analyzing-cobalt-strike-malleable-profiles
SKILL.md
Analyzing Cobalt Strike Malleable Profiles
Instructions
Parse malleable C2 profiles to extract IOCs and detection opportunities using the pyMalleableC2 library. Combine with JARM fingerprinting to identify C2 servers.
from malleablec2 import Profile
# Parse a malleable profile from file
profile = Profile.from_file("amazon.profile")
# Extract global options (sleep, jitter, user-agent)
print(profile.ast.pretty())
# Access HTTP-GET block URIs and headers for network signatures
# Access HTTP-POST block for data exfiltration patterns
# Generate JARM fingerprints for known C2 infrastructure
Key analysis steps:
- Parse the malleable profile to extract HTTP-GET/POST URI patterns
- Extract User-Agent strings and custom headers for IDS signatures
- Identify sleep time and jitter for beaconing detection thresholds
- Scan suspect IPs with JARM to match known C2 fingerprint hashes
- Cross-reference extracted IOCs with network traffic logs
Examples
# Parse profile and extract detection indicators
from malleablec2 import Profile
p = Profile.from_file("cobaltstrike.profile")
print(p) # Reconstructed source
# JARM scan a suspect C2 server
import subprocess
result = subprocess.run(
["python3", "jarm.py", "suspect-server.com"],
capture_output=True, text=True
)
print(result.stdout)
# Compare fingerprint against known CS JARM hashes
Weekly Installs
9
Repository
mukul975/anthro…y-skillsGitHub Stars
2.4K
First Seen
3 days ago
Security Audits
Installed on
cursor9
gemini-cli9
amp9
cline9
github-copilot9
codex9