dissect.cobaltstrike.c2profile

This module is responsible for parsing and generating Cobalt Strike Malleable C2 profiles. It uses the lark-parser library for parsing the syntax using the c2profile.lark grammar file.

Module Contents

Classes

StringIterator	Helper class for iterating over characters in a string
ConfigBlock	Base class for configuration blocks
HttpOptionsBlock	.http-{stager,get,post}.{client,server} block
DataTransformBlock	data_transform block
HttpStagerBlock	.http-stager block
HttpConfigBlock	.http-config block
StageBlock	.stage block
StageTransformBlock	.stage.transform-x86 and .stage.transform-x64 block
ProcessInjectBlock	.process-inject block
HttpGetBlock	.http-get block
HttpPostBlock	.http-post block
PostExBlock	.post-ex block
DnsBeaconBlock	.dns-beacon block
ExecuteOptionsBlock	.process-inject.execute block
C2Profile	A C2Profile object represents a parsed Malleable C2 Profile

Functions

value_to_string(→ str)	Converts value to it's STRING Token value
string_token_to_bytes(→ Union[lark.Token, bytes])	Convert a STRING Token value to it's native Python bytes value.
build_parser()
main()	Entrypoint for c2profile-dump.

Attributes

logger
c2profile_parser

dissect.cobaltstrike.c2profile.logger

dissect.cobaltstrike.c2profile.c2profile_parser

dissect.cobaltstrike.c2profile.value_to_string(value: str | bytes) → str

Converts value to it’s STRING Token value

dissect.cobaltstrike.c2profile.string_token_to_bytes(token: lark.Token) → lark.Token | bytes

Convert a STRING Token value to it’s native Python bytes value.

If the input is not of Token.type STRING it will return the original Token.

class dissect.cobaltstrike.c2profile.StringIterator(string: str)

Helper class for iterating over characters in a string

has_next(count: int = 1) → bool

next(count: int) → List[str]

__iter__()

__next__()

class dissect.cobaltstrike.c2profile.ConfigBlock(**kwargs)

Base class for configuration blocks

__name__ = 'ConfigBlock'

init_kwargs(**kwargs)

set_config_block(option, config_block)

set_non_empty_config_block(option, config_block)

set_option(option, value)

_pair(option, value)

_enable(option, value)

_header(option, value)

_parameter(option, value)

class dissect.cobaltstrike.c2profile.HttpOptionsBlock(**kwargs)

Bases: ConfigBlock

.http-{stager,get,post}.{client,server} block

__name__ = 'http_options'

header

parameter

class dissect.cobaltstrike.c2profile.DataTransformBlock(steps=None)

Bases: ConfigBlock

data_transform block

property tree

__name__ = 'DataTransformBlock'

add_step(option, value)

add_termination(option, value)

class dissect.cobaltstrike.c2profile.HttpStagerBlock(**kwargs)

Bases: ConfigBlock

.http-stager block

__name__ = 'http_stager'

class dissect.cobaltstrike.c2profile.HttpConfigBlock(**kwargs)

Bases: ConfigBlock

.http-config block

__name__ = 'http_config'

header

class dissect.cobaltstrike.c2profile.StageBlock(**kwargs)

Bases: ConfigBlock

.stage block

__name__ = 'stage'

class dissect.cobaltstrike.c2profile.StageTransformBlock(**kwargs)

Bases: ConfigBlock

.stage.transform-x86 and .stage.transform-x64 block

__name__ = 'StageTransformBlock'

strrep

class dissect.cobaltstrike.c2profile.ProcessInjectBlock(**kwargs)

Bases: ConfigBlock

.process-inject block

__name__ = 'process_inject'

class dissect.cobaltstrike.c2profile.HttpGetBlock(**kwargs)

Bases: ConfigBlock

.http-get block

__name__ = 'http_get'

class dissect.cobaltstrike.c2profile.HttpPostBlock(**kwargs)

Bases: ConfigBlock

.http-post block

__name__ = 'http_post'

class dissect.cobaltstrike.c2profile.PostExBlock(**kwargs)

Bases: ConfigBlock

.post-ex block

__name__ = 'post_ex'

class dissect.cobaltstrike.c2profile.DnsBeaconBlock(**kwargs)

Bases: ConfigBlock

.dns-beacon block

__name__ = 'dns_beacon'

class dissect.cobaltstrike.c2profile.ExecuteOptionsBlock(**kwargs)

Bases: ConfigBlock

.process-inject.execute block

__name__ = 'ExecuteOptionsBlock'

createthread_special

createremotethread_special

createthread

createremotethread

ntqueueapcthread

ntqueueapcthread_s

rtlcreateuserthread

setthreadcontext

classmethod from_execute_list(execute_list=None)

class dissect.cobaltstrike.c2profile.C2Profile(**kwargs)

Bases: ConfigBlock

A C2Profile object represents a parsed Malleable C2 Profile

Besides loading C2 Profiles, it also provides methods for building a C2 Profile from scratch.

property properties

C2 Profile settings as dictionary, alias for as_dict()

__name__ = 'start'

set_option(option, value)

Sets a global option in the AST tree. E.g: set_option("jitter", "6000")

classmethod from_path(path: str | os.PathLike) → C2Profile

Construct a C2Profile from given path (path to a malleable C2 profile)

classmethod from_text(source: str) → C2Profile

Construct a C2Profile from text (malleable C2 profile syntax)

classmethod from_beacon_config(config: dissect.cobaltstrike.beacon.BeaconConfig) → C2Profile

Construct a C2Profile from a BeaconConfig

__str__() → str

Return str(self).

as_text() → str

Return the C2 Profile settings as text (malleable C2 profile syntax).

as_dict() → dict

Return the C2 Profile settings as a dictionary

dissect.cobaltstrike.c2profile.build_parser()

dissect.cobaltstrike.c2profile.main()

Entrypoint for c2profile-dump.