threatexpress/random_c2_profile threatexpress/random_c2_profile

  • Stars
    star
    583
  • Rank 76,133 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 3 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
threatexpress/random_c2_profile
github

threatexpress

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cobalt Strike random C2 Profile generator

Random C2 Profile Generator

Cobalt Strike random C2 Profile generator

Author: Joe Vest (@joevest)

Overview

This project is meant to quickly generate a random c2 profile. It is basically a Jinja template with random variables. The idea is to focus on randomization vs a cohesive set of values that support a specific threat actor.

Detailed Malleable C2 profile information can be found at https://github.com/threatexpress/malleable-c2/.

!! OPSEC warning using the default profile !!

The default template may not meet your OPSEC needs. Profiles should always be tweaked to meet your specific needs. You can create your own profile template for customization. Custom templates can be save in the templates directory. Copy the default template and modify as needed.

OPSEC WARNING: Highlights of the default profile you should be aware of before using

  • Staging is enabled by default. You should disable this.
  • The default does not support profile variants (see Profile Variants - https://www.cobaltstrike.com/help-malleable-c2)
  • URIs and DNS hosts are not fancy, they are built using a random words from a word list.
  • The process injection setting may not fit your OPSEC needs

Setup

This has been designed and tested with python3

Method 1: Keep your pythons separate and use pipenv (my prefered) - https://pipenv-fork.readthedocs.io/en/latest/basics.html

  • 1st, Install pipenv for your environment
  • 2nd, setup pipenv environment
pipenv --python 3.10
pipenv install
pipenv shell
python random_c2profile.py

Method 2: Via pip3 and the Pipfile

git clone https://github.com/threatexpress/random_c2_profile
cd random_c2_profile
pip3 install -p Pipfile
python3 random_c2profile.py

Generate some profiles

Generate profile from default template

python random_c2profile.py

===================================================================
 ___              _              ___ ___   ___          __ _ _     
| _ \__ _ _ _  __| |___ _ __    / __|_  ) | _ \_ _ ___ / _(_) |___ 
|   / _` | ' \/ _` / _ \ '  \  | (__ / /  |  _/ '_/ _ \  _| | / -_)
|_|_\__,_|_||_\__,_\___/_|_|_|  \___/___| |_| |_| \___/_| |_|_\___|
Cobalt Strike random C2 Profile generator
Joe Vest (@joevest) - 2021
===================================================================

[*] Generating Cobalt Strike Malleable C2 Profile
    Version : 4.7
    template: templates/default_c2profile_template.jinja
[*] Done. Don't forget to validate with c2lint. 
[*] Profile saved to output/UBVOTUIW.profile

Generate profile from custom template

python random_c2profile.py --template templates/my_template.jinja

===================================================================
 ___              _              ___ ___   ___          __ _ _     
| _ \__ _ _ _  __| |___ _ __    / __|_  ) | _ \_ _ ___ / _(_) |___ 
|   / _` | ' \/ _` / _ \ '  \  | (__ / /  |  _/ '_/ _ \  _| | / -_)
|_|_\__,_|_||_\__,_\___/_|_|_|  \___/___| |_| |_| \___/_| |_|_\___|
Cobalt Strike random C2 Profile generator
Joe Vest (@joevest) - 2021
===================================================================

[*] Generating Cobalt Strike Malleable C2 Profile
    Version : 4.7
    template: templates/my_template.jinja
[*] Done. Don't forget to validate with c2lint. 
[*] Profile saved to output/NSJOTVMN.profile

File Descriptions

File Description
c2profile_template.jinja Base template for a c2 profile
variable.py Mapping of python variables to variables used in jinja template. Modify these as you need.
functions.py contains logic for generating data used in a profile. Additional functions can be added and used in a custom profile template.
html_contents.py contains a set of html code used to inject 'random' data into a profile

References

Magic MZ

Word list source

Change Log

Note: Get change log from git using git log --pretty=format:" - %cd - %cn : %s"

  • Thu Jan 5 15:14:34 2023 -0600 - vestjoe : Update readme
  • Thu Jan 5 15:11:23 2023 -0600 - vestjoe : fix for issue https://github.com/threatexpress/random_c2_profile/issu es/12
  • Sat Dec 10 17:01:14 2022 -0600 - GitHub : Merge pull request #11 from threatexpress/custom_profile
  • Sat Dec 10 16:57:34 2022 -0600 - vestjoe : update readme
  • Sat Dec 10 16:54:22 2022 -0600 - vestjoe : add ability to load custom profile template
  • Sat Dec 10 15:43:19 2022 -0600 - vestjoe : updated readme about OPSEC, fixed dependency versions, updated pipenv usage instructions
  • Tue Dec 6 13:24:00 2022 -0600 - vestjoe : update readme
  • Tue Dec 6 13:20:54 2022 -0600 - GitHub : Merge pull request #10 from threatexpress/4.7
  • Tue Dec 6 13:17:17 2022 -0600 - vestjoe : Added 4.7 profile settings, Removed old HTML content template, Added new HTML content template to html_content.py
  • Wed Jun 22 11:58:22 2022 -0500 - GitHub : Merge pull request #6 from Maleick/main
  • Wed Jun 22 11:57:47 2022 -0500 - GitHub : Merge pull request #5 from ceramic-skate0/patch-1
  • Wed Jun 22 11:43:07 2022 -0500 - Maleick : Add Cobalt Strike version variable
  • Mon May 23 13:03:28 2022 -0400 - GitHub : Update readme.md
  • Wed Apr 20 18:44:19 2022 -0500 - GitHub : Merge pull request #4 from threatexpress/cs4.6
  • Wed Apr 20 18:36:29 2022 -0500 - vestjoe : cs4.6 updates
  • Fri Dec 17 13:44:45 2021 -0600 - vestjoe : update for CS 4.5
  • Fri Dec 17 13:26:30 2021 -0600 - GitHub : Merge pull request #2 from Pernat1y/patch-1
  • Sat Sep 11 14:43:27 2021 +0300 - GitHub : Updated readme
  • Mon Aug 30 06:07:18 2021 -0500 - vestjoe : added 4.4 tweaks
  • Mon Aug 30 06:01:47 2021 -0500 - vestjoe : silly bug
  • Thu Aug 26 12:06:33 2021 -0500 - vestjoe : tweaks to DNS settings, host must be lowercase, adjusted dns_sleep options
  • Mon Aug 23 12:50:47 2021 -0500 - vestjoe : Updated for CS 4.4 and added magic mz options
  • Thu May 6 20:05:33 2021 -0500 - vestjoe : fix
  • Thu Apr 29 11:47:00 2021 -0500 - vestjoe : update spawnto to better match x64 and x86 across mutiple version of Windows
  • Wed Apr 28 13:55:57 2021 -0500 - vestjoe : better compatibility
  • Sat Apr 3 15:51:24 2021 -0500 - vestjoe : updated
  • Sat Apr 3 15:49:52 2021 -0500 - vestjoe : updated
  • Sat Apr 3 15:26:49 2021 -0500 - vestjoe : initial

More Repositories

1

malleable-c2

Cobalt Strike Malleable C2 Design and Reference Guide
1,434
star
2

domainhunter

Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names
Python
1,418
star
3

red-team-scripts

A collection of Red Team focused tools, scripts, and notes
PowerShell
1,092
star
4

cs2modrewrite

Convert Cobalt Strike profiles to modrewrite scripts
Python
565
star
5

metatwin

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.
HTML
313
star
6

tinyshell

Python
161
star
7

aggressor-scripts

Cobalt Strike Aggressor Scripts
JavaScript
137
star
8

pasties

A collection of random bits of information common to many individual penetration tests, red teams, and other assessments
Shell
106
star
9

subshell

SubShell is a python command shell used to control and execute commands through HTTP requests to a webshell. SubShell acts as the interface to the remote webshells.
Python
73
star
10

threatbox

ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed a natural evolution.
Smarty
69
star
11

invoke-pipeshell

SMB Named Pipe shell
PowerShell
62
star
12

portplow

PortPlow is a distributed port and system scanning & enumeration service. It enables the quick and automated enumeration of ports and services from multiple systems managed by a central console.
JavaScript
53
star
13

edc

Event Data Collector
Python
34
star
14

mythic2modrewrite

Generate Apache mod_rewrite rules for Mythic C2 profiles
Python
25
star
15

threat-mitigation

Threat Mitigation Strategies
22
star
16

procdot_sandbox

ProcDot Malware Sandbox
Python
19
star
17

cobaltstrike_payload_generator

Quickly generate every payload type for each listener and optionally host via HTTP.
13
star
18

threatexpress

HTML
11
star
19

redteamguide

Home of https://redteam.guide
JavaScript
9
star
20

tools

Tools
1
star