Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

Emacs Lisp

Swift

OCaml

Solidity

Go

Erlang

Zig

Clojure

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

Java

Kotlin

JavaScript

Zig

Nix

Elm

C#

F#

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇺🇸 United States

🇪🇨 Ecuador

🇱🇻 Latvia

🇩🇲 Dominica

🇲🇿 Mozambique

🇻🇦 Vatican City

🇭🇹 Haiti

🇹🇷 Turkey

All Countries Compare Countries

threatexpress/malleable-c2

Stars
1,434
Rank 32,601 (Top 0.7 %)
Language
License
GNU General Publi...
Created about 6 years ago
Updated 9 months ago

threatexpress/malleable-c2

threatexpress

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Cobalt Strike Malleable C2 Design and Reference Guide

Cobalt Strike Malleable C2 Design and Reference Guide

This project is intended to serve as reference when designing Cobalt Strike Malleable C2 profiles.

Always verify your profile with ./c2lint [/path/to/my.profile] prior to use!

Malleable C2 Profile Guidance

The following dive deeper into the understanding of Malleable C2

MalleableExplained.md : Quick profile reference guide
ThreatExpress - A Deep Dive into Cobalt Strike Malleable C2 : Orignal blog post the where the jquery reference profile was created
Understanding Cobalt Strike Profiles : Revised (current) blog on profile guidance
Random Profile Generator : Profile generator with more examples and options for settings

Changelog

20221022 - Updated for CS 4.7

Added 4.7 reference profile
Updated MalleableExplained.md with 4.7 considerations

20220421 - Updated for CS 4.6

Added 4.6 reference profile
No more '1MB' limit
- Add section "Task and Proxy Max Size" with new options
  - set tasks_max_size "1048576";
  - set tasks_proxy_max_size "921600";
  - set tasks_dns_proxy_max_size "71680";
- Additional Considerations for the 'task_' Settings
Updated MalleableExplained.md with 4.6 considerations

202112 - Updated for CS 4.5

Added 4.5 reference profile
Updated MalleableExplained.md with 4.5 considerations

202108 - Added MalleableExplained.md

Reference from Andy Gill (@ZephrFish)
Reference blog: https://blog.zsec.uk/cobalt-strike-profiles/

202103 - Add CS 4.3 Reference Profile

Add latest Malleable C2 profile options for Cobalt Strike 4.3
Moved dns settings to new dns-beacon section
4.3 Additions
- dns-beacon
  - beacon
  - get_A
  - get_AAAA
  - get_TXT
  - put_metadata
  - put_output
  - ns_response
- http-config
  - block_useragents

202011 - Add CS 4.2 Reference Profile

Add latest MalleablePE and MalleableC2 options for Cobalt Strike 4.1 and 4.2
4.1 Additions: tcp_frame_header, smb_frame_header, ssh_banner
4.2 Additions:
- global
  - data_jitter
  - headers_remove
  - ssh_pipename
- postex
  - pipename
  - thread_hint
  - keylogger
- stage
  - allocator
  - magic_mz_86|magic_mz_64
  - magic_pe

202003 - CS 4.0 Reference Profile

Add CS4.0 reference profile of available malleable C2 options
Remove deprecated features (amsi_disable, disable for process injection techniques, etc)

Authors

@joevest
@001SPARTaN
@andrewchiles
@Charles-Foster-Kane

License

This project and all individual scripts are under the GNU GPL v3.0 license.

domainhunter

Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names

red-team-scripts

A collection of Red Team focused tools, scripts, and notes

random_c2_profile

Cobalt Strike random C2 Profile generator

cs2modrewrite

Convert Cobalt Strike profiles to modrewrite scripts

metatwin

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.

tinyshell

aggressor-scripts

Cobalt Strike Aggressor Scripts

pasties

A collection of random bits of information common to many individual penetration tests, red teams, and other assessments

subshell

SubShell is a python command shell used to control and execute commands through HTTP requests to a webshell. SubShell acts as the interface to the remote webshells.

threatbox

ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed a natural evolution.

invoke-pipeshell

SMB Named Pipe shell

portplow

PortPlow is a distributed port and system scanning & enumeration service. It enables the quick and automated enumeration of ports and services from multiple systems managed by a central console.

edc

Event Data Collector

mythic2modrewrite

Generate Apache mod_rewrite rules for Mythic C2 profiles

threat-mitigation

Threat Mitigation Strategies

procdot_sandbox

ProcDot Malware Sandbox

cobaltstrike_payload_generator

Quickly generate every payload type for each listener and optionally host via HTTP.

threatexpress

redteamguide

Home of https://redteam.guide

tools