c2profile-dump

The c2profile-dump command parses and dumps Malleable C2 profiles. It is mainly useful for debugging the parsed AST. To extract information programmatically, use the Python library directly.

$ c2profile-dump /path/to/profile.c2

To load from a beacon and dump as properties:

$ c2profile-dump -b <beacon> -t properties

If the command is not in your path, you can also run it as a Python module:

$ python -m dissect.cobaltstrike.c2profile --help

c2profile-dump - CLI interface

c2profile-dump [-h] [-b] [-a] [-t {pretty,ast,c2profile,properties}] [-v] FILE

c2profile-dump positional arguments

  • FILE - c2 profile or beacon to dump (default: None)

c2profile-dump options

  • -h, --help - show this help message and exit

  • -b, --beacon - input is a beacon instead of a .profile file

  • -a, --all - when using --beacon, try all xor keys when default ones fail

  • -t TYPE, --type TYPE - output format (default: pretty)

  • -v, --verbose - verbosity level (-v for INFO, -vv for DEBUG) (default: 0)
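
What the key search behind -a/--all amounts to, as an added Python sketch that is not dissect.cobaltstrike's own code. It assumes the commonly reported single-byte default keys 0x69 and 0x2e and a config that opens with setting 1 stored as a 2-byte short; find_config, decode_settings and sample_blob are hypothetical names, and the blob is constructed.

```python
import struct

# Assumption: single-byte keys commonly reported for beacon configs (3.x, 4.x).
DEFAULT_XOR_KEYS = (0x69, 0x2E)
# Assumption: a decoded config opens with setting 1, type 1 (short), length 2.
CONFIG_MARKER = struct.pack(">HHH", 1, 1, 2)


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes, try_all: bool = False):
    """Return (key, offset) of the XOR-encoded config marker, or None."""
    keys = list(DEFAULT_XOR_KEYS)
    if try_all:  # the idea behind -a: fall back to every single-byte key
        keys += [k for k in range(256) if k not in DEFAULT_XOR_KEYS]
    for key in keys:
        offset = blob.find(xor(CONFIG_MARKER, key))
        if offset != -1:
            return key, offset
    return None


def decode_settings(blob: bytes, key: int, offset: int, count: int = 2):
    """Decode `count` records of index(u16) type(u16) length(u16) value."""
    data, pos, settings = xor(blob[offset:], key), 0, []
    for _ in range(count):
        index, _kind, length = struct.unpack_from(">HHH", data, pos)
        value = data[pos + 6 : pos + 6 + length]
        settings.append((index, int.from_bytes(value, "big")))
        pos += 6 + length
    return settings


def sample_blob(key: int) -> bytes:
    """Constructed sample: 16 filler bytes, then two encoded settings."""
    config = struct.pack(">HHHH", 1, 1, 2, 8) + struct.pack(">HHHH", 2, 1, 2, 443)
    return b"\x90" * 16 + xor(config, key)


if __name__ == "__main__":
    blob = sample_blob(0x5A)  # encoded with a non-default key
    print(find_config(blob))  # default keys only
    hit = find_config(blob, try_all=True)  # exhaustive search
    print(hit, decode_settings(blob, *hit))
```

A marker match is only a candidate: a real parser should also check that the decoded records carry sane types and lengths before trusting the key.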