Cobalt Strike Malleable C2 Design and Reference Guide

This project is intended to serve as reference when designing Cobalt Strike Malleable C2 profiles.

Always verify your profile with ./c2lint [/path/to/my.profile] prior to use!

Malleable C2 Profile Guidance

The following guidance dives deeper into the details of Malleable C2.

Changelog

20231017 - Updated for CS 4.9

  • Added 4.9 reference profile
  • Updated MalleableExplained.md with new 4.9 options
    • post-ex.cleanup
    • .http-beacon.library

20230801 - Updated for CS 4.8

  • Added 4.8 reference profile
  • Updated MalleableExplained.md with new 4.8 options
    • stage.syscall_method

20221022 - Updated for CS 4.7

  • Added 4.7 reference profile
  • Updated MalleableExplained.md with 4.7 considerations

20220421 - Updated for CS 4.6

  • Added 4.6 reference profile
  • No more '1MB' limit
  • Updated MalleableExplained.md with 4.6 considerations

202112 - Updated for CS 4.5

  • Added 4.5 reference profile
  • Updated MalleableExplained.md with 4.5 considerations

202108 - Added MalleableExplained.md

202103 - Add CS 4.3 Reference Profile

  • Add latest Malleable C2 profile options for Cobalt Strike 4.3
  • Moved DNS settings to the new dns-beacon section
  • 4.3 Additions
    • dns-beacon
      • beacon
      • get_A
      • get_AAAA
      • get_TXT
      • put_metadata
      • put_output
      • ns_response
    • http-config
      • block_useragents

202011 - Add CS 4.2 Reference Profile

  • Add latest MalleablePE and MalleableC2 options for Cobalt Strike 4.1 and 4.2
  • 4.1 Additions: tcp_frame_header, smb_frame_header, ssh_banner
  • 4.2 Additions:
    • global
      • data_jitter
      • headers_remove
      • ssh_pipename
    • postex
      • pipename
      • thread_hint
      • keylogger
    • stage
      • allocator
      • magic_mz_86|magic_mz_64
      • magic_pe

202003 - CS 4.0 Reference Profile

  • Add CS 4.0 reference profile of available Malleable C2 options
  • Remove deprecated features (amsi_disable, the disable settings for process injection techniques, etc.)

Authors

  • @joevest
  • @001SPARTaN
  • @andrewchiles
  • @Charles-Foster-Kane

License

This project and all individual scripts are under the GNU GPL v3.0 license.