mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-16 07:53:18 +03:00
# CobaltStrike Malleable C2 Profile Analysis API Reference

## Installation

```bash
pip install dissect.cobaltstrike
pip install 'dissect.cobaltstrike[full]'  # With PCAP support
pip install pyMalleableC2                 # Alternative parser
```

## dissect.cobaltstrike API

### Parse Beacon Configuration

```python
from dissect.cobaltstrike.beacon import BeaconConfig

# Parse the embedded configuration of a beacon payload (PE file or raw dump)
bconfig = BeaconConfig.from_path("beacon.bin")
print(hex(bconfig.watermark))  # 0x5109bf6d
print(bconfig.protocol)        # https
print(bconfig.version)         # BeaconVersion(...)
print(bconfig.settings)        # Full config dict
```

### Parse Malleable C2 Profile

```python
from dissect.cobaltstrike.c2profile import C2Profile

# Parse a Malleable C2 profile file and read the settings relevant for detection
profile = C2Profile.from_path("amazon.profile")
config = profile.as_dict()
print(config["useragent"])
print(config["http-get.uri"])
print(config["sleeptime"])
```

### PCAP Analysis

```bash
# Extract beacons from PCAP
beacon-pcap --extract-beacons traffic.pcap

# Decrypt traffic with private key
beacon-pcap -p team_server.pem traffic.pcap --beacon beacon.bin
```

## pyMalleableC2 API

```python
# The pyMalleableC2 package is imported as "malleablec2" (lowercase)
from malleablec2 import Profile

profile = Profile.from_file("amazon.profile")
print(profile.sleeptime)
print(profile.useragent)
print(profile.http_get.uri)
print(profile.http_post.uri)
```

## Key Profile Settings

| Setting | Description | Detection Value |
|---------|-------------|-----------------|
| `sleeptime` | Callback interval (ms) | Low values = aggressive beaconing |
| `jitter` | Sleep randomization % | Timing analysis evasion |
| `useragent` | HTTP User-Agent string | Network signature |
| `http-get.uri` | GET request URI path | URI-based detection |
| `http-post.uri` | POST request URI path | URI-based detection |
| `spawnto_x86` | 32-bit spawn process | Process creation detection |
| `spawnto_x64` | 64-bit spawn process | Process creation detection |
| `pipename` | Named pipe pattern | Named pipe monitoring |
| `dns_idle` | DNS idle IP address | DNS beacon detection |
| `watermark` | License watermark | Operator attribution |

## Suricata Rule Format

Suricata reads a rule as a single line; a trailing backslash continues it onto the next line.

```
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"MALWARE CobaltStrike C2 URI"; \
    flow:established,to_server; \
    http.uri; content:"/api/v1/status"; \
    http.header; content:"User-Agent: Mozilla/5.0"; \
    sid:9000001; rev:1; \
)
```

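As an added example (not code from this repository), the following turns the profile settings listed above into per-URI Suricata rules and a beaconing-risk rating from `sleeptime`/`jitter`. It assumes a settings dict in the shape `C2Profile.as_dict()` returns (setting name to a list of strings); `SAMPLE_SETTINGS`, its URIs and the `first`/`escape_content`/`profile_to_suricata`/`beaconing_risk` helpers are constructed here.

```python
# Added example (not from this repository): map parsed Malleable C2 settings to
# Suricata rules and a beaconing-risk rating. SAMPLE_SETTINGS is constructed in the
# shape dissect.cobaltstrike's C2Profile.as_dict() returns (name -> list of strings).
SAMPLE_SETTINGS = {
    "sleeptime": ["5000"],
    "jitter": ["20"],
    "useragent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"],
    "http-get.uri": ["/s/ref=nb_sb_noss_1/example-keywords=books"],   # made-up URIs
    "http-post.uri": ["/N4215/adj/example.us.sr.aps"],
}

def first(settings, key, default=""):
    """Return a setting as a string, unwrapping the list form as_dict() produces."""
    value = settings.get(key, default)
    return value[0] if isinstance(value, list) and value else value

def escape_content(value):
    """Escape text for a Suricata content match: ; " \\ take a backslash, | becomes |7C|."""
    out = []
    for ch in value:
        if ch == "|":
            out.append("|7C|")
        elif ch in ';"\\':
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def profile_to_suricata(settings, base_sid=9000001):
    """One rule per GET/POST URI, pinned to the profile's User-Agent when present."""
    rules, sid = [], base_sid
    ua = escape_content(first(settings, "useragent"))
    ua_match = f'http.user_agent; content:"{ua}"; ' if ua else ""
    for key, method in (("http-get.uri", "GET"), ("http-post.uri", "POST")):
        for uri in first(settings, key).split():  # a profile may list several URIs
            rules.append(
                "alert http $HOME_NET any -> $EXTERNAL_NET any ("
                f'msg:"MALWARE CobaltStrike C2 {method} URI"; flow:established,to_server; '
                f'http.method; content:"{method}"; http.uri; content:"{escape_content(uri)}"; '
                f"{ua_match}sid:{sid}; rev:1;)"
            )
            sid += 1
    return rules

def beaconing_risk(settings):
    """Short sleeps stand out in proxy/NetFlow logs; low jitter makes them regular."""
    sleep_ms = int(first(settings, "sleeptime", "60000"))
    jitter = int(first(settings, "jitter", "0"))
    if sleep_ms < 10_000:
        return "high"
    return "medium" if jitter < 10 else "low"
```

Feed it the dict from `C2Profile.as_dict()` to get rules for a real profile; the thresholds in `beaconing_risk` are illustrative and should be tuned to your environment.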
## CLI Usage

```bash
python agent.py --input profile.profile --output report.json
python agent.py --input parsed_config.json --output report.json
```

## References

- dissect.cobaltstrike: https://github.com/fox-it/dissect.cobaltstrike
- pyMalleableC2: https://github.com/byt3bl33d3r/pyMalleableC2
- Unit42 Analysis: https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
- Config Extractor: https://github.com/strozfriedberg/cobaltstrike-config-extractor