Skip to content

🔎🪲 Malleable C2 profiles parser and assembler written in golang

License

Notifications You must be signed in to change notification settings

D00Movenok/goMalleable

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

goMalleable

PkgGoDev License: MIT Go Report Card Test CodeQL

🔎🪲 Malleable C2 profiles parser and assembler library written in golang

Latest supported CobaltStrike version: 4.9.1

Table of Contents

  1. WARNING
  2. Installation
  3. Usage
    1. Parse
    2. Assembly
  4. Examples
  5. TODO

WARNING

goMalleable treats you as a consenting adult and assumes you know how to write Malleable C2 Profiles. It's able to detect syntax errors, however there are no runtime checks implemented. It'll gladly generate profiles that don't actually work in production if instructed to do so. Always run the generated profiles through c2lint before using them in production!

Installation

Package can be installed with:

go get github.com/D00Movenok/goMalleable@v1

Usage

Parse

Function Parse parses Malleable profile string to easy-to-read structure. Full example Link.

package main

import (
    "os"
    malleable "github.com/D00Movenok/goMalleable"
)

func main() {
    ...
    data, _ := os.Open("example.profile")
    parsed, _ := malleable.Parse(data)
    ...
}

Full definition of structure can be found here.

Assembly

You may print this structure as string to get Malleable profile file. Full example: Link.

fmt.Println(parsed)

Output:

...

set host_stage "false";
set jitter "33";
set tcp_frame_header "";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";

https-certificate {
    set CN "whatever.com";
    set L "California";
    set O "whatever LLC.";
    set OU "local.org";
    set ST "CA";
    set validity "365";
    set C "US";
}

...

Examples

Link Description
Link Example of profile parsing
Link Example of profile creation

TODO

  • Use map[Name]Type instead of []Type with Name field