Parser for Cobalt Strike's Malleable C2 config item
#!/usr/bin/env python3
# Cobalt Strike Malleable C2 instruction parser
import struct
import sys
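def read_int(f):
    """Read one big-endian unsigned 32-bit field from *f*.

    Args:
        f: binary file object positioned at the start of the field.

    Returns:
        The field value as an int, or None when fewer than four bytes
        remain. A short read covers both a clean end of data and a
        truncated item; the original only checked for an empty read, so
        a 1-3 byte tail raised struct.error instead of ending cleanly.
    """
    data = f.read(4)
    if len(data) < 4:
        return None
    return struct.unpack(">I", data)[0]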
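def parse(ins_item):
    """Print the transform steps encoded in a Malleable C2 instruction item.

    The item is a run of big-endian uint32 fields: an opcode, followed for
    opcodes 1 and 2 by a single length argument. A zero opcode ends the
    list, as does running out of data. The bytes come from a sample under
    analysis, so a malformed or truncated item must end the walk rather
    than raise.

    Args:
        ins_item: path of the file holding the raw instruction bytes.

    Returns:
        None; each recognised step is printed to stdout. Unrecognised
        opcodes are skipped without consuming extra fields.
    """
    # Opcodes that carry no argument and map straight to a message.
    no_arg_steps = {
        3: "Base64 decode",
        # Must not be hidden behind a range test: the original's
        # `op <= 8` branch swallowed 8, so this line never printed.
        8: "NetBIOS Encode 'a'",
        11: "NetBIOS Encode 'A'",
        13: "Base64 URL-safe decode",
        15: "XOR mask w/ random key",
    }
    # Opcodes whose single argument is a character count.
    length_steps = {
        1: "Remove %d chars at the end",
        2: "Remove %d chars from the beginning",
    }
    with open(ins_item, "rb") as f:  # closed on every exit path
        while True:
            op = read_int(f)
            # 0 is the terminator; None is EOF or a truncated field.
            if not op:
                break
            if op in length_steps:
                count = read_int(f)
                if count is None:  # length field missing: item is truncated
                    break
                print(length_steps[op] % count)
            elif op in no_arg_steps:
                print(no_arg_steps[op])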
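if __name__ == "__main__":
    # Require exactly one path argument; the original indexed sys.argv[1]
    # unconditionally and died with IndexError when run without it.
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <instruction-item-file>\n" % sys.argv[0])
        sys.exit(2)
    parse(sys.argv[1])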