Automating Malleable Profiles for Sliver C2: Enhancing Red Team Operations

Introduction

In red team operations, blending command-and-control (C2) traffic with legitimate network activity is essential to evade detection. Malleable C2 profiles let a Cobalt Strike Beacon shape its HTTP traffic to look like a service such as AWS or Outlook. Sliver configures its HTTP traffic through its own JSON file instead and does not parse Cobalt Strike's profile syntax, so the large public library of malleable profiles cannot be dropped in as-is. Security researcher Seunghwan Yoon developed a Python script that converts Cobalt Strike malleable profiles into Sliver-compatible JSON configurations, streamlining red team workflows.

Learning Objectives

  • Understand the role of malleable C2 profiles in evading network detection.
  • Learn how to automate the conversion of Cobalt Strike profiles for Sliver C2.
  • Explore techniques for rotating C2 traffic patterns to mimic legitimate services.

You Should Know

1. Cloning and Updating Malleable C2 Profiles

To get started, clone the public library of malleable profiles (Raphael Mudge's repository, written in Cobalt Strike's profile syntax rather than JSON):

git clone https://github.com/rsmudge/Malleable-C2-Profiles.git 
cd Malleable-C2-Profiles 
git pull   # only needed to refresh a checkout you already have 

The repository groups profiles by what they imitate (APT, crimeware, normal). These files are the input corpus for the converter; nothing in them is usable by Sliver until it has been translated.

2. Converting Cobalt Strike Profiles to Sliver JSON

Seunghwan's script parses the static HTTP headers from a Cobalt Strike profile and reformats them for Sliver. A converted header block, in the generic shape the post shows:

{ 
  "http": { 
    "headers": [ 
      { "name": "User-Agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" }, 
      { "name": "Accept", "value": "text/html,application/xhtml+xml" } 
    ] 
  } 
} 

Two caveats before installing such output. First, Sliver's own HTTP C2 file (http-c2.json) has no top-level "http" key: implant request headers live under implant_config next to user_agent, server response headers under server_config, and each header entry carries a probability value. The converter's output has to match the layout of the default file shipped with your Sliver version, so diff the two before replacing it. Second, matching headers is only part of looking like a browser: the request URIs, the TLS fingerprint and the check-in timing are at least as visible to network detection and come from other parts of the profile and the implant, not from the header list.
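The page does not show the internals of Seunghwan Yoon's script, so the following is an added example written for this article rather than his code. It walks a Cobalt Strike profile, tracks block nesting so that only two-argument header lines inside client {} and server {} blocks are taken (the one-argument form inside metadata/output blocks is a data-placement transform, not a static header), merges the http-get and http-post header sets, and lays the result out like Sliver's http-c2.json. The sample profile is constructed for the example, and the output key names (implant_config, server_config, user_agent, headers, probability) are an assumption based on Sliver's default file; diff the result against the default that ships with your Sliver version before using it.

```python
import json
import re

# Constructed sample in the style of the rsmudge/Malleable-C2-Profiles repo;
# illustrative only, not a real profile from that repository.
SAMPLE_PROFILE = r'''
# amazon-style profile (constructed for this example)
set sleeptime "30000";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";

http-get {
    set uri "/s/ref=nb_sb_noss_1/field-keywords=books";
    client {
        header "Accept" "*/*";
        header "Host" "www.amazon.com";
        header "Accept-Language" "en-US,en;q=0.9";
        metadata { base64; prepend "session-token="; header "Cookie"; }
    }
    server {
        header "Server" "Server";
        header "x-amz-id-1" "THKUYEZKCKPGY5T42PZT";
        output { print; }
    }
}

http-post {
    set uri "/N4215/adj/amzn.us.sr.aps";
    client {
        header "Accept" "*/*";
        header "Content-Type" "text/xml";
        id { parameter "sz"; }
        output { parameter "sn"; }
    }
    server {
        header "Server" "Server";
    }
}
'''

_Q = r'"((?:[^"\\]|\\.)*)"'                      # one double-quoted string
HEADER_RE = re.compile(r'^\s*header\s+' + _Q + r'\s+' + _Q + r'\s*;')
SET_RE = re.compile(r'^\s*set\s+([\w-]+)\s+' + _Q + r'\s*;')
BRACE_RE = re.compile(r'([\w-]+)\s*\{|\}')       # block openers and closers

# The implant derives these from the URL it talks to; copying a profile's fixed
# value would pin the wrong host. Dropping them is this example's own choice.
SKIP_HEADERS = {"host", "content-length"}


def parse_profile(text):
    """Collect useragent, URIs and static client/server headers from a profile.

    Headers count only when the innermost open block is client {} or server {}.
    The first definition of a header name wins across http-get and http-post.
    """
    stack = []   # names of the enclosing blocks, e.g. ['http-get', 'client']
    out = {"user_agent": "", "client_headers": [], "server_headers": [], "uris": []}
    seen = {"client": set(), "server": set()}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SET_RE.match(line)
        if m and m.group(1) == "useragent":
            out["user_agent"] = m.group(2)
        elif m and m.group(1) == "uri":
            out["uris"].extend(m.group(2).split())   # several URIs may share one string
        m = HEADER_RE.match(line)
        if m and stack and stack[-1] in seen:
            side, name, value = stack[-1], m.group(1), m.group(2)
            if name.lower() not in SKIP_HEADERS and name.lower() not in seen[side]:
                seen[side].add(name.lower())
                out[side + "_headers"].append({"name": name, "value": value})
        for tok in BRACE_RE.finditer(line):       # update nesting after the line's content
            if tok.group(0) == "}":
                stack.pop()
            else:
                stack.append(tok.group(1))
    return out


def to_sliver_config(parsed, probability=100):
    """Lay the headers out in the assumed shape of Sliver's http-c2.json."""
    def stamp(headers):
        return [dict(h, probability=probability) for h in headers]
    return {
        "implant_config": {"user_agent": parsed["user_agent"],
                           "headers": stamp(parsed["client_headers"])},
        "server_config": {"headers": stamp(parsed["server_headers"])},
    }


def convert(text):
    return to_sliver_config(parse_profile(text))


if __name__ == "__main__":
    print(json.dumps(convert(SAMPLE_PROFILE), indent=2))
```

Running it prints the two sections ready to be merged into a copy of the default file. The URIs collected in parsed["uris"] are returned but not emitted, because Sliver generates its own request paths from its configuration rather than taking a fixed list; where they go depends on the version's file layout.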

3. Randomizing Profile Selection

Automate profile selection so the same traffic shape is not used on every engagement or listener:

import random 

# Converted Sliver JSON profiles, one per imitated service (placeholder names). 
profiles = ["aws.profile", "outlook.profile", "gmail.profile"] 
selected_profile = random.choice(profiles) 
print(f"Using profile: {selected_profile}") 

This picks one profile per run. random.choice draws from a non-cryptographic generator, which is adequate for choosing a look-alike but makes the sequence predictable to anyone who knows the seed. Rotation also cannot rescue a profile that is fingerprintable on its own (an outdated User-Agent string, an unusual header order), so curate the set before rotating through it.

4. Scheduling Profile Rotation

Use cron (Linux) or Task Scheduler (Windows) to switch profiles periodically. On Linux, a crontab entry that runs the rotation script at the top of every hour (the five schedule fields are minute, hour, day of month, month, day of week):

crontab -e 
0 * * * * /usr/bin/python3 /path/to/rotate_profiles.py 

Note what rotation can and cannot change. In Sliver the implant-side HTTP settings are compiled into the implant when it is generated, so swapping the server's configuration file affects implants generated afterwards and the server's own responses; beacons already deployed keep the request shape they were built with. Rotate the file, then regenerate or re-stage implants, and restart the server so it reads the new file.

5. Validating Sliver Configurations

Sliver ships no standalone configuration linter. The server parses its HTTP C2 settings when it loads them (in Sliver 1.5.x from ~/.sliver/configs/http-c2.json; later releases add a c2profiles command for managing profiles), and a malformed file shows up as a load error. Check the syntax with an ordinary JSON parser first, then let Sliver confirm the structure:

python3 -m json.tool /path/to/converted_profile.json > /dev/null && echo "valid JSON" 
cp /path/to/converted_profile.json ~/.sliver/configs/http-c2.json 

Restart the server and generate a test implant (generate --http <listener-host>). If the server starts cleanly and the implant's traffic shows the new headers, the profile works without breaking Sliver's functionality.
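Syntax checking catches a missing comma but not a header entry that will misbehave once Sliver sends it. The following validator is an added example for this article, not part of Sliver or of the converter; it checks the assumed http-c2.json layout (implant_config and server_config sections, each with a headers list of name/value/probability entries) and rejects header names that are not RFC 7230 tokens, values containing CR, LF or NUL (which would split the header block), and probabilities outside 0..100. The two configurations it runs against are constructed.

```python
import json
import re

# RFC 7230 "tchar": the characters allowed in an HTTP header field name.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
CTL_RE = re.compile(r"[\r\n\x00]")

# Section names assumed from Sliver's default http-c2.json.
REQUIRED_SECTIONS = ("implant_config", "server_config")


def check_headers(section, headers, problems):
    """Append one message to problems for each malformed header entry."""
    if not isinstance(headers, list):
        problems.append(f"{section}.headers: must be a list")
        return
    for i, h in enumerate(headers):
        where = f"{section}.headers[{i}]"
        if not isinstance(h, dict):
            problems.append(f"{where}: not an object")
            continue
        name, value = h.get("name"), h.get("value")
        prob = h.get("probability", 100)
        if not isinstance(name, str) or not TOKEN_RE.match(name):
            problems.append(f"{where}: invalid header name {name!r}")
        if not isinstance(value, str) or CTL_RE.search(value):
            # CR/LF in a value lets the rest of the header block be rewritten
            problems.append(f"{where}: value is not a clean string")
        if isinstance(prob, bool) or not isinstance(prob, int) or not 0 <= prob <= 100:
            problems.append(f"{where}: probability must be an integer 0-100")


def validate_c2_config(cfg):
    """Return a list of problems; an empty list means the structure looks sane."""
    if not isinstance(cfg, dict):
        return ["top level: not a JSON object"]
    problems = []
    for section in REQUIRED_SECTIONS:
        block = cfg.get(section)
        if not isinstance(block, dict):
            problems.append(f"{section}: missing or not an object")
            continue
        check_headers(section, block.get("headers", []), problems)
    implant = cfg.get("implant_config")
    if isinstance(implant, dict):
        ua = implant.get("user_agent")
        if ua is not None and (not isinstance(ua, str) or not ua.strip()):
            problems.append("implant_config.user_agent: must be a non-empty string")
    return problems


def validate_text(text):
    """Validate raw JSON text; a syntax error is reported like any other problem."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"JSON syntax: {exc}"]
    return validate_c2_config(cfg)


# Constructed inputs: one clean configuration and one with typical conversion mistakes.
GOOD = json.dumps({
    "implant_config": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "headers": [{"name": "Accept", "value": "*/*", "probability": 100}],
    },
    "server_config": {
        "headers": [{"name": "Server", "value": "Server", "probability": 100}],
    },
})

BAD = json.dumps({
    "implant_config": {
        "user_agent": "",
        "headers": [
            {"name": "Accept Language", "value": "en-US", "probability": 100},
            {"name": "Cookie", "value": "a=b\r\nX-Injected: 1", "probability": 150},
        ],
    },
})

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, validate_text(text) or "OK")
```

Run it over the converter's output before copying the file into Sliver's config directory; a non-empty list is a reason not to install the profile.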

6. Preserving Operational Security

Before a converted profile leaves the operator's working copy (committed to a team repository, attached to a report), strip the fields that carry infrastructure details such as the C2 server address. The snippet below removes a top-level "server" key and writes the file back; nested keys need a recursive walk:

import json 

with open("converted_profile.json", "r") as f: 
    config = json.load(f) 

# Drop operator infrastructure details before the file leaves the working copy. 
config.pop("server", None) 

with open("converted_profile.json", "w") as f: 
    json.dump(config, f, indent=2) 

This keeps a shared profile from revealing where the listener lives. Do it on the copy you share, not on the live file: Sliver's own http-c2.json needs its server-side section for the listener to answer correctly.
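Steps 3, 4 and 6 together describe one rotation script, so here is a complete rotate_profiles.py as an added example for this article (not Seunghwan Yoon's script). It picks a converted profile with a CSPRNG while refusing to repeat the previous choice, strips sensitive keys at any nesting depth, installs the result with a temp-file-and-rename so cron never leaves a half-written file for the server to read, and records the choice in a state file. The directory layout, the state file and the SENSITIVE_KEYS names are assumptions; the three profiles in demo() are constructed so the script runs offline.

```python
import json
import os
import secrets
import sys
import tempfile
from pathlib import Path

# Keys that hold operator infrastructure details and must not leave the team's
# working copy. The names are assumptions for this example; adjust to your layout.
SENSITIVE_KEYS = frozenset({"server", "c2_host", "redirector"})


def scrub(obj, sensitive=SENSITIVE_KEYS):
    """Return a deep copy of obj with sensitive keys removed at any nesting depth."""
    if isinstance(obj, dict):
        return {k: scrub(v, sensitive) for k, v in obj.items() if k not in sensitive}
    if isinstance(obj, list):
        return [scrub(v, sensitive) for v in obj]
    return obj


def choose_profile(candidates, last=None):
    """Pick a profile with a CSPRNG, avoiding a back-to-back repeat when possible."""
    pool = [c for c in candidates if c != last] or list(candidates)
    if not pool:
        raise ValueError("no profiles to choose from")
    return secrets.choice(pool)


def write_atomic(path, data):
    """Write JSON via temp file + rename so a reader never sees a partial file."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".tmp-", suffix=".json")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(data, f, indent=2)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def rotate(profile_dir, dest, state_file):
    """One rotation step: pick a profile, scrub it, install it, remember the choice."""
    profile_dir, state_file = Path(profile_dir), Path(state_file)
    candidates = sorted(p.name for p in profile_dir.glob("*.json"))
    last = state_file.read_text().strip() if state_file.exists() else None
    chosen = choose_profile(candidates, last)
    config = json.loads((profile_dir / chosen).read_text())
    write_atomic(dest, scrub(config))
    state_file.write_text(chosen)
    return chosen


def demo(rounds=5):
    """Self-contained run: three constructed profiles rotated in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        pdir = Path(tmp) / "profiles"
        pdir.mkdir()
        for name in ("aws", "outlook", "gmail"):
            profile = {
                "implant_config": {"user_agent": f"ua-{name}", "headers": []},
                "server_config": {"headers": []},
                "server": {"host": "10.0.0.5", "port": 443},  # operator detail to strip
            }
            (pdir / f"{name}.json").write_text(json.dumps(profile))
        dest, state = Path(tmp) / "http-c2.json", Path(tmp) / "last_profile"
        choices = [rotate(pdir, dest, state) for _ in range(rounds)]
        return choices, json.loads(dest.read_text())


if __name__ == "__main__":
    if len(sys.argv) == 4:   # rotate_profiles.py PROFILE_DIR DEST STATE_FILE
        print("installed", rotate(*sys.argv[1:4]))
    else:
        choices, installed = demo()
        print("rotation sequence:", " -> ".join(choices))
        print("installed config:", json.dumps(installed))
```

For the hourly cron job from step 4, call the script with the three paths; without arguments it runs the offline demonstration. Remember that installing a new file only changes implants generated afterwards, so the job should be paired with whatever regenerates or re-stages implants in your workflow.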

7. Testing Traffic Obfuscation

Use Wireshark or tcpdump to verify that what goes on the wire matches the imitated service:

tcpdump -i eth0 -w traffic.pcap 

Open the capture and compare the request line, URI and the header names, values and order against the profile. Over HTTPS the headers are inside TLS, so a capture on the network path shows only TLS metadata (SNI, cipher suites, the JA3/JA4 fingerprint of the implant's TLS stack), none of which the header list controls; to inspect headers, capture on the listener or redirector where TLS terminates, or run the test over plain HTTP in the lab. Also check what the profile does not cover: a beacon's fixed-interval check-ins are visible in the timing even when every byte looks like the real service.

What Undercode Say

  • Key Takeaway 1: Automating malleable profile conversion saves time and reduces human error in red team operations.
  • Key Takeaway 2: Profile rotation and randomization are critical for maintaining stealth in prolonged engagements.

Analysis: Seunghwan’s script bridges a gap in Sliver’s capabilities, empowering red teams to operate more effectively. As network detection improves, tools like this will become indispensable for mimicking legitimate traffic. Future developments may include AI-driven dynamic profile generation, further evading heuristic-based detection.

For the full script and repository, visit: https://lnkd.in/gCBWfiVT.

Reported By: Seunghwan Yoon – Hackers Feeds