https://bluescreenofjeff.com/2017-08-30-randomized-malleable-c2-profiles-made-easy/
Malleable Command and Control (C2) profiles provide red teamers and penetration testers with a wealth of options to modify how Cobalt Strike both appears on the wire and on the compromised host. Malleable C2 can be used to impersonate actual threat actors or normal web traffic. As with every advancement in offensive tradecraft, blue teams and defensive products are bound to implement static signature-based protections. In my opinion, a defender should use any resources available, including signature-based detections; however, they shouldn’t rely on any one defensive technique. As red teamers, it’s our job to exercise the blue team’s controls and processes and this is precisely what Malleable C2 profiles permit us to exercise.
In this blog post, I’ll detail a script I wrote to randomize Malleable C2 profiles, allowing us to customize the same profile template every time we use it and hopefully reduce the chances of flagging static, signature-based detection controls. The script is available here.
The script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage, replacing keywords with random, pre-configured strings. In short, the script parses the provided template, substitutes the variables for a random value from either a provided or built-in wordlist, tests the new template with c2lint, and (if there are no c2lint errors) outputs the new Malleable C2 profile.
I’ve provided sample Malleable C2 profiles that are compatible with the script in the Sample Templates directory of the script repo.
Here is a sample of a profile that has been modified to use the script’s metalanguage, followed by a resulting profile:
# This profile has been modified to use with the Malleable C2 Profile Randomizer
#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#
set sleeptime "%%number:2%%00";
set jitter "1%%number%%";
set maxdns "24%%number%%";
set useragent "%%useragent%%";
http-get {
set uri "/s/ref=nb_sb_noss_1/%%number:3%%-%%number:8%%-%%number:7%%/field-keywords=%%word%%";
client {
header "Accept" "*/*";
header "Host" "www.amazon.com";
metadata {
base64;
prepend "session-token=";
prepend "skin=noskin;";
append "csm-hit=s-%%alphanumeric:20%%|%%number:13%%";
header "Cookie";
}
}
}
# This profile has been modified to use with the Malleable C2 Profile Randomizer
#
# Amazon browsing traffic profile
#
# Author: @harmj0y
#
set sleeptime "7400";
set jitter "19";
set maxdns "246";
set useragent "Mozilla/5.0 (Windows NT 10.0; WOW64)";
http-get {
set uri "/s/ref=nb_sb_noss_1/684-10075672-1686806/field-keywords=year";
client {
header "Accept" "*/*";
header "Host" "www.amazon.com";
metadata {
base64;
prepend "session-token=";
prepend "skin=noskin;";
append "csm-hit=s-ub5oBmGd0pnDoImCjDyK|2539750656854";
header "Cookie";
}
}
}
Porting existing profiles is straightforward, as shown with the Amazon profile above. To start, replace or add any global settings with the appropriate script variables, such as useragent and spawnto. It’s worth the time to build as many of these options into the profile template as possible, as they will vary the traffic from the stock profile even more. Next, replace any long or seemingly random strings with the appropriate metalanguage characterset, such as those on line 16 above.
The script requires a modified Malleable C2 profile as input with profile (or p). If you intend to have c2lint test the profile before saving (recommended), either run the script from your Cobalt Strike directory or provide the Cobalt Strike directory with the cobalt (d) parameter. All other parameters are optional and will use built-in lists if a custom list is not provided.
Full usage options:
python malleable-c2-randomizer.py [-h] -profile PROFILE
[-count COUNT]
[-cobalt COBALT]
[-output OUTPUT]
[-notest]
[-charset CHARSET]
[-wordlist WORDLIST]
[-useragent USERAGENT]
[-spawnto SPAWNTO]
[-pipename PIPENAME]
[-pipename_stager PIPENAME_STAGER]
[-dns_stager_subhost DNS_STAGER_SUBHOST]
Parameter Description
-profile, -p Path to the Malleable C2 template to randomize (REQUIRED)
-count, -c The number of randomized profiles to create {Default = 1}
-cobalt, -d The directory where Cobalt Strike is located (for c2lint) {Default = current directory}
-output, -o Output base name {Default = template basename and random string}
-notest, -n Skip testing with c2lint (Flag)
If no wordlist is provided, a built-in list will be used by default. For more information about creating these lists, see below or the Sample Wordlists folder in the script repo.
Parameter Description
-charset File with a custom characterset to use with the %%customchar%% variable
-wordlist File with a list of custom words to use with the %%word%% variable
-useragent File with a list of useragents
-spawnto File with a list of custom spawnto processes
-pipename File with a list of custome pipenames
-pipename_stager File with a list of custom pipename_stagers
-dns_stager_subhost File with a list of custom dns_stager_subhosts