Parser for Cobalt Strike's Malleable C2 config item
#!/usr/bin/env python3
# Cobalt Strike Malleable C2 transform-instruction parser: prints the decode steps
# stored in an extracted "instruction item" so an analyst can rebuild the profile.
import struct | |
import sys | |
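def read_int(f):
    """Read one big-endian unsigned 32-bit word from the binary stream *f*.

    Args:
        f: a file-like object opened in binary mode.

    Returns:
        The word as an int, or None when fewer than four bytes remain. A short
        read (1-3 trailing bytes in a truncated or malformed item) is reported
        as None rather than letting struct.unpack raise struct.error, so callers
        see a clean end-of-stream for attacker-controlled input.
    """
    data = f.read(4)
    if len(data) < 4:
        return None
    return struct.unpack(">I", data)[0]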
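# Transform steps that carry no operand, keyed by opcode, with the text printed for each.
_SIMPLE_OPS = {
    3: "Base64 decode",
    8: "NetBIOS Encode 'a'",
    11: "NetBIOS Encode 'A'",
    13: "Base64 URL-safe decode",
    15: "XOR mask w/ random key",
}

# Transform steps followed by exactly one 4-byte big-endian count operand.
_COUNT_OPS = {
    1: "Remove %d chars at the end",
    2: "Remove %d chars from the beginning",
}


def parse(ins_item):
    """Print a listing of the transform steps stored in a Malleable C2 item file.

    Args:
        ins_item: path to a file holding a sequence of 4-byte big-endian
            opcodes, some of which are followed by a 4-byte count operand.

    The listing stops at a 0 opcode or at end of file (read_int returns None
    for both EOF and a truncated word). The item comes out of a beacon
    configuration, i.e. attacker-controlled data: the parser only ever reads
    fixed 4-byte words and prints them, so no operand value drives an
    allocation or a seek, and a truncated operand ends the listing instead of
    raising. The file is closed on every exit path.

    Opcodes absent from the two tables (4-7, 9, 10, 12, 14, 16 and up) are
    reported on stderr and skipped without consuming any operand; if such a
    step actually carries operands in the profile format, the following words
    would be misread as opcodes. TODO(review): confirm against the format
    before trusting output that follows an unhandled opcode.

    Raises:
        OSError: if the file cannot be opened.
    """
    with open(ins_item, "rb") as f:
        while True:
            op = read_int(f)
            if not op:  # None at EOF or short read, or the 0 terminator
                break
            # Table dispatch gives every opcode exactly one handler (a range
            # test before the per-opcode checks would shadow opcode 8).
            if op in _COUNT_OPS:
                count = read_int(f)
                if count is None:
                    print("Truncated operand after op %d" % op, file=sys.stderr)
                    break
                print(_COUNT_OPS[op] % count)
            elif op in _SIMPLE_OPS:
                print(_SIMPLE_OPS[op])
            else:
                print("Unhandled op %d, no operand consumed" % op, file=sys.stderr)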
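if __name__ == "__main__":
    # Guard the entry point so the parser can be imported by other tooling
    # without running, and fail with a usage line instead of an IndexError.
    if len(sys.argv) != 2:
        sys.exit("usage: %s <instruction-item-file>" % sys.argv[0])
    parse(sys.argv[1])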