dissect.cobaltstrike.c2profile
This module is responsible for parsing and generating Cobalt Strike Malleable C2 profiles.
It uses the lark-parser library to parse the profile syntax defined in the c2profile.lark grammar file.
Attributes
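Classes
- StringIterator: Helper class for iterating over characters in a string
- ConfigBlock: Base class for configuration blocks
- HttpOptionsBlock: .http-{stager,get,post}.{client,server} block
- DataTransformBlock: data_transform block
- HttpStagerBlock: .http-stager block
- HttpConfigBlock: .http-config block
- StageBlock: .stage block
- StageTransformBlock: .stage.transform-x86 and .stage.transform-x64 block
- ProcessInjectBlock: .process-inject block
- HttpGetBlock: .http-get block
- HttpPostBlock: .http-post block
- PostExBlock: .post-ex block
- DnsBeaconBlock: .dns-beacon block
- HttpBeaconBlock: .http-beacon block
- ExecuteOptionsBlock: .process-inject.execute block
- BeaconGateBlock: .stage.beacon_gate block
- C2Profile: A C2Profile object represents a parsed Malleable C2 Profile
Functions
- value_to_string: Converts value to its STRING Token value
- string_token_to_bytes: Convert a STRING Token value to its native Python bytes value.
- Entrypoint for c2profile-dump.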
Module Contents
- dissect.cobaltstrike.c2profile.value_to_string(value: str | bytes) -> str
  Converts value to its STRING Token value.
- dissect.cobaltstrike.c2profile.string_token_to_bytes(token: lark.Token) -> lark.Token | bytes
  Convert a STRING Token value to its native Python bytes value.
  If the input is not of Token.type STRING, it will return the original Token.
- class dissect.cobaltstrike.c2profile.StringIterator(string: str)
  Helper class for iterating over characters in a string
- class dissect.cobaltstrike.c2profile.ConfigBlock(**kwargs)
  Base class for configuration blocks
- class dissect.cobaltstrike.c2profile.HttpOptionsBlock(**kwargs)
  Bases: ConfigBlock
  .http-{stager,get,post}.{client,server} block
- class dissect.cobaltstrike.c2profile.DataTransformBlock(steps=None)
  Bases: ConfigBlock
  data_transform block
- class dissect.cobaltstrike.c2profile.HttpStagerBlock(**kwargs)
  Bases: ConfigBlock
  .http-stager block
- class dissect.cobaltstrike.c2profile.HttpConfigBlock(**kwargs)
  Bases: ConfigBlock
  .http-config block
- class dissect.cobaltstrike.c2profile.StageBlock(**kwargs)
  Bases: ConfigBlock
  .stage block
- class dissect.cobaltstrike.c2profile.StageTransformBlock(**kwargs)
  Bases: ConfigBlock
  .stage.transform-x86 and .stage.transform-x64 block
- class dissect.cobaltstrike.c2profile.ProcessInjectBlock(**kwargs)
  Bases: ConfigBlock
  .process-inject block
- class dissect.cobaltstrike.c2profile.HttpGetBlock(**kwargs)
  Bases: ConfigBlock
  .http-get block
- class dissect.cobaltstrike.c2profile.HttpPostBlock(**kwargs)
  Bases: ConfigBlock
  .http-post block
- class dissect.cobaltstrike.c2profile.PostExBlock(**kwargs)
  Bases: ConfigBlock
  .post-ex block
- class dissect.cobaltstrike.c2profile.DnsBeaconBlock(**kwargs)
  Bases: ConfigBlock
  .dns-beacon block
- class dissect.cobaltstrike.c2profile.HttpBeaconBlock(**kwargs)
  Bases: ConfigBlock
  .http-beacon block
- class dissect.cobaltstrike.c2profile.ExecuteOptionsBlock(**kwargs)
  Bases: ConfigBlock
  .process-inject.execute block
- class dissect.cobaltstrike.c2profile.BeaconGateBlock(**kwargs)
  Bases: ConfigBlock
  .stage.beacon_gate block
- class dissect.cobaltstrike.c2profile.C2Profile(**kwargs)
  Bases: ConfigBlock
  A C2Profile object represents a parsed Malleable C2 Profile. Besides loading C2 Profiles, it also provides methods for building a C2 Profile from scratch.
  - set_option(option, value)
    Sets a global option in the AST tree. E.g.:
    set_option("jitter", "6000")
  - classmethod from_path(path: str | os.PathLike) -> C2Profile
    Construct a C2Profile from the given path (path to a Malleable C2 profile).
  - classmethod from_text(source: str) -> C2Profile
    Construct a C2Profile from text (Malleable C2 profile syntax).
  - classmethod from_beacon_config(config: dissect.cobaltstrike.beacon.BeaconConfig) -> C2Profile
    Construct a C2Profile from a BeaconConfig.