mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-15 15:34:56 +03:00
mukul975
2.7 KiB
2.7 KiB
CobaltStrike Malleable C2 Profile Analysis API Reference
Installation
pip install dissect.cobaltstrike
pip install 'dissect.cobaltstrike[full]' # With PCAP support
pip install pyMalleableC2 # Alternative parser
dissect.cobaltstrike API
Parse Beacon Configuration
from dissect.cobaltstrike.beacon import BeaconConfig
bconfig = BeaconConfig.from_path("beacon.bin")
print(hex(bconfig.watermark)) # 0x5109bf6d
print(bconfig.protocol) # https
print(bconfig.version) # BeaconVersion(...)
print(bconfig.settings) # Full config dict
Parse Malleable C2 Profile
from dissect.cobaltstrike.c2profile import C2Profile
profile = C2Profile.from_path("amazon.profile")
config = profile.as_dict()
print(config["useragent"])
print(config["http-get.uri"])
print(config["sleeptime"])
PCAP Analysis
# Extract beacons from PCAP
beacon-pcap --extract-beacons traffic.pcap
# Decrypt traffic with private key
beacon-pcap -p team_server.pem traffic.pcap --beacon beacon.bin
pyMalleableC2 API
from malleableC2 import Profile
profile = Profile.from_file("amazon.profile")
print(profile.sleeptime)
print(profile.useragent)
print(profile.http_get.uri)
print(profile.http_post.uri)
Key Profile Settings
| Setting | Description | Detection Value |
|---|---|---|
sleeptime |
Callback interval (ms) | Low values = aggressive beaconing |
jitter |
Sleep randomization % | Timing analysis evasion |
useragent |
HTTP User-Agent string | Network signature |
http-get.uri |
GET request URI path | URI-based detection |
http-post.uri |
POST request URI path | URI-based detection |
spawnto_x86 |
32-bit spawn process | Process creation detection |
spawnto_x64 |
64-bit spawn process | Process creation detection |
pipename |
Named pipe pattern | Named pipe monitoring |
dns_idle |
DNS idle IP address | DNS beacon detection |
watermark |
License watermark | Operator attribution |
Suricata Rule Format
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"MALWARE CobaltStrike C2 URI";
flow:established,to_server;
http.uri; content:"/api/v1/status";
http.header; content:"User-Agent: Mozilla/5.0";
sid:9000001; rev:1;
)
CLI Usage
python agent.py --input profile.profile --output report.json
python agent.py --input parsed_config.json --output report.json
References
- dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
- pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
- Unit42 Analysis: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
- Config Extractor: https://github.com/strozfriedberg/cobaltstrike-config-extractor