Cobalt Strike random C2 Profile generator

Overview

Random C2 Profile Generator

Author: Joe Vest (@joevest)

This project is designed to generate malleable c2 profiles based on the reference profile at https://github.com/threatexpress/malleable-c2/.

!! This is not intended for production
!! Generated profiles are designed to be used for testing variations
!! of the reference profile.

Overview

This project is meant to quickly generate a random c2 profile. It is basically a Jinja template with random variables.

Think of this as a randomized version of the reference profiles found here https://github.com/threatexpress/malleable-c2/.

There are other C2 profile generators that may work better for production like https://github.com/FortyNorthSecurity/C2concealer/

Highlights you should be aware of before using

  • Staging is disabled by default
  • This does take advantage of other good practices found in the reference profile, but adds randomization (This is why the project was created)
  • Does NOT use profile variants (see Profile Variants - https://www.cobaltstrike.com/help-malleable-c2)
  • URIs and DNS hosts do not try to be fancy; they are built using random words from a word list.
  • Settings are consistent across the profile. Each is just randomized.

Setup

This has been designed and tested with python3

Method 1: Quick and easy

pip3 install -r requirements.txt
python random_c2profile.py

Method 2: Keep your pythons separate and use pipenv

  • 1st, install pipenv for your environment
  • 2nd, set up the pipenv environment
pipenv --python 3.8
pipenv install
pipenv shell
python random_c2profile.py

Generate some profiles

python random_c2profile.py
===================================================================
 ___              _              ___ ___   ___          __ _ _     
| _ \__ _ _ _  __| |___ _ __    / __|_  ) | _ \_ _ ___ / _(_) |___ 
|   / _` | ' \/ _` / _ \ '  \  | (__ / /  |  _/ '_/ _ \  _| | / -_)
|_|_\__,_|_||_\__,_\___/_|_|_|  \___/___| |_| |_| \___/_| |_|_\___|
Cobalt Strike random C2 Profile generator
Joe Vest (@joevest) - 2021

Based on the C2 reference profile at 
https://github.com/threatexpress/malleable-c2/

!! Not inteneded for production
!! Generated profiles are designed to be used for testing variations 
!! of the reference profile.
===================================================================

[*] Generating Cobalt Strike 4.3 c2 profile ...
[*] Done. Don't forget to validate with c2lint. 
[*] Profile saved to output/GNAWZGHN.profile

References

Word list source

Comments
  • random HTTP content is not OPSEC safe

    Hello,

    thanks for the great project.

    the get_http_content() function returns non OPSEC safe HTTP blob. https://github.com/threatexpress/random_c2_profile/blob/cb71b2e972a15df759caf7b8bd9264a0dbdcee5d/core/functions.py#L91

    Thanks

    opened by superuser5 3
  • Downgrade markupsafe

    Hi,

    Just a little update ^^ Since the version 2.1.0 of markupsafe they removed soft_unicode. Release note: https://markupsafe.palletsprojects.com/en/2.1.x/changes/#version-2-1-0 You can add in requirements.txt: markupsafe==2.0.1

    cheers

    opened by apache-strike 3
  • Typo in functions.py line 291

    Line contains return str(random.randint(1,4=5) which ends up in:

    random_c2_profile/core/functions.py", line 291
        return str(random.randint(1,4=5))
                                    ^
    SyntaxError: expression cannot contain assignment, perhaps you meant "=="?
    
    

    Probably you intended to type 4*5 (for whatever reason)?

    opened by cyb3rwr3ck 1
  • Jinja2 Error

    Received error for jinja2 execution after following installation instructions. For some reason during dependency installation, Jinja2 doesn't download the latest version. Fix: pip3 install --upgrade jinja2 jinij2

    opened by beatenyou 0
  • Error: cannot import name 'soft_unicode' from 'markupsafe'

    Hello

    I am following the installation process on latest kali and experience the error:

        git clone https://github.com/threatexpress/random_c2_profile
        cd random_c2_profile
        pip3 install -r requirements.txt
        pip3 install Pipfile
        python3 random_c2profile.py
    

    Error:

    python3 random_c2profile.py
    Traceback (most recent call last):
      File "/opt/random_c2_profile/random_c2profile.py", line 15, in <module>
        from jinja2 import Template
      File "/usr/local/lib/python3.10/dist-packages/jinja2/__init__.py", line 12, in <module>
        from .environment import Environment
      File "/usr/local/lib/python3.10/dist-packages/jinja2/environment.py", line 25, in <module>
        from .defaults import BLOCK_END_STRING
      File "/usr/local/lib/python3.10/dist-packages/jinja2/defaults.py", line 3, in <module>
        from .filters import FILTERS as DEFAULT_FILTERS  # noqa: F401
      File "/usr/local/lib/python3.10/dist-packages/jinja2/filters.py", line 13, in <module>
        from markupsafe import soft_unicode
    ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/lib/python3/dist-packages/markupsafe/__init__.py)
    

    To solve this I need to downgrade markupsafe:

    pip3 install markupsafe==2.0.1
    
    opened by superuser5 0
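
The incompatibility reported in the two markupsafe issues above can be caught before installation by checking the pins in a requirements file. This is an added example, not code from the project: the function names and sample inputs are constructed here, and it assumes that Jinja2 releases before 3.0 are the ones that import soft_unicode.

```python
import re

# MarkupSafe 2.1.0 removed soft_unicode (release note linked in the issue above).
MARKUPSAFE_REMOVED_IN = (2, 1)
# Assumption: Jinja2 releases before 3.0 still import soft_unicode, as the
# traceback above shows for the installed copy.
JINJA2_NO_LONGER_IMPORTS = (3,)


def parse_version(text):
    """'2.0.1' -> (2, 0, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_pins(requirements_text):
    """Map package name -> exact '==' version tuple, or None when not pinned."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = re.match(r"([A-Za-z0-9_.-]+)\s*(?:==\s*(\d[\w.]*))?", line)
        if match:
            name = match.group(1).lower().replace("_", "-")
            pins[name] = parse_version(match.group(2)) if match.group(2) else None
    return pins


def soft_unicode_status(requirements_text):
    """Classify a requirements file as 'ok', 'broken' or 'unpinned'."""
    pins = parse_pins(requirements_text)
    jinja, markup = pins.get("jinja2"), pins.get("markupsafe")
    if jinja is not None and jinja >= JINJA2_NO_LONGER_IMPORTS:
        return "ok"        # this Jinja2 does not ask for soft_unicode
    if markup is not None and markup < MARKUPSAFE_REMOVED_IN:
        return "ok"        # soft_unicode still exists in this MarkupSafe
    if jinja is not None and markup is not None:
        return "broken"    # old Jinja2 with MarkupSafe >= 2.1.0: ImportError
    return "unpinned"      # result depends on whatever pip resolves or finds


if __name__ == "__main__":
    # Constructed sample, not the project's real requirements.txt.
    sample = "jinja2==2.11.3\nmarkupsafe==2.1.1\n"
    print(soft_unicode_status(sample))
```

An "unpinned" result covers the case in the Jinja2 issue above, where the outcome depended on which versions were already present on the machine.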
Owner
Threat Express