Closed 2XXE-SRA closed 3 years ago
Cobalt Strike 4.3 (https://blog.cobaltstrike.com/2021/03/03/cobalt-strike-4-3-command-and-control/) introduced, among other things, the "dns-beacon" block. The addition of this block breaks compatibility so profiles for previous versions are no longer valid for 4.3+.
As a half-measure, https://github.com/FortyNorthSecurity/C2concealer/blob/master/C2concealer/components/dnsoptions.py#L77-L80 should be changed to
```python
profileString = 'dns-beacon { \n'
for attr, value in self.__dict__.items():
    profileString += '\tset ' + attr + ' "' + value + '";\n'
profileString += '\n }\n'
return profileString
```
A more complete solution should probably also include the new subhost options.
Looks like https://github.com/FortyNorthSecurity/C2concealer/pull/4/commits/04f2fc2f3a962251774774ccf268df1704b1c845 addresses the first part.
This should now be fixed with the latest merge from last week!