dissect.cobaltstrike.c2profile
==============================

.. py:module:: dissect.cobaltstrike.c2profile

.. autoapi-nested-parse::

   This module is responsible for parsing and generating Cobalt Strike Malleable C2 profiles.
   It uses the `lark-parser` library for parsing the syntax using the ``c2profile.lark`` grammar file.

Attributes
----------

.. autoapisummary::

   dissect.cobaltstrike.c2profile.logger
   dissect.cobaltstrike.c2profile.c2profile_parser

Classes
-------

.. autoapisummary::

   dissect.cobaltstrike.c2profile.StringIterator
   dissect.cobaltstrike.c2profile.ConfigBlock
   dissect.cobaltstrike.c2profile.HttpOptionsBlock
   dissect.cobaltstrike.c2profile.DataTransformBlock
   dissect.cobaltstrike.c2profile.HttpStagerBlock
   dissect.cobaltstrike.c2profile.HttpConfigBlock
   dissect.cobaltstrike.c2profile.StageBlock
   dissect.cobaltstrike.c2profile.StageTransformBlock
   dissect.cobaltstrike.c2profile.ProcessInjectBlock
   dissect.cobaltstrike.c2profile.HttpGetBlock
   dissect.cobaltstrike.c2profile.HttpPostBlock
   dissect.cobaltstrike.c2profile.PostExBlock
   dissect.cobaltstrike.c2profile.DnsBeaconBlock
   dissect.cobaltstrike.c2profile.HttpBeaconBlock
   dissect.cobaltstrike.c2profile.ExecuteOptionsBlock
   dissect.cobaltstrike.c2profile.BeaconGateBlock
   dissect.cobaltstrike.c2profile.C2Profile

Functions
---------

.. autoapisummary::

   dissect.cobaltstrike.c2profile.value_to_string
   dissect.cobaltstrike.c2profile.string_token_to_bytes
   dissect.cobaltstrike.c2profile.build_parser
   dissect.cobaltstrike.c2profile.main

Module Contents
---------------

.. py:data:: logger

.. py:data:: c2profile_parser

.. py:function:: value_to_string(value: Union[str, bytes]) -> str

   Converts value to its STRING Token value.

.. py:function:: string_token_to_bytes(token: lark.Token) -> Union[lark.Token, bytes]

   Convert a STRING Token value to its native Python bytes value.
   If the input is not of Token.type STRING, the original Token is returned.

.. py:class:: StringIterator(string: str)

   Helper class for iterating over characters in a string.

   .. py:attribute:: buffer
      :type: List[str]

   .. py:attribute:: index
      :type: int
      :value: 0

   .. py:method:: has_next(count: int = 1) -> bool

   .. py:method:: next(count: int) -> List[str]

   .. py:method:: __iter__()

   .. py:method:: __next__()

.. py:class:: ConfigBlock(**kwargs)

   Base class for configuration blocks.

   .. py:attribute:: __name__
      :value: 'ConfigBlock'

   .. py:attribute:: tree

   .. py:method:: init_kwargs(**kwargs)

   .. py:method:: set_config_block(option, config_block)

   .. py:method:: set_non_empty_config_block(option, config_block)

   .. py:method:: set_option(option, value)

   .. py:method:: _pair(option, value)

   .. py:method:: _enable(option, value)

   .. py:method:: _header(option, value)

   .. py:method:: _parameter(option, value)

.. py:class:: HttpOptionsBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.http-{stager,get,post}.{client,server}` block

   .. py:attribute:: __name__
      :value: 'http_options'

   .. py:attribute:: header

   .. py:attribute:: parameter

.. py:class:: DataTransformBlock(steps=None)

   Bases: :py:obj:`ConfigBlock`

   data_transform block

   .. py:attribute:: __name__
      :value: 'DataTransformBlock'

   .. py:property:: tree

   .. py:attribute:: steps
      :value: []

   .. py:attribute:: termination
      :value: []

   .. py:method:: add_step(option, value)

   .. py:method:: add_termination(option, value)

.. py:class:: HttpStagerBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.http-stager` block

   .. py:attribute:: __name__
      :value: 'http_stager'

.. py:class:: HttpConfigBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.http-config` block

   .. py:attribute:: __name__
      :value: 'http_config'

   .. py:attribute:: header

.. py:class:: StageBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.stage` block

   .. py:attribute:: __name__
      :value: 'stage'

.. py:class:: StageTransformBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.stage.transform-x86` and `.stage.transform-x64` block

   .. py:attribute:: __name__
      :value: 'StageTransformBlock'

   .. py:attribute:: strrep

.. py:class:: ProcessInjectBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.process-inject` block

   .. py:attribute:: __name__
      :value: 'process_inject'

.. py:class:: HttpGetBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.http-get` block

   .. py:attribute:: __name__
      :value: 'http_get'

.. py:class:: HttpPostBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.http-post` block

   .. py:attribute:: __name__
      :value: 'http_post'

.. py:class:: PostExBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.post-ex` block

   .. py:attribute:: __name__
      :value: 'post_ex'

.. py:class:: DnsBeaconBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.dns-beacon` block

   .. py:attribute:: __name__
      :value: 'dns_beacon'

.. py:class:: HttpBeaconBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.http-beacon` block

   .. py:attribute:: __name__
      :value: 'http_beacon'

.. py:class:: ExecuteOptionsBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.process-inject.execute` block

   .. py:attribute:: __name__
      :value: 'ExecuteOptionsBlock'

   .. py:attribute:: createthread_special

   .. py:attribute:: createremotethread_special

   .. py:attribute:: createthread

   .. py:attribute:: createremotethread

   .. py:attribute:: ntqueueapcthread

   .. py:attribute:: ntqueueapcthread_s

   .. py:attribute:: rtlcreateuserthread

   .. py:attribute:: setthreadcontext

   .. py:method:: from_execute_list(execute_list=None)
      :classmethod:

.. py:class:: BeaconGateBlock(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   `.stage.beacon_gate` block

   .. py:attribute:: __name__
      :value: 'BeaconGateBlock'

   .. py:attribute:: none

   .. py:attribute:: comms

   .. py:attribute:: core

   .. py:attribute:: cleanup

   .. py:attribute:: all

   .. py:attribute:: internetopena

   .. py:attribute:: internetconnecta

   .. py:attribute:: virtualalloc

   .. py:attribute:: virtualallocex

   .. py:attribute:: virtualprotect

   .. py:attribute:: virtualprotextex

   .. py:attribute:: virtualfree

   .. py:attribute:: getthreadcontext

   .. py:attribute:: setthreadcontext

   .. py:attribute:: resumethread

   .. py:attribute:: createthread

   .. py:attribute:: createremotethread

   .. py:attribute:: openprocess

   .. py:attribute:: openthread

   .. py:attribute:: closehandle

   .. py:attribute:: createfilemappinga

   .. py:attribute:: mapviewoffile

   .. py:attribute:: unmapviewoffile

   .. py:attribute:: virtualquery

   .. py:attribute:: duplicatehandle

   .. py:attribute:: readprocessmemory

   .. py:attribute:: writeprocessmemory

   .. py:attribute:: exitthread

   .. py:method:: from_beacon_gate_option_strings(options: list[str])
      :classmethod:

.. py:class:: C2Profile(**kwargs)

   Bases: :py:obj:`ConfigBlock`

   A :class:`C2Profile` object represents a parsed Malleable C2 Profile.

   Besides loading C2 Profiles, it also provides methods for building a C2 Profile from scratch.

   .. py:attribute:: __name__
      :value: 'start'

   .. py:attribute:: _dict_cache

   .. py:attribute:: _dict_hash
      :value: None

   .. py:method:: set_option(option, value)

      Sets a global option in the AST tree. E.g.: ``set_option("jitter", "6000")``

   .. py:method:: from_path(path: Union[str, os.PathLike]) -> C2Profile
      :classmethod:

      Construct a :class:`C2Profile` from the given path (path to a malleable C2 profile).

   .. py:method:: from_text(source: str) -> C2Profile
      :classmethod:

      Construct a :class:`C2Profile` from text (malleable C2 profile syntax).

   .. py:method:: from_beacon_config(config: dissect.cobaltstrike.beacon.BeaconConfig) -> C2Profile
      :classmethod:

      Construct a :class:`C2Profile` from a :class:`~dissect.cobaltstrike.beacon.BeaconConfig`.

   .. py:method:: __str__() -> str

   .. py:method:: as_text() -> str

      Return the C2 Profile settings as text (malleable C2 profile syntax).

   .. py:method:: as_dict() -> dict

      Return the C2 Profile settings as a dictionary.

   .. py:property:: properties

      C2 Profile settings as dictionary, alias for :func:`~dissect.cobaltstrike.c2profile.C2Profile.as_dict`.

.. py:function:: build_parser()

.. py:function:: main()

   Entrypoint for c2profile-dump.