Convert Cobalt Strike profiles to Apache mod_rewrite .htaccess files to support HTTP C2 Redirection

This was heavily based on the work by Jeff Dimmock @bluescreenofjeff (Jeff, thanks for all your great work !!!)

Creating a Cobalt Strike mod_rewrite .htacces file is easy, but I’m lazy and wanted to write a quick script to parse a Cobalt Strike file and generate the .htaccess file.

This is a quick script that converts a Cobalt Strike profile to a base mod_rewrite .htaccess file to support HTTP redirection with Cobalt Strike

This script can be found at

You should tune and test before use, but it does help get the script started.

Quick Start

  1. Run the script against a profile
  2. Save the output to .htaccess
  3. Modify as needed
  4. Use script with your Apache redirector


usage: [-h] [-i INPUTFILE] [-c C2SERVER] [-d DESTINATION]

Converts Cobalt Strike profiles to Apache mod_rewrite .htaccess file format

optional arguments:
  -h, --help      show this help message and exit
  -i INPUTFILE    C2 Profile file
  -c C2SERVER     C2 Server (http://teamserver)
  -d DESTINATION  Redirect to this URL (


python -i havex.profile -c -d

#### SAVE THE FOLLOWING AS .htaccess ####

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(/include/template/isx.php|/wp06/wp-includes/po.php|/wp08/wp-includes/dtcla.php|/modules/mod_search.php|/blog/wp-includes/pomo/src.php|/includes/phpmailer/class.pop3.php)/?$
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ (Windows;\ U;\ MSIE\ 7\.0;\ Windows\ NT\ 5\.2)\ Java/1\.5\.0_08)?$
RewriteRule ^.*${REQUEST_URI} [P]
RewriteRule ^.*$ [L,R=302]


Refer to the bluescreenofjeff blog post for more details

Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite


Author Joe Vest

Joe Vest has worked in the information technology industry for over 17 years with a focus on red teaming, penetration testing and application security. Joe is an author of the SANS Red Team Operations and Threat Emulation course (SEC-564). As a former technical lead for a DoD red team, he has extensive knowledge of cyber threats and their tools, tactics and techniques, including threat emulation and threat detection. Joe is the co-founder of the security consulting company MINIS LLC, providing innovative solutions for the mitigation against an ever-changing cyber threat. As a leading security professional, he has achieved numerous security certifications: OSCP, CISSP-ISSMP, CISA, GPEN, GCIH, GWAPT, CEH, Security+

More posts by Joe Vest