dissect.cobaltstrike.c2profile

This module is responsible for parsing and generating Cobalt Strike Malleable C2 profiles. It uses the lark-parser library to parse the profile syntax according to the c2profile.lark grammar file.

Attributes

logger

c2profile_parser

Classes

StringIterator

Helper class for iterating over characters in a string

ConfigBlock

Base class for configuration blocks

HttpOptionsBlock

.http-{stager,get,post}.{client,server} block

DataTransformBlock

data_transform block

HttpStagerBlock

.http-stager block

HttpConfigBlock

.http-config block

StageBlock

.stage block

StageTransformBlock

.stage.transform-x86 and .stage.transform-x64 block

ProcessInjectBlock

.process-inject block

HttpGetBlock

.http-get block

HttpPostBlock

.http-post block

PostExBlock

.post-ex block

DnsBeaconBlock

.dns-beacon block

HttpBeaconBlock

.http-beacon block

ExecuteOptionsBlock

.process-inject.execute block

BeaconGateBlock

.stage.beacon_gate block

C2Profile

A C2Profile object represents a parsed Malleable C2 Profile

Functions

value_to_string(→ str)

Converts value to its STRING Token value

string_token_to_bytes(→ Union[lark.Token, bytes])

Convert a STRING Token value to its native Python bytes value.

build_parser()

main()

Entrypoint for c2profile-dump.

Module Contents

dissect.cobaltstrike.c2profile.logger
dissect.cobaltstrike.c2profile.c2profile_parser
dissect.cobaltstrike.c2profile.value_to_string(value: str | bytes) → str

Converts value to its STRING Token value

dissect.cobaltstrike.c2profile.string_token_to_bytes(token: lark.Token) → lark.Token | bytes

Convert a STRING Token value to its native Python bytes value.

If the input is not of Token.type STRING, the original Token is returned unchanged.
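The two conversions described above, as an added stand-alone example (not the dissect.cobaltstrike library's own code): decoding a double-quoted Malleable C2 STRING token to bytes and encoding bytes back into a token that round-trips. The escape set handled (\\, \", \n, \r, \t, \xHH) and the UTF-8 treatment of non-ASCII text are assumptions, not taken from the page.

```python
# Added example, not dissect.cobaltstrike's own code: a stand-alone decoder and
# encoder for the double-quoted STRING tokens of Malleable C2 profile syntax, as
# the page describes for string_token_to_bytes() / value_to_string(). Assumed
# escape set (per Malleable C2 docs): \\ \" \n \r \t \xHH; non-ASCII assumed UTF-8.
import string
from typing import Union

_SIMPLE_ESCAPES = {"\\": b"\\", '"': b'"', "n": b"\n", "r": b"\r", "t": b"\t"}


def string_token_to_bytes(token: str) -> bytes:
    """Decode a quoted STRING token (quotes included) to the raw bytes it denotes."""
    if len(token) < 2 or token[0] != '"' or token[-1] != '"':
        raise ValueError("STRING token must be enclosed in double quotes")
    body, out, i = token[1:-1], bytearray(), 0
    while i < len(body):
        if body[i] != "\\":
            out += body[i].encode("utf-8")
            i += 1
            continue
        esc = body[i + 1 : i + 2]  # empty when the backslash ends the string
        if esc in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[esc]
            i += 2
        elif esc == "x":
            hexpart = body[i + 2 : i + 4]
            if len(hexpart) != 2 or not all(c in string.hexdigits for c in hexpart):
                raise ValueError(f"malformed \\x escape at offset {i}")
            out.append(int(hexpart, 16))
            i += 4
        else:
            raise ValueError(f"unknown or truncated escape at offset {i}")
    return bytes(out)


def value_to_string(value: Union[str, bytes]) -> str:
    """Encode bytes (or UTF-8 text) as a STRING token that round-trips byte for byte."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    reverse = {v[0]: "\\" + k for k, v in _SIMPLE_ESCAPES.items()}
    parts = [reverse[b] if b in reverse else chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}"
             for b in raw]
    return '"' + "".join(parts) + '"'


def is_valid_string_token(token: str) -> bool:
    # True if the token decodes cleanly; handy for validating untrusted profile input.
    try:
        string_token_to_bytes(token)
    except ValueError:
        return False
    return True
```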

class dissect.cobaltstrike.c2profile.StringIterator(string: str)

Helper class for iterating over characters in a string

buffer: List[str]
index: int = 0
has_next(count: int = 1) → bool
next(count: int) → List[str]
__iter__()
__next__()
class dissect.cobaltstrike.c2profile.ConfigBlock(**kwargs)

Base class for configuration blocks

__name__ = 'ConfigBlock'
tree
init_kwargs(**kwargs)
set_config_block(option, config_block)
set_non_empty_config_block(option, config_block)
set_option(option, value)
_pair(option, value)
_enable(option, value)
_header(option, value)
_parameter(option, value)
class dissect.cobaltstrike.c2profile.HttpOptionsBlock(**kwargs)

Bases: ConfigBlock

.http-{stager,get,post}.{client,server} block

__name__ = 'http_options'
header
parameter
class dissect.cobaltstrike.c2profile.DataTransformBlock(steps=None)

Bases: ConfigBlock

data_transform block

__name__ = 'DataTransformBlock'
property tree
steps = []
termination = []
add_step(option, value)
add_termination(option, value)
class dissect.cobaltstrike.c2profile.HttpStagerBlock(**kwargs)

Bases: ConfigBlock

.http-stager block

__name__ = 'http_stager'
class dissect.cobaltstrike.c2profile.HttpConfigBlock(**kwargs)

Bases: ConfigBlock

.http-config block

__name__ = 'http_config'
header
class dissect.cobaltstrike.c2profile.StageBlock(**kwargs)

Bases: ConfigBlock

.stage block

__name__ = 'stage'
class dissect.cobaltstrike.c2profile.StageTransformBlock(**kwargs)

Bases: ConfigBlock

.stage.transform-x86 and .stage.transform-x64 block

__name__ = 'StageTransformBlock'
strrep
class dissect.cobaltstrike.c2profile.ProcessInjectBlock(**kwargs)

Bases: ConfigBlock

.process-inject block

__name__ = 'process_inject'
class dissect.cobaltstrike.c2profile.HttpGetBlock(**kwargs)

Bases: ConfigBlock

.http-get block

__name__ = 'http_get'
class dissect.cobaltstrike.c2profile.HttpPostBlock(**kwargs)

Bases: ConfigBlock

.http-post block

__name__ = 'http_post'
class dissect.cobaltstrike.c2profile.PostExBlock(**kwargs)

Bases: ConfigBlock

.post-ex block

__name__ = 'post_ex'
class dissect.cobaltstrike.c2profile.DnsBeaconBlock(**kwargs)

Bases: ConfigBlock

.dns-beacon block

__name__ = 'dns_beacon'
class dissect.cobaltstrike.c2profile.HttpBeaconBlock(**kwargs)

Bases: ConfigBlock

.http-beacon block

__name__ = 'http_beacon'
class dissect.cobaltstrike.c2profile.ExecuteOptionsBlock(**kwargs)

Bases: ConfigBlock

.process-inject.execute block

__name__ = 'ExecuteOptionsBlock'
createthread_special
createremotethread_special
createthread
createremotethread
ntqueueapcthread
ntqueueapcthread_s
rtlcreateuserthread
setthreadcontext
classmethod from_execute_list(execute_list=None)
class dissect.cobaltstrike.c2profile.BeaconGateBlock(**kwargs)

Bases: ConfigBlock

.stage.beacon_gate block

__name__ = 'BeaconGateBlock'
none
comms
core
cleanup
all
internetopena
internetconnecta
virtualalloc
virtualallocex
virtualprotect
virtualprotextex
virtualfree
getthreadcontext
setthreadcontext
resumethread
createthread
createremotethread
openprocess
openthread
closehandle
createfilemappinga
mapviewoffile
unmapviewoffile
virtualquery
duplicatehandle
readprocessmemory
writeprocessmemory
exitthread
classmethod from_beacon_gate_option_strings(options: list[str])
class dissect.cobaltstrike.c2profile.C2Profile(**kwargs)

Bases: ConfigBlock

A C2Profile object represents a parsed Malleable C2 Profile

Besides loading C2 Profiles, it also provides methods for building a C2 Profile from scratch.

__name__ = 'start'
_dict_cache
_dict_hash = None
set_option(option, value)

Sets a global option in the AST tree, e.g. set_option("jitter", "6000").

classmethod from_path(path: str | os.PathLike) → C2Profile

Construct a C2Profile from the given path (path to a Malleable C2 profile file)

classmethod from_text(source: str) → C2Profile

Construct a C2Profile from text (Malleable C2 profile syntax)

classmethod from_beacon_config(config: dissect.cobaltstrike.beacon.BeaconConfig) → C2Profile

Construct a C2Profile from a BeaconConfig

__str__() → str
as_text() → str

Return the C2 Profile settings as text (Malleable C2 profile syntax).

as_dict() → dict

Return the C2 Profile settings as a dictionary

property properties

C2 Profile settings as a dictionary; alias for C2Profile.as_dict()

dissect.cobaltstrike.c2profile.build_parser()
dissect.cobaltstrike.c2profile.main()

Entrypoint for c2profile-dump.