caddy_c2

Published: May 30, 2024 License: MIT Imports: 11 Imported by: 0

README

caddy-c2

Caddy v2 module that matches network traffic and only allows through traffic that conforms to a C2 profile. This module currently works with the following C2 frameworks:

  • cobaltstrike
  • empire

Installation

You can build Caddy yourself by installing xcaddy and running:

xcaddy build --with github.com/lum8rjack/caddy-c2

If you want to clone the repository and make changes, you can test a local build with the following command:

# Specify the location of the local build
xcaddy build --with github.com/lum8rjack/caddy-c2=./caddy-c2

Caddyfile

Only requests that match the profile are allowed through to the C2 server; everything else is redirected to a different website. The supported frameworks are:

  • cobaltstrike
  • empire

Below is an example Caddyfile for use with Cobalt Strike.

{
  admin off
  debug
}

https://test.example.com {
  @c2 {
    c2_profile {
      profile "/usr/share/cobaltstrike/cobaltstrike.profile"
      framework "cobaltstrike"
    }
  }

  handle @c2 {
    reverse_proxy https://localhost:8080 {
      header_up Host {http.request.host}
      transport http {
        tls
        tls_insecure_skip_verify
      }
    }
  }

  handle /* {
    redir https://example.com{uri}
  }
}

Future Improvements

References

  • SeeProxy - Go reverse proxy with Cobalt Strike malleable profile validation. This project gave me the idea to create this caddy module.
  • goMalleable - Cobalt Strike malleable C2 profile parser
  • Malleable-C2-Profiles - Cobalt Strike template used for testing.

Documentation

Overview

There are a few things the parser/module does not account for in the profile:

  1. The parser/module does not check the header details of the profile.

  2. The parser/module does not validate the Verb set in the profile. It treats GET requests as valid for the http-get block and POST requests as valid for the http-post block. For example, this module will block all traffic if the http-get block contains `set verb "POST"`.

  3. The http-stage `set uri_x86` and `set uri_x64` options are added to the AllowedGets array.

The PowerShell Empire framework uses the same profile structure as Cobalt Strike.
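To make the three caveats concrete, here is a simplified re-implementation of the parse-and-match step as an added example (written for this page, not the module's own code). It assumes an exact User-Agent and URI comparison, treats a space-separated `set uri` value as a list of URIs, only tracks top-level `http-*` blocks, and runs on a constructed sample profile.

```go
package main

import (
	"regexp"
	"strings"
)

type profileAttrs struct {
	UserAgent string              // value of "set useragent"
	Allowed   map[string][]string // verb -> URIs accepted for that verb
}
// Constructed sample profile (not a real operator profile) covering the three blocks above.
const sampleProfile = `set useragent "Mozilla/5.0 (constructed sample)";
http-get { set uri "/api/v1/status /api/v1/health"; set verb "GET"; }
http-post { set uri "/api/v1/submit"; set verb "POST"; }
http-stage { set uri_x86 "/stage32"; set uri_x64 "/stage64"; }`
var setRe = regexp.MustCompile(`\bset\s+(\S+)\s+"([^"]*)"`)
var blockVerb = map[string]string{"http-get": "GET", "http-post": "POST"} // "set verb" is never read (caveat 2)

// parseProfile collects the settings used for matching, tracking the enclosing top-level block.
func parseProfile(text string) profileAttrs {
	p, block := profileAttrs{Allowed: map[string][]string{}}, ""
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "http-") {
			block = strings.Fields(line)[0] // http-get, http-post, http-stage, ...
		}
		for _, m := range setRe.FindAllStringSubmatch(line, -1) {
			key, val, verb := m[1], m[2], blockVerb[block]
			switch {
			case key == "useragent":
				p.UserAgent = val
			case key == "uri" && verb != "":
				p.Allowed[verb] = append(p.Allowed[verb], strings.Fields(val)...) // space-separated list
			case (key == "uri_x86" || key == "uri_x64") && block == "http-stage":
				p.Allowed["GET"] = append(p.Allowed["GET"], val) // caveat 3: staging URIs join the GET list
			}
		}
	}
	return p
}

// matches is the assumed admission rule: exact User-Agent plus an exact URI from the verb's list.
func matches(p profileAttrs, method, uri, ua string) bool {
	for _, u := range p.Allowed[method] {
		if u == uri && ua == p.UserAgent {
			return true
		}
	}
	return false
}
```

Seen from the defender's side, this is also why a probe with any other User-Agent or path only ever sees the redirect target configured in the Caddyfile, and why a profile whose http-get block sets `verb "POST"` would be blocked entirely under caveat 2.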

Types

type C2Profile

type C2Profile struct {
	// The path of the C2 profile file
	Profile string `json:"profile"`

	// The C2 framework
	Framework string `json:"framework"`

	// Profile data
	Data []byte

	// A list of attributes to get from the profiles
	Useragent    string
	AllowedGets  []string
	AllowedPosts []string
	// contains filtered or unexported fields
}

func (C2Profile) CaddyModule

func (C2Profile) CaddyModule() caddy.ModuleInfo

func (*C2Profile) Cleanup

func (m *C2Profile) Cleanup() error

No cleanup is necessary.

func (*C2Profile) Match

func (m *C2Profile) Match(r *http.Request) bool

Match the request based on the profile.

func (*C2Profile) ParseCobaltStrike

func (m *C2Profile) ParseCobaltStrike() error

Parse the Cobalt Strike profile to get the User-Agent, URIs, and Headers.

func (*C2Profile) ParseEmpire

func (m *C2Profile) ParseEmpire() error

Parse the Empire profile to get the User-Agent, URIs, and Headers.

func (*C2Profile) Provision

func (m *C2Profile) Provision(ctx caddy.Context) error

func (*C2Profile) UnmarshalCaddyfile

func (m *C2Profile) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
