.py (customize the dns subdomains)
- file_type_prepend.py (customize how http-get-server responses look … aka c2 control instructions)
- params.py (two dictionaries containing common parameter names and a generic wordlist)
- post_ex.py (spawn_to process list…definitely change this one)
- reg_headers.py (typical http headers like user-agent and server)
- smb.py (smb pipenames for use when comms go over smb)
- stage.py (data for changing IOCs related to the stager)
- transform.py (payload data transformations…no need to change this)
- urls.py (filetypes and url path components used for building URIs all across the tool…definitely change this)
In addition, you can customize various attributes all throughout the profile generation process. As an example, in the file: “/C2concealer/components/stageblock.py”, you can change the range from which PE image size value is drawn from (near lines 73-74). Please look through all the different files in the components directory.
If you’ve made it this far, then we know you’ll get a lot of use out of this tool. The way we recommend viewing this tool is that we’ve built the skeleton code to automatically generate these profiles, now it’s up to you to think through what values make sense for each attribute for your campaigns and update the data sources.
Copyright (C) 2020 FortyNorthSecurity