Anthropic-Cybersecurity-Skills/skills/analyzing-cobalt-strike-malleable-profiles/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

API Reference: Analyzing Cobalt Strike Malleable Profiles

pyMalleableC2

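```python
from malleablec2 import Profile
from malleablec2.components import HttpGetBlock, HttpPostBlock, ClientBlock, ServerBlock

# Constructed sample: profile source text held in a string
code_string = 'set sleeptime "3000";'

# Three alternative constructors; each call below replaces the previous p
p = Profile.from_file("amazon.profile")   # parse a profile file on disk
p = Profile.from_string(code_string)      # parse profile source held in a str
p = Profile.from_scratch()                # start from an empty profile

# Set global options (values are passed as strings)
p.set_option("sleeptime", "3000")
p.set_option("jitter", "0")
p.set_option("pipename", "mojo__##")

# HTTP blocks: build http-get { client { header ... } } and attach it
http_get = HttpGetBlock()
http_get.set_option("uri", "/updates")
client = ClientBlock()
client.add_statement("header", "Accept", "*/*")
http_get.add_code_block(client)
p.add_code_block(http_get)

# AST and reconstruction
print(p.ast.pretty())   # Display AST
print(p)                # Reconstruct source
```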

JARM TLS Fingerprinting

```bash
# Scan a single host
python3 jarm.py www.example.com

# Scan with specific port
python3 jarm.py 192.168.1.1 -p 8443

# Batch scan from file
python3 jarm.py -i targets.txt -o results.csv
```

Fingerprint format: 62-char hybrid hash

  • First 30 chars: cipher + TLS version (10 handshakes x 3 chars)
  • Last 32 chars: truncated SHA256 of cumulative extensions

Known Cobalt Strike JARM Hashes

| JARM Hash | Description |
|-----------|-------------|
| 07d14d16d21d21d07c42d41d00041d... | CS default config |
| 07d14d16d21d21d00042d41d00041d... | CS with Java 11 |
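The fingerprint layout and the truncated prefixes above can be applied to batch scan results as follows. This is an added example, not code from the skill or from the JARM project; the `host,ip,jarm` column layout, the host names, the 32-char tail and the third prefix are constructed assumptions.

```python
import csv
import io
import re

# Truncated prefixes copied from the table above: the 30-char cipher/version part.
KNOWN_PREFIXES = {
    "07d14d16d21d21d07c42d41d00041d": "CS default config",
    "07d14d16d21d21d00042d41d00041d": "CS with Java 11",
}
# Third character of each component, as encoded by the public jarm.py.
TLS_VERSION = {"a": "SSL 3.0", "b": "TLS 1.0", "c": "TLS 1.1",
               "d": "TLS 1.2", "e": "TLS 1.3"}

def split_jarm(fp):
    """Split a JARM hash into 10 handshake components and the extension hash."""
    fp = fp.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{62}", fp):
        raise ValueError("not a 62-char JARM hash")
    shakes = []
    for i in range(0, 30, 3):
        part = fp[i:i + 3]
        # "000" means that probe returned no ServerHello.
        shakes.append(None if part == "000"
                      else (part[:2], TLS_VERSION.get(part[2], "unknown")))
    return shakes, fp[30:]

def triage(csv_text):
    """Classify rows of host,ip,jarm (assumed column layout, no header)."""
    out = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3:
            continue
        host, fp = row[0], row[2]
        try:
            shakes, _ext = split_jarm(fp)
        except ValueError:
            out.append((host, "invalid", None))
            continue
        if all(s is None for s in shakes):
            out.append((host, "no-tls", None))  # all-zero hash: no TLS answer
            continue
        label = KNOWN_PREFIXES.get(fp.strip().lower()[:30])
        out.append((host, "lead" if label else "no-match", label))
    return out

# Constructed sample: hosts, IPs, TAIL and the "15e..." prefix are made up.
TAIL = "0123456789abcdef0123456789abcdef"
SAMPLE = "\n".join([
    "c2-a.example,203.0.113.10,07d14d16d21d21d07c42d41d00041d" + TAIL,
    "java11.example,203.0.113.11,07d14d16d21d21d00042d41d00041d" + TAIL,
    "web.example,203.0.113.20," + "15e" * 10 + TAIL,
    "down.example,203.0.113.30," + "0" * 62,
    "bad.example,203.0.113.40,nothex",
])
```

A prefix match is reported as a lead rather than a verdict: JARM describes the server's TLS stack, so any service with the same stack and settings yields the same prefix. Confirm with other evidence such as a parsed beacon configuration.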

dissect.cobaltstrike (Alternative)

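```python
from dissect.cobaltstrike import beacon

# from_path() takes a filesystem path; from_file() expects an open binary file object
b = beacon.BeaconConfig.from_path("beacon.bin")
print(b.protocol, b.port, b.sleeptime)
```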