C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.

Installation

chmod u+x install.sh
./install.sh

Building Docker image

docker build -t C2concealer .

Running with Docker

docker container run -it -v <cobalt_strike_location>:/usr/share/cobaltstrike/ C2concealer --hostname google.com --variant 3

Example Usage

Usage:
	$ C2concealer --hostname google.com --variant 3

Flags:

	(optional)
	--hostname
		The hostname used in HTTP client and server side settings. Default is None.
	--variant
		An integer defining the number of HTTP client/server variants to generate.
		Recommend between 1 and 5. Max 10.

Example Console Output

root@kali:~# C2concealer --variant 1 --hostname google.com
[i] Searching for the c2lint tool on your system (part of Cobalt Strike). Might take 10-20 seconds.
[i] Found c2lint in the /opt/cobaltstrike/c2lint directory.

Choose an SSL option:
1. Self-signed SSL cert (just input a few details)
2. LetsEncrypt SSL cert (requies a temporary A record for the relevant domain to be pointed to this machine)
3. Existing keystore
4. No SSL

[?] Option [1/2/3/4]:

Tip: Always use an SSL certificate. Preferably a cert from LetsEncrypt or similar.

Tip: HTTP Variants allow you to select different IOCs for http traffic on different beacons. Recommend a value of at least 1.

How it works

We pored over the Cobalt Strike documentation and defined ranges of values that would make sense for each profile attribute. Sometimes that data is as simple as a random integer within some range; other times we need to pick a random value from a Python dictionary. Either way, we started tool creation by defining the data that would make a valid profile.

Then we divided each malleable profile section (or block) into a separate .py file, which contains the logic to draw random, appropriate values for each attribute and then output a formatted string for that profile block. We concatenate all profile blocks together, run a few quick consistency checks, and then run the profile through the Cobalt Strike linter (c2lint). The output is a profile that should work for your engagements. We always recommend testing the profile (including process injection and spawning) prior to running a campaign.

If you're looking into the code, we recommend starting with these two files: /C2concealer/main.py and /C2concealer/profile.py. After reviewing the comments, check out the individual profile block generators in the folder: /C2concealer/components.
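The blocks the tool concatenates can also be read back the other way. The added example below is not part of C2concealer: it parses a constructed malleable C2 fragment into the indicator-bearing fields a defender would turn into detection content (sleep interval, User-Agent, URIs, client/server headers) and runs uri_collisions(), a stand-in for the kind of quick consistency check the README mentions (assumed here, not taken from the tool; c2lint remains the authority on what Cobalt Strike accepts). It goes slightly beyond the text by also handling CS 4.0 variant names on http-get/http-post blocks.

```python
import re

# Constructed sample (not C2concealer output) in the malleable C2 layout the
# README describes: global "set" options, then http-get/http-post blocks.
SAMPLE_PROFILE = r'''
set sleeptime "45000";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleUA/1.0";
http-get {
    set uri "/api/v2/status /cdn/assets/main.js";
    client { header "Accept" "*/*"; header "Host" "example.invalid"; }
    server { header "Server" "nginx"; header "Content-Type" "application/javascript"; }
}
http-post {
    set uri "/api/v2/status";
    client { header "Content-Type" "application/octet-stream"; }
    server { header "Server" "nginx"; }
}
'''
BLOCK_RE = re.compile(r'(http-get|http-post|http-stager)\s*(?:"([^"]*)")?\s*\{')
SET_RE = re.compile(r'\bset\s+(\w+)\s+"((?:[^"\\]|\\.)*)"\s*;')
HEADER_RE = re.compile(r'\bheader\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"\s*;')
def _block_body(text, open_brace):  # text inside the brace pair that opens at open_brace
    depth = 0
    for i, ch in enumerate(text[open_brace:], open_brace):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in profile")
def extract_indicators(profile):
    """Global options plus, per block, its URIs and client/server headers."""
    result, remainder = {"global": {}, "blocks": {}}, profile
    for m in BLOCK_RE.finditer(profile):
        body = _block_body(profile, m.end() - 1)
        remainder = remainder.replace(profile[m.start():m.end() + len(body) + 1], "")
        key = m.group(1) + (f' "{m.group(2)}"' if m.group(2) else "")  # CS 4.0 variant name
        uris = [u for s in SET_RE.finditer(body) if s.group(1) == "uri" for u in s.group(2).split()]
        entry = {"uris": uris, "client_headers": {}, "server_headers": {}}  # uri list is space separated
        for side in ("client", "server"):
            if sub := re.search(r"\b" + side + r"\s*\{", body):
                hdrs = HEADER_RE.finditer(_block_body(body, sub.end() - 1))
                entry[side + "_headers"] = {h.group(1): h.group(2) for h in hdrs}
        result["blocks"][key] = entry
    result["global"] = {s.group(1): s.group(2) for s in SET_RE.finditer(remainder)}  # outside blocks
    return result
def uri_collisions(indicators):  # quick consistency check: one URI claimed by several blocks
    seen = {}
    for block, entry in indicators["blocks"].items():
        for uri in entry["uris"]:
            seen.setdefault(uri, []).append(block)
    return {uri: blocks for uri, blocks in seen.items() if len(blocks) > 1}
```

Run against a recovered profile, the "global" and per-block dictionaries are exactly the values (sleep interval, User-Agent, URIs, Server header) a detection engineer would pivot on; the collision check flags a URI shared by http-get and http-post before the profile ever reaches c2lint.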

Customizing the tool

This is crucial. This is an open-sourced version of a tool we've been using privately for about a year. Our private repo has several additional IOCs and a completely different data set. While running the tool provides an excellent start for building a Cobalt Strike malleable profile, we recommend digging into the following areas to customize the data that randomly populates the profile:

/C2concealer/data/

  • dns.py (customize the dns subdomains)
  • file_type_prepend.py (customize how http-get-server responses look ... aka c2 control instructions)
  • params.py (two dictionaries containing common parameter names and a generic wordlist)
  • post_ex.py (spawn_to process list...definitely change this one)
  • reg_headers.py (typical http headers like user-agent and server)
  • smb.py (smb pipenames for use when comms go over smb)
  • stage.py (data for changing IOCs related to the stager)
  • transform.py (payload data transformations...no need to change this)
  • urls.py (filetypes and url path components used for building URIs all across the tool...definitely change this)

In addition, you can customize various attributes all throughout the profile generation process. As an example, in the file "/C2concealer/components/stageblock.py", you can change the range from which the PE image size value is drawn (near lines 73-74). Please look through all the different files in the components directory.

If you've made it this far, then we know you'll get a lot of use out of this tool. The way we recommend viewing this tool is that we've built the skeleton code to automatically generate these profiles; now it's up to you to think through what values make sense for each attribute for your campaigns and update the data sources.

Shoutouts

Big shoutout to Raphael Mudge for constantly improving on the malleable profile feature set and the documentation to learn about it. Also, huge thanks to @killswitch-GUI for his script that automates LetsEncrypt cert generation for CS team servers. Finally, two blog posts that made life so much easier: @bluescreenofjeff's post (https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) and Joe Vest's post (https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b).

Version Changelog

Version 1.0

  • Public version of FortyNorth Security's internal tool.
  • Added support for CS 4.0 (specifically multiple HTTP variants)
  • Updated README.md
