pyMalleableC2: Python interpreter for Cobalt Strike Malleable C2 Profiles

by do son · May 3, 2021

A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax.

Supports all of the Cobalt Strike Malleable C2 Profile grammar starting from Cobalt Strike version 4.3.

It’s not backwards compatible with previous Cobalt Strike releases.

What are the differences between pyMalleableC2 and other projects of this nature?

Parses profiles with Lark using eBNF notation. This approach is a lot more robust then user-defined regexes, templating engines, or similar methods.
Turns profiles into an Abstract Syntax Tree (AST) which can then be reconstructed back into source code.
Because of the above, pyMalleableC2 allows you to build profiles programmatically or modify them on the fly.
Allows you to validate the syntax of Malleable C2 profiles (Does not perform runtime checks, see the warning below.)
It has AI in the form of a lot of if statements.