Home

Awesome

goMalleable

PkgGoDev License: MIT Go Report Card Test CodeQL

🔎🪲 Malleable C2 profiles parser and assembler library written in golang

Latest supported CobaltStrike version: 4.9.1

Table of Contents

  1. WARNING
  2. Installation
  3. Usage
    1. Parse
    2. Assembly
  4. Examples
  5. TODO

WARNING

goMalleable treats you as a consenting adult and assumes you know how to write Malleable C2 Profiles. It's able to detect syntax errors, however there are no runtime checks implemented. It'll gladly generate profiles that don't actually work in production if instructed to do so. Always run the generated profiles through c2lint before using them in production!

Installation

Package can be installed with:

go get github.com/D00Movenok/goMalleable@v1

Usage

Parse

Function Parse parses Malleable profile string to easy-to-read structure. Full example Link.

package main

import (
    "os"
    malleable "github.com/D00Movenok/goMalleable"
)

func main() {
    ...
    data, _ := os.Open("example.profile")
    parsed, _ := malleable.Parse(data)
    ...
}

Full definition of structure can be found here.

Assembly

You may print this structure as string to get Malleable profile file. Full example: Link.

fmt.Println(parsed)

Output:

...

set host_stage "false";
set jitter "33";
set tcp_frame_header "";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";

https-certificate {
    set CN "whatever.com";
    set L "California";
    set O "whatever LLC.";
    set OU "local.org";
    set ST "CA";
    set validity "365";
    set C "US";
}

...

Examples

LinkDescription
LinkExample of profile parsing
LinkExample of profile creation

TODO