@usualsuspect
Created August 15, 2020 01:07
Parser for Cobalt Strike's Malleable C2 config item
#!/usr/bin/env python3
# Cobalt Strike Malleable C2 instruction parser
import struct
import sys
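def read_int(f):
    """Read one big-endian unsigned 32-bit word from *f*.

    Args:
        f: binary file-like object positioned at the next word.

    Returns:
        The decoded integer, or ``None`` when fewer than 4 bytes remain.
        A trailing partial word (1-3 bytes, i.e. a truncated input) is
        treated like end-of-stream instead of letting ``struct.unpack``
        raise ``struct.error``.
    """
    data = f.read(4)
    # Short read: end of the instruction list or a truncated file.
    if len(data) < 4:
        return None
    return struct.unpack(">I", data)[0]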
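def parse(ins_item):
    """Print, in order, the transform steps encoded in a Malleable C2 instruction item.

    Args:
        ins_item: path to a file holding the raw instruction list: a sequence
            of big-endian 32-bit opcodes, where opcodes 1 and 2 are each
            followed by one 32-bit length argument. A zero opcode, or end of
            file, ends the list.

    Opcodes this script does not describe are skipped silently. The file is
    closed on every exit path. A list that ends right after an opcode 1 or 2
    (length argument missing) is reported on stderr and parsing stops,
    instead of failing with a TypeError from the ``%d`` format.
    """
    # Opcodes that carry no argument, mapped to the line printed for them.
    # Opcode 8 is listed here so it is actually reachable: testing
    # ``op <= 8`` before ``op == 8`` would swallow it.
    simple_ops = {
        3: "Base64 decode",
        8: "NetBIOS Encode 'a'",
        11: "NetBIOS Encode 'A'",
        13: "Base64 URL-safe decode",
        15: "XOR mask w/ random key",
    }
    # Opcodes followed by one 32-bit length argument, mapped to their format.
    length_ops = {
        1: "Remove %d chars at the end",
        2: "Remove %d chars from the beginning",
    }
    with open(ins_item, "rb") as f:
        while True:
            op = read_int(f)
            # None means end of data; 0 is the explicit list terminator.
            if not op:
                break
            if op in length_ops:
                l = read_int(f)
                if l is None:
                    print(
                        "Truncated input: opcode %d is missing its length argument" % op,
                        file=sys.stderr,
                    )
                    break
                print(length_ops[op] % l)
            elif op in simple_ops:
                print(simple_ops[op])
            # Any other opcode is unknown to this script and is skipped.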
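if __name__ == "__main__":
    # Only run when executed as a script, so the functions above can be
    # imported elsewhere without side effects. Expect exactly one argument:
    # the path to the extracted instruction item.
    if len(sys.argv) != 2:
        print("usage: %s <instruction-item-file>" % sys.argv[0], file=sys.stderr)
        sys.exit(2)
    parse(sys.argv[1])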