Converting Cobalt Strike profiles to Apache mod_rewrite .htaccess files to support HTTP C2 Redirection

This was heavily based on the work by Jeff Dimmock @bluescreenofjeff (Jeff, thanks for all your great work!!!)

Creating a Cobalt Strike mod_rewrite .htaccess file is easy, but I’m lazy and wanted to write a quick script to parse a Cobalt Strike profile and generate the .htaccess file.

This is a quick script that converts a Cobalt Strike profile into a base mod_rewrite .htaccess file to support HTTP C2 redirection with Cobalt Strike.

This script can be found at

https://github.com/minisllc/cs_to_modrewrite

You should tune and test the generated rules before use, but the script does give you a starting point.

Quick Start

  1. Run the script against a profile
  2. Save the output to .htaccess
  3. Modify as needed
  4. Deploy the .htaccess on your Apache redirector

Usage


usage: csToModrewrite.py [-h] [-i INPUTFILE] [-c C2SERVER] [-d DESTINATION]

Converts Cobalt Strike profiles to Apache mod_rewrite .htaccess file format

optional arguments:
  -h, --help      show this help message and exit
  -i INPUTFILE    C2 Profile file
  -c C2SERVER     C2 Server (http://teamserver)
  -d DESTINATION  Redirect to this URL (http://google.com)

Example


python csToModrewrite.py -i havex.profile -c http://myteamserver.com -d http://google.com

#### SAVE THE FOLLOWING AS .htaccess ####

RewriteEngine On
RewriteCond %{REQUEST_URI} ^(/include/template/isx\.php|/wp06/wp-includes/po\.php|/wp08/wp-includes/dtcla\.php|/modules/mod_search\.php|/blog/wp-includes/pomo/src\.php|/includes/phpmailer/class\.pop3\.php)/?$
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Windows;\ U;\ MSIE\ 7\.0;\ Windows\ NT\ 5\.2\)\ Java/1\.5\.0_08$
RewriteRule ^.*$ http://myteamserver.com%{REQUEST_URI} [P]
RewriteRule ^.*$ http://google.com/? [L,R=302]
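To test a generated rule set before deploying it (the "tune and test" step above), here is an added Python example that is not part of csToModrewrite.py: it compiles every RewriteCond pattern so an unbalanced parenthesis (such as an unescaped User-Agent string) is caught, and simulates which sample requests would be proxied to the team server and which would fall through to the redirect. The .htaccess text, the sample requests and the host names are constructed values for this example.

```python
import re

# Constructed sample .htaccess: two of the generated URI conditions plus the
# User-Agent condition with its parentheses escaped so the pattern compiles.
# Added test code, not part of csToModrewrite.py.
HTACCESS = r"""RewriteEngine On
RewriteCond %{REQUEST_URI} ^(/include/template/isx\.php|/wp06/wp-includes/po\.php)/?$
RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Windows;\ U;\ MSIE\ 7\.0;\ Windows\ NT\ 5\.2\)\ Java/1\.5\.0_08$
RewriteRule ^.*$ http://myteamserver.com%{REQUEST_URI} [P]
RewriteRule ^.*$ http://google.com/? [L,R=302]
"""

# Constructed line with the raw (unescaped) user-agent string: the bare '(' and
# ')' become a regex group, leaving the final ')' unmatched, so the pattern fails.
BROKEN_COND = r"RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ (Windows;\ U;\ MSIE\ 7\.0;\ Windows\ NT\ 5\.2)\ Java/1\.5\.0_08)?$"

# Constructed User-Agent matching the havex profile value quoted on the page.
SAMPLE_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08"

# RewriteCond <variable> <pattern>; the pattern may contain escaped spaces.
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(.+?)\s*$")

def check_patterns(htaccess):
    """Return [(variable, error)] for every RewriteCond whose pattern does not
    compile; an empty list means all conditions are syntactically valid."""
    problems = []
    for line in htaccess.splitlines():
        m = COND_RE.match(line.strip())
        if not m:
            continue
        try:
            re.compile(m.group(2))
        except re.error as exc:
            problems.append((m.group(1), str(exc)))
    return problems

def route(htaccess, request_uri, user_agent):
    """Simulate the rule set for one request: 'proxy' when every RewriteCond
    matches (the request is passed to the team server), otherwise 'redirect'
    to the decoy site. Assumes only the two variables below are used."""
    values = {"REQUEST_URI": request_uri, "HTTP_USER_AGENT": user_agent}
    for line in htaccess.splitlines():
        m = COND_RE.match(line.strip())
        if m and not re.match(m.group(2), values.get(m.group(1), "")):
            return "redirect"
    return "proxy"

if __name__ == "__main__":
    print(check_patterns(HTACCESS), check_patterns(BROKEN_COND))
    print(route(HTACCESS, "/include/template/isx.php", SAMPLE_UA))
    print(route(HTACCESS, "/include/template/isx.php", "curl/8.0"))
```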

References

Refer to the bluescreenofjeff blog post for more details:

Cobalt Strike HTTP C2 Redirectors with Apache mod_rewrite

(https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/)

Author Joe Vest

Joe Vest has worked in the information technology industry for over 17 years with a focus on red teaming, penetration testing and application security. Joe is an author of the SANS Red Team Operations and Threat Emulation course (SEC-564). As a former technical lead for a DoD red team, he has extensive knowledge of cyber threats and their tools, tactics and techniques, including threat emulation and threat detection. Joe is the co-founder of the security consulting company MINIS LLC, providing innovative solutions for the mitigation against an ever-changing cyber threat. As a leading security professional, he has achieved numerous security certifications: OSCP, CISSP-ISSMP, CISA, GPEN, GCIH, GWAPT, CEH, Security+
