C2Profile grammar
dissect.cobaltstrike utilizes the Lark parser for parsing and generating Cobalt Strike Malleable C2 Profiles.
The Lark grammar file to parse the Profile Language is defined in c2profile.lark and listed below for reference.
Note
Currently, the grammar implementation is pretty naive and could be improved upon. For example, the values are all STRING but could benefit from other types as well.
start: value*
?value: "set" OPTION string ";" -> option
| "http-config" "{" http_config_options* "}" -> http_config
| "https-certificate" variant? "{" https_certificate_options* "}" -> https_certificate
| "code-signer" "{" code_signer_options* "}" -> code_signer
| "http-stager" variant? "{" http_stager_options* "}" -> http_stager
| "http-get" variant? "{" http_get_options* "}" -> http_get
| "http-post" variant? "{" http_post_options* "}" -> http_post
| "stage" "{" stage_options* "}" -> stage
| "process-inject" "{" process_inject_options* "}" -> process_inject
| "post-ex" "{" postex_options* "}" -> post_ex
| "dns-beacon" "{" dns_beacon_options* "}" -> dns_beacon
| "http-beacon" "{" http_beacon_options* "}" -> http_beacon
OPTION: "sample_name"
| "data_jitter"
| "dns_idle"
| "dns_max_txt"
| "dns_sleep"
| "dns_stager_prepend"
| "dns_stager_subhost"
| "dns_ttl"
| "host_stage"
| "jitter"
| "maxdns"
| "pipename"
| "pipename_stager"
| "sleeptime"
| "smb_frame_header"
| "ssh_banner"
| "ssh_pipename"
| "tcp_frame_header"
| "tcp_port"
| "useragent"
| "spawnto" // deprecated since Cobalt Strike 3.6
| "spawnto_x86" // moved to post-ex since Cobalt Strike 3.14
| "spawnto_x64" // moved to post-ex since Cobalt Strike 3.14
| "amsi_disable" // moved to post-ex since Cobalt Strike 3.14
| "create_remote_thread" // deprecated since Cobalt Strike 3.12
| "hijack_remote_thread" // deprecated since Cobalt Strike 3.12
| "tasks_max_size" // introduced in Cobalt Strike 4.6
| "tasks_proxy_max_size" // introduced in Cobalt Strike 4.6
| "tasks_dns_proxy_max_size"// introduced in Cobalt Strike 4.6
http_config_options: "set" "headers" string ";" -> headers
| "header" string string ";" -> header
| "set" "trust_x_forwarded_for" string ";" -> trust_x_forwarded_for
| "set" "block_useragents" string ";" -> block_useragents
| "set" "allow_useragents" string ";" -> allow_useragents
http_stager_options: "set" "uri_x86" string ";" -> uri_x86
| "set" "uri_x64" string ";" -> uri_x64
| "client" "{" http_options* "}" -> client
| "server" "{" http_options* "}" -> server
http_options: "header" string string ";" -> header
| "parameter" string string ";" -> parameter
| "output" "{" data_transform* "}" -> output
data_transform: steps termination
steps: transform_statement*
termination: termination_statement ~ 1
transform_statement: "append" string ";" -> append
| "base64" ";" -> base64
| "base64url" ";" -> base64url
| "mask" ";" -> mask
| "netbios" ";" -> netbios
| "netbiosu" ";" -> netbiosu
| "prepend" string ";" -> prepend
termination_statement: "header" string ";" -> header
| "parameter" string ";" -> parameter
| "print" ";" -> print
| "uri-append" ";" -> uri_append
stage_transform: "prepend" string ";" -> prepend
| "append" string ";" -> append
| "strrep" string string ";" -> strrep
http_get_options: "set" "uri" string ";" -> uri
| "set" "verb" string ";" -> verb
| "client" "{" http_get_client_options* "}" -> client
| "server" "{" http_options* "}" -> server
http_get_client_options: "header" string string ";" -> header
| "set" "verb" string ";" -> verb
| "metadata" "{" data_transform* "}" -> metadata
| "id" "{" data_transform* "}" -> id
| "parameter" string string ";" -> parameter
| "output" "{" data_transform* "}" -> output
http_post_options: "set" "uri" string ";" -> uri
| "set" "verb" string ";" -> verb
| "client" "{" http_get_client_options* "}" -> client
| "server" "{" http_options* "}" -> server
https_certificate_options: "set" "C" string ";" -> country
| "set" "CN" string ";" -> common_name
| "set" "L" string ";" -> locality
| "set" "OU" string ";" -> org_unit
| "set" "O" string ";" -> org
| "set" "ST" string ";" -> state
| "set" "validity" string ";" -> validity
| "set" "keystore" string ";" -> keystore
| "set" "password" string ";" -> password
code_signer_options: "set" "keystore" string ";" -> keystore
| "set" "password" string ";" -> password
| "set" "alias" string ";" -> alias
| "set" "digest_algorithm" string ";" -> digest_algorithm
| "set" "timestamp" string ";" -> timestamp
| "set" "timestamp_url" string ";" -> timestamp_url
stage_options: "string" string ";" -> string
| "stringw" string ";" -> stringw
| "transform-x86" "{" stage_transform* "}" -> transform_x86
| "transform-x64" "{" stage_transform* "}" -> transform_x64
| "set" "allocator" string ";" -> allocator
| "set" "cleanup" string ";" -> cleanup
| "set" "magic_pe" string ";" -> magic_pe
| "set" "magic_mz_x86" string ";" -> magic_mz_x86
| "set" "magic_mz_x64" string ";" -> magic_mz_x64
| "set" "obfuscate" string ";" -> obfuscate
| "set" "sleep_mask" string ";" -> sleep_mask
| "set" "smartinject" string ";" -> smartinject
| "set" "stomppe" string ";" -> stomppe
| "set" "userwx" string ";" -> userwx
| "set" "compile_time" string ";" -> compile_time
| "set" "entry_point" string ";" -> entry_point
| "set" "module_x86" string ";" -> module_x86
| "set" "module_x64" string ";" -> module_x86
| "set" "image_size_x86" string ";" -> image_size_x86
| "set" "image_size_x64" string ";" -> image_size_x64
| "set" "name" string ";" -> name
| "set" "rich_header" string ";" -> rich_header
| "set" "checksum" string ";" -> checksum
| "set" "syscall_method" string ";" -> syscall_method // introduced in Cobalt Strike 4.8
| "set" "data_store_size" string ";" -> data_store_size // introduced in Cobalt Strike 4.9
| "beacon_gate" "{" beacon_gate_options* "}" -> beacon_gate // introduced in Cobalt Strike 4.10
process_inject_options: "set" "allocator" string ";" -> allocator
| "set" "min_alloc" string ";" -> min_alloc
| "set" "startrwx" string ";" -> startrwx
| "set" "userwx" string ";" -> userwx
| "transform-x86" "{" stage_transform* "}" -> transform_x86
| "transform-x64" "{" stage_transform* "}" -> transform_x64
| "execute" "{" execute_options* "}" -> execute
| "disable" string ";" -> disable
| "set" "bof_allocator" string ";" -> bof_allocator // introduced in Cobalt Strike 4.7
| "set" "bof_reuse_memory" string ";" -> bof_reuse_memory // introduced in Cobalt Strike 4.7
execute_options: "CreateThread" string ";" -> createthread_special
| "CreateRemoteThread" string ";" -> createremotethread_special
| "CreateThread" ";" -> createthread
| "CreateRemoteThread" ";" -> createremotethread
| "NtQueueApcThread" ";" -> ntqueueapcthread
| "NtQueueApcThread-s" ";" -> ntqueueapcthread_s
| "RtlCreateUserThread" ";" -> rtlcreateuserthread
| "SetThreadContext" ";" -> setthreadcontext
beacon_gate_options: "None" ";" -> none
| "Comms" ";" -> comms
| "Core" ";" -> core
| "Cleanup" ";" -> cleanup
| "All" ";" -> all
| "InternetOpenA" ";" -> internetopena
| "InternetConnectA" ";" -> internetconnecta
| "VirtualAlloc" ";" -> virtualalloc
| "VirtualAllocEx" ";" -> virtualallocex
| "VirtualProtect" ";" -> virtualprotect
| "VirtualProtectEx" ";" -> virtualprotextex
| "VirtualFree" ";" -> virtualfree
| "GetThreadContext" ";" -> getthreadcontext
| "SetThreadContext" ";" -> setthreadcontext
| "ResumeThread" ";" -> resumethread
| "CreateThread" ";" -> createthread
| "CreateRemoteThread" ";" -> createremotethread
| "OpenProcess" ";" -> openprocess
| "OpenThread" ";" -> openthread
| "CloseHandle" ";" -> closehandle
| "CreateFileMappingA" ";" -> createfilemappinga
| "MapViewOfFile" ";" -> mapviewoffile
| "UnmapViewOfFile" ";" -> unmapviewoffile
| "VirtualQuery" ";" -> virtualquery
| "DuplicateHandle" ";" -> duplicatehandle
| "ReadProcessMemory" ";" -> readprocessmemory
| "WriteProcessMemory" ";" -> writeprocessmemory
| "ExitThread" ";" -> exitthread
postex_options: "set" "spawnto_x86" string ";" -> spawnto_x86
| "set" "spawnto_x64" string ";" -> spawnto_x64
| "set" "obfuscate" string ";" -> obfuscate
| "set" "pipename" string ";" -> pipename
| "set" "smartinject" string ";" -> smartinject
| "set" "amsi_disable" string ";" -> amsi_disable
| "set" "keylogger" string ";" -> keylogger
| "set" "thread_hint" string ";" -> thread_hint
dns_beacon_options: "set" "dns_idle" string ";" -> dns_idle
| "set" "dns_max_txt" string ";" -> dns_max_txt
| "set" "dns_sleep" string ";" -> dns_sleep
| "set" "dns_ttl" string ";" -> dns_ttl
| "set" "maxdns" string ";" -> maxdns
| "set" "dns_stager_prepend" string ";" -> dns_stager_prepend
| "set" "dns_stager_subhost" string ";" -> dns_stager_subhost
| "set" "beacon" string ";" -> beacon
| "set" "get_A" string ";" -> get_a
| "set" "get_AAAA" string ";" -> get_aaaa
| "set" "get_TXT" string ";" -> get_txt
| "set" "put_metadata" string ";" -> put_metadata
| "set" "put_output" string ";" -> put_output
| "set" "ns_response" string ";" -> ns_response
| "#" "dns_resolver" string ";" -> comment_dns_resolver
http_beacon_options: "set" "library" string ";" -> library // introduced in Cobalt Strike 4.9
| "set" "data_required" string ";" -> data_required // introduced in Cobalt Strike 4.10
| "set" "data_required_length" string ";" -> data_required_length // introduced in Cobalt Strike 4.10
header: string
string: STRING
variant: string
STRING: "\"" /(.|\n)*?/ /(?<!\\)(\\\\)*?/ "\""
%import common.WS
%import common.SH_COMMENT
%import common.NEWLINE
%ignore WS
%ignore SH_COMMENT
%ignore NEWLINE