CodeXTF2 / Burp2Malleable

Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles
MIT License
361 stars, 32 forks

error #6

Open ChenZIDu opened 1 year ago

ChenZIDu commented 1 year ago

image

CodeXTF2 commented 1 year ago

Can you run this profile through c2lint? It looks like your profile might be too large.

ChenZIDu commented 1 year ago

Thank you, the modified c2lint can pass. But the Trojan generated by default cannot go online with C2.

CodeXTF2 commented 1 year ago

That doesn't tell me much. Can you provide more details? Can you test with default malleable profiles? Post the profile you generated?

ChenZIDu commented 1 year ago

Found a problem: if the request is a POST request, the default generated profile's http-get block has set verb "post".

ChenZIDu commented 1 year ago

Also, can you add some regular C2 evasion monitoring, such as set sleep_mask "true";

CodeXTF2 commented 1 year ago

I could, but that's outside the scope of this tool. This tool is meant to make it easier to craft custom malleable profiles based on existing traffic. The Cobalt Strike docs should be referenced for other options since there is more depth to them and their use cases/opsec implications imo.

ChenZIDu commented 1 year ago

Recently I have been learning how Cobalt Strike profiles operate. Are there any articles you would recommend for learning? I will thank you very much.

CodeXTF2 commented 1 year ago

Yes, the Fortra Malleable PE docs: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_main.htm should help for the other malleable options such as sleep mask etc.

ChenZIDu commented 1 year ago

Ok, at present, I have written a successful profile according to your tool. The problem of http-get set verb "post" does exist, you can fix it ASAP.

CodeXTF2 commented 1 year ago

I'm not too sure what you mean; can you give me the steps to reproduce this? Last I checked it was working with POST requests :P

ChenZIDu commented 1 year ago

It will generate "http-get", where the configuration defaults to "set verb 'POST';"

ChenZIDu commented 1 year ago

image

CodeXTF2 commented 1 year ago

Hi, sorry for the late reply, was busy. But I don't believe this is an issue. http-get does not imply HTTP GET requests, as per the Malleable C2 spec.

https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2_beacon-http-transaction-walkthru.htm#_Toc65482844

This block looks correct. It is telling Beacon to use HTTP POST requests to do the GET operation over HTTP, which sends Beacon's session metadata and retrieves Beacon's taskings. Do correct me if I'm misunderstanding.
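The point in the last comment, that `http-get` names a transaction and not the HTTP method on the wire, is easy to get wrong when reading a generated profile. The following is an added example (not part of the thread or of Burp2Malleable) that parses a constructed profile fragment and reports, for each `http-get`/`http-post` block, the verb Beacon will actually use, defaulting to GET and POST respectively when `set verb` is absent; the sample profile and the `wire_methods` helper are assumptions made for this example.

```python
import re

# Constructed sample profile (made up for this example, not produced by the tool):
# the http-get transaction is configured to travel as an HTTP POST.
SAMPLE_PROFILE = '''
http-get {
    set uri "/api/v1/status";
    set verb "POST";
    client {
        header "Accept" "application/json";
    }
}
http-post {
    set uri "/api/v1/submit";
    set verb "POST";
}
'''

# Block header, with an optional variant name such as http-get "mobile" { ... }
BLOCK_RE = re.compile(r'^\s*(http-get|http-post)(?:\s+"([^"]*)")?\s*\{', re.M)
# Top-level settings we care about inside a block
SET_RE = re.compile(r'set\s+(verb|uri)\s+"([^"]*)"\s*;')

# Default verbs when a block does not override them
DEFAULT_VERB = {"http-get": "GET", "http-post": "POST"}


def wire_methods(profile: str) -> dict:
    """Map each http-get/http-post block to the HTTP method and URI on the wire."""
    result = {}
    for m in BLOCK_RE.finditer(profile):
        name, variant = m.group(1), m.group(2)
        key = f'{name} "{variant}"' if variant else name
        # Walk the braces so nested client/server blocks are included in the body.
        depth, i = 0, m.end() - 1
        while i < len(profile):
            if profile[i] == "{":
                depth += 1
            elif profile[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = profile[m.end():i]
        settings = dict(SET_RE.findall(body))
        result[key] = {"verb": settings.get("verb", DEFAULT_VERB[name]).upper(),
                       "uri": settings.get("uri", "")}
    return result


if __name__ == "__main__":
    for block, info in wire_methods(SAMPLE_PROFILE).items():
        print(f"{block}: {info['verb']} {info['uri']}")
```

Running it on the sample prints `http-get: POST /api/v1/status`, which is the behaviour the thread describes: the "GET" transaction is a POST on the wire, so anyone matching traffic by method alone should read the verb, not the block name.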