infosecn1nja
/
Malleable-C2-Profiles
mirror of https://github.com/infosecn1nja/Malleable-C2-Profiles.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update template.profile

master
xx0hcd 2019-05-09 15:12:39 -05:00 committed by GitHub
parent da3885e550
commit f1722d455d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 41 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
template.profile
View File

@ -1,5 +1,5 @@
#template profile #template profile - updated with 3.14 options
#options from https://www.cobaltstrike.com/help-malleable-c2 #options from https://www.cobaltstrike.com/help-malleable-c2 and https://www.cobaltstrike.com/help-malleable-postex
#attempt to get everything in one place with examples. #attempt to get everything in one place with examples.
#xx0hcd #xx0hcd
@ -60,6 +60,8 @@ http-config {
header "Connection" "close"; header "Connection" "close";
header "Cache-Control" "max-age=2"; header "Cache-Control" "max-age=2";
header "Server" "nginx"; header "Server" "nginx";
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "false";
} }
#the client GET function checks if there are tasks queued. #the client GET function checks if there are tasks queued.
@ -250,13 +252,19 @@ http-stager {
###Malleable PE Options### ###Malleable PE Options###
#Sets the default program to open and inject shellcode into. post-ex {
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe"; set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe"; set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
#attempt to disable amsi for execute-assembly, powerpick, and psinject. set obfuscate "true";
set smartinject "true";
set amsi_disable "true"; set amsi_disable "true";
}
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually. #use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though. #don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
stage { stage {
@ -305,13 +313,18 @@ stage {
stringw "something"; stringw "something";
} }
#controls process injection behavior #controls process injection behavior
process-inject { process-inject {
set allocator "NtMapViewOfSection";
set min_alloc "16700"; set min_alloc "16700";
set startrwx "true";
set userwx "false"; set userwx "false";
set startrwx "true";
transform-x86 { transform-x86 {
prepend "\x90\x90\x90"; prepend "\x90\x90\x90";
} }
@ -319,14 +332,11 @@ process-inject {
prepend "\x90\x90\x90"; prepend "\x90\x90\x90";
} }
#disable can cause some beacon issues execute {
#no c2lint warning... CreateThread "ntdll!RtlUserThreadStart";
disable "SetThreadContext"; CreateThread;
NtQueueApcThread;
#c2lint warning ".process-inject disables several functions. As a result: x86 -> x86 injection will fail." CreateRemoteThread;
#disable "CreateRemoteThread"; RtlCreateUserThread;
}
#c2lint warning ".process-inject disables several functions. As a result: x86 -> x64 injection will fail."
#disable "RtlCreateUserThread";
} }