Home

Awesome

<p align="center"> <img src="https://user-images.githubusercontent.com/5151193/110083243-b3f30700-7d4b-11eb-8b69-28116e5ea1c9.png" alt="pyMalleableC2" height=300 width=500/> </p>

pyMalleableC2

A Python interpreter for Cobalt Strike Malleable C2 profiles that allows you to parse, modify, build them programmatically and validate syntax.

Supports all of the Cobalt Strike Malleable C2 Profile grammar starting from Cobalt Strike version 4.3.

It's not backwards compatible with previous Cobalt Strike releases.

What are the differences between pyMalleableC2 and other projects of this nature?

  1. Parses profiles with Lark using eBNF notation. This approach is a lot more robust then user defined regexes, templating engines or similar methods.
  2. Turns profiles into an Abstract Syntax Tree (AST) which can then be reconstructed back into source code.
  3. Because of the above, pyMalleableC2 allows you to build profiles programmatically or modify them on the fly.
  4. Allows you to validate the syntax of Malleable C2 profiles (Does not perform runtime checks, see the warning below.)
  5. It has AI in the form of a lot of if statements.

Table of Contents

Installing

pyMalleableC2 was built using Python 3.9, however it should be backwards compatible up to Python 3.6.

Install using Pip:

🚨 WARNING 🚨

pyMalleableC2 treats you as a consenting adult and assumes you know how to write Malleable C2 Profiles. It's able to detect syntax errors, however there are no runtime checks implemented. It'll gladly generate profiles that don't actually work in production if instructed to do so. Always run the generated profiles through c2lint before using them in production!

(Technically you could build a Python version of c2lint using this library, *cough* PRs welcome *cough*)

Author

The primary author of pyMalleableC2 is Marcello Salvati

Twitter: @byt3bl33d3r, Github: @byt3bl33d3r

Examples

(See the examples folder for more)

Generate the AST for a Malleable C2 Profile located in a file, then reconstruct the source code from the AST:

from malleablec2 import Profile

# Parse a profile given its path
p = Profile.from_file("amazon.profile")

# Print the generated AST
print(p.ast.pretty())

# Reconstruct source code from the AST and print to console
print(p.reconstruct())

# Shortcut for the above :)
print(p)

Generate the AST for an 'inline' Malleable C2 Profile then reconstruct the source code from the AST:

code = '''
set jitter "0";
set sleeptime "3000";

http-get {
    set uri "/wow/this/is/cool";
}

http-post {
    set uri "/pymalleablec2/is/the/shit";
}
'''

# Parse a profile from a string
p = Profile.from_string(code)

# Print the generated AST
print(p.ast.pretty())

# Reconstruct source code from the AST and print to console
print(p)

Build a Malleable C2 profile programmatically from scratch:

from malleablec2 import Profile
from malleablec2.components import *

# Create an empty profile
p = Profile.from_scratch()

# Set some global options
p.set_option("sleeptime", "0")
p.set_option("jitter", "0")
p.set_option("pipename", "mojo__##")

# Create an http-get block
http_get = HttpGetBlock()
# Set the uri http-get option
http_get.set_option("uri", "/wat/a/tease")

# Create a client block
client = ClientBlock()
# Add a header statement to the client block
client.add_statement("header", "Accept", "*/*")

# Create a server block
server = ServerBlock()

# Add the client and server blocks to the http-get block
http_get.add_code_block(client)
http_get.add_code_block(server)

# Create a http-post block
http_post = HttpPostBlock()
# Set the uri http-post option
http_post.set_option("uri", "/wat/ucraycray")

# Add the http-get and http-post blocks to the profile
p.add_code_block(http_get)
p.add_code_block(http_post)

# Reconstruct source code from the generated AST and print to console
print(p)

Super simple example showing how to programmatically randomize a Malleable C2 Profile:

from malleablec2 import Profile
from malleablec2.randomizer import ProfileRandomizer
from lark import Token

class MyRandomizer(ProfileRandomizer):

    # We implement the global_option_set method which will get called on every parsed global option statement in the profile
    def global_option_set(self, tree):
        option_name = tree.children[0]

        if option_name == "pipename":
            # "Randomize" the pipename value
            tree.children[1].children[0] = Token('ESCAPED_STRING', '"my_random_pipename_##"')

# Parse a profile given its path
p = Profile.from_file("amazon.profile")

r = MyRandomizer()

# Walk through the generated profile AST and apply randomization rules
r.randomize(p)

# Reconstruct source code then output the profile to the console
print(p)