C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
git clone https://github.com/RedSiege/C2concealer.git
cd C2concealer
python3 -m venv .venv
source .venv/bin/activate
pip3 install -e .Refer to the Docker instructions
Usage:
$ C2concealer --hostname google.com --variant 3
Flags:
(optional)
--hostname
The hostname used in HTTP client and server side settings. Default is None.
--variant
An integer defining the number of HTTP client/server variants to generate.
Recommend between 1 and 5. Max 10.root@kali:~# C2concealer --variant 1 --hostname google.com
[i] Searching for the c2lint tool on your system (part of Cobalt Strike). Might take 10-20 seconds.
[i] Found c2lint in the /opt/cobaltstrike/c2lint directory.
Choose an SSL option:
1. Self-signed SSL cert (just input a few details)
2. LetsEncrypt SSL cert (requies a temporary A record for the relevant domain to be pointed to this machine)
3. Existing keystore
4. No SSL
[?] Option [1/2/3/4]:Tip: Always use an SSL certificate. Preferably a cert from LetsEncrypt or similar. Tip: HTTP Variants allow you to select different IOCs for http traffic on different beacons. Recommend a value of at least 1.
We pored over the Cobalt Strike documentation and defined ranges of values that would make sense for each profile attribute. Sometimes that data is as simple as a random integer within some range and other times we need to pick a random value from a Python dictionary. Either way, we started tool creation with defining the data that would make a valid profile.
Then we divided each malleable profile section (or block) into a separate .py file, which contains the logic to draw random appropriate values for each attribute and then output a formatted string for that profile block. We concatenate all profile blocks together, run a few quick consistency checks and then run the profile through the Cobalt Strike linter (c2lint). The output is a profile that should work for your engagements. We always recommend testing the profile (including process injection and spawning) prior to running a campaign.
If you're looking into the code, we recommend starting with these two files: /C2concealer/__main__.py and /C2concealer/profile.py. After reviewing the comments, check out individual profile block generators in the folder: /C2concealer/components.
This is crucial. This is an open source tool. Vendors can easily write signatures for the profiles it generates. While running the tool provides an excellent start for building a Cobalt Strike malleable profile, we recommend digging into the following areas to customize the data that is used to populate generated profiles:
/C2concealer/data/
- dns.py (customize the dns subdomains)
- file_type_prepend.py (customize how http-get-server responses look ... aka c2 control instructions)
- params.py (two dictionaries containing common parameter names and a generic wordlist)
- post_ex.py (spawn_to process list... definitely change this one)
- reg_headers.py (typical http headers like user-agent and server)
- smb.py (smb pipe names for use when comms go over smb)
- ssh.py (ssh pipe and banner names when using SSH beacons)
- stage.py (data for changing IOCs related to the stager)
- transform.py (payload data transformations...no need to change this)
- urls.py (filetypes and url path components used for building URIs all across the tool... definitely change this)
In addition, you can customize various attributes all throughout the profile generation process. As an example, in the file: /C2concealer/components/stageblock.py, you can change the range from which PE image size value is drawn from (near lines 73-74). Please look through all the different files in the components directory.
If you've made it this far, then we know you'll get a lot of use out of this tool. The way we recommend viewing this tool is that we've built the skeleton code to automatically generate these profiles. Now it's up to you to think through what values make sense for each attribute for your campaigns and update the data sources.
While we've covered a lot of possible options for the Malleable C2 profile language, there are many options we do not set. We highly encourage you to consult the Malleable Command and Control documentation and modify your profile.
The following options are not set, or are set statically by C2concealer and you should consider changing them.
| Missing Option | Notes |
|---|---|
set block_useragents |
Block non-beacon UA patterns |
set allow_useragents |
Allowlist UA patterns (CS 4.3+) |
| Missing Option | Notes |
|---|---|
set allocator |
Hardcoded VirtualAlloc; missing HeapAlloc, MapViewOfFile randomization |
set magic_mz_x86 / magic_mz_x64 |
MZ header spoofing |
set magic_pe |
PE marker spoofing |
set rich_header |
Compiler metadata spoofing |
set module_x86 / module_x64 |
Module stomping |
set copy_pe_header |
— |
set data_store_size |
— |
set eaf_bypass |
EAT check bypass |
set syscall_method |
None/Direct/Indirect (CS 4.8+) |
set rdll_loader |
PrependLoader/StompLoader |
set rdll_use_syscalls |
— |
set rdll_use_driploading |
— |
set rdll_dripload_delay |
— |
transform-obfuscate block |
base64, lznt1, rc4, xor options entirely absent |
append in transform-x86/x64 |
Only prepend and strrep are used |
| Missing Option | Notes |
|---|---|
set allocator |
Hardcoded VirtualAllocEx; missing NtMapViewOfSection randomization |
set use_driploading |
— |
set dripload_delay |
— |
append in transform-x86/x64 |
Only prepend used |
Execute: NtQueueApcThread |
Not in execute block |
Execute: NtQueueApcThread-s |
Not in execute block |
Execute: ObfSetThreadContext |
Not in execute block |
Execute: SetThreadContext |
Not in execute block |
| Execute function spoofing | module!function+0x## syntax not supported |
| Missing Option | Notes |
|---|---|
set pipename |
Named pipe for post-ex jobs |
| Missing Option | Notes |
|---|---|
set ns_response |
drop/idle/zero NS handling. Defaults to drop if not set. |
set dns_stager_prepend |
Prepend data to staged payloads |
| Missing Transform | Notes |
|---|---|
lznt1 |
Compression — not in any encode chain |
rc4 "key" |
Encryption — not in any encode chain |
xor "key" |
XOR — not in any encode chain |
uri-append |
Termination statement — not implemented |
Big shoutout to Raphael Mudge for constantly improving on the malleable profile feature set and the documentation to learn about it. Also, huge thanks to @killswitch-GUI for his script that automates LetsEncrypt cert generation for CS team servers. Finally, two blog posts that made life so much easier: @bluescreenofjeff's post (https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/) and Joe Vest's post (https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b).
Version 1.0
- Public version of FortyNorth Security's internal tool.
- Added support for CS 4.0 (specifically multiple HTTP variants)
- Updated README.md
Version 1.1
- Updated to include profile options supported by CS 4.12
- Updated browser UA strings
- Updated cookie strings to modern commonly-observed cookies
- Added SSH banner and SSH pipename options
- Updated Docker installation guidance
- Fixed Let's Encrypt support