Customizing C2Concealer – Part 1
By Red Siege | July 12, 2021
In the GitHub Readme page and the initial blog post, we included some information on how to modify C2Concealer to change the default values used to build the malleable profiles. However, while teaching our Red Team Tactics: Tooling, Evasion and Strategy course recently, several students asked for a blog post detailing how to customize the tool. So, here it is.
In Part I (this post), we’ll discuss customizing the data lists.
In Part II, we’ll look at additional places within C2Concealer to customize.
Description: These are the subdomains that are used for DNS-based beacon activities. There are two Python lists in this file, “subdomains” and “normal_subdomains”.
Ideas for New Values: You could change these to any common-looking subdomain. The easiest change is to grab a chunk of subdomains from a large DNS wordlist, such as one from SecLists, and drop some of them into those two Python lists.
Ideas for New Values: Open up Burp. Proxy some traffic from commonly visited sites that would fit your target environment. For example, the target company’s home page or Google or CNN. Review some of the HTML, CSS and JS resources that are loaded. Grab the first ten lines and swap them in for the existing values in the Python lists.
A couple of important notes:
Description: This file has two Python lists “common_params” and “words”.
Ideas for New Values: This SecLists file is a good start for some common parameter values. The wordlist can be built using anything you’d like, common words in your language of choice, randomly generated tech-y words, or run CeWL against a few websites.
Description: This is a small Python list of processes which we will use in fork+run operations. Meaning, we’ll spawn these processes, conduct our post-exploitation jobs in them and then tear them down.
The code driving the usage of this list looks like this.
```python
import random

# Candidate processes for fork+run; one is picked at random each time a profile is built.
spawn_processes = ['runonce.exe', 'svchost.exe', 'regsvr32.exe', 'WUAUCLT.exe']
process = str(random.choice(spawn_processes))

# spawnto paths for 32-bit and 64-bit post-exploitation jobs. The backslashes are
# doubled twice so the generated profile text contains the escaped "\\" that the
# malleable C2 profile format expects.
spawnto_x86 = "%windir%\\\\syswow64\\\\" + process
spawnto_x64 = "%windir%\\\\sysnative\\\\" + process
```
Ideas for New Values: You can add a whole bunch of different processes in here, but a few things to keep in mind:
Description: There are multiple Python lists in this file, but they’re all straightforward and related to HTTP request or response headers.
All of these values are just window dressing, meaning we’re just trying to blend into normal HTTP traffic for our beacon communications. None of them actually impact anything in our operations. As a result, we can change them to any acceptable value.
Ideas for New Values: First, here is a good page on Wikipedia detailing a bunch of different header values. Second, here are some resources for each list:
Description: This file contains one Python dictionary consisting of SMB pipenames, which are used for SMB Beacon’s peer-to-peer communication. You’ll notice each dictionary element is a string with a word, an underscore and two “#” characters. Ex: word_##. When Cobalt Strike grabs these values, each # is replaced with a random hex value.
Ideas for New Values: We’d suggest coming up with some tech sounding words and then just creating a small list, like “sorting_##”, “binomial_##”, “rev_##”. You could also list all named pipes currently in use on your system with the following PowerShell command and attempt to use those in your list. Just remember to add in “_##” after whatever word is included.
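For defenders, the naming convention just described is also something to hunt for. The check below is an added example, not code from the original post or from the C2Concealer project: it scans constructed Sysmon-style pipe-creation records (field names and sample lines are assumptions) for pipe names that follow the word_## shape, i.e. a word, an underscore and two hex digits.

```python
import re

# Constructed sample of Sysmon "Pipe Created" (EventID 17) and "Pipe Connected"
# (EventID 18) records, flattened to one key=value line each. Not real telemetry.
SAMPLE_PIPE_EVENTS = [
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\sorting_4f",
    "EventID=17 Image=C:\\Windows\\System32\\spoolsv.exe PipeName=\\spoolss",
    "EventID=17 Image=C:\\Windows\\SysWOW64\\regsvr32.exe PipeName=\\binomial_a1",
    "EventID=17 Image=C:\\Program Files\\App\\app.exe PipeName=\\app_worker",
    "EventID=18 Image=C:\\Windows\\System32\\lsass.exe PipeName=\\lsass",
]

# key=value pairs; values run until the next " key=" or end of line, so paths
# containing spaces (e.g. "Program Files") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# The word_## template: each '#' becomes one random hex character, so the
# generated name is a word, an underscore and exactly two hex digits.
PIPE_TEMPLATE = re.compile(r"^\\[A-Za-z]+_[0-9a-f]{2}$")


def parse_event(line: str) -> dict:
    """Turn one flattened record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_templated_pipes(lines):
    """Return (image, pipe_name) for every pipe *creation* whose name
    matches the word_## template. Connection events (18) are skipped so a
    client attaching to such a pipe is not double-counted."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "17":
            continue
        name = ev.get("PipeName", "")
        if PIPE_TEMPLATE.match(name):
            hits.append((ev.get("Image", ""), name))
    return hits


if __name__ == "__main__":
    for image, pipe in find_templated_pipes(SAMPLE_PIPE_EVENTS):
        print(f"suspicious pipe {pipe} created by {image}")
```

The pattern is deliberately narrow; legitimate software that happens to name pipes the same way will match too, so treat hits as a starting point for triage rather than a verdict.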
Description: There are two Python lists in here related to staging.
Ideas for New Values: Get creative and come up with some additional strings for replacing “ReflectiveLoader” in the beacon DLL. Keep the length the same as “ReflectiveLoader”; don’t go over 16 characters. If you want to add to the “binary_types” list, also edit the consistencyCheck function in the profile.py file and include an extra elif statement (or statements) to append the relevant file type to the stager URL.
Description: A Python list of data transformation functions. This is largely set by Cobalt Strike, so unless they update the documentation with additional functions, you can skip this.
Ideas for New Values: n/a
Description: This Python file contains 3 lists of
Ideas for New Values:
That’s all for this post. In Part II (coming soon), we’ll look at customizing values in the functions that build the malleable profiles. This first post covers the easiest changes with the quickest impact. The second post will require more patience to customize, as well as more consideration for appropriate values, but both types of customization are what we use internally on our private version.