Cobalt Strike Malleable C2 profiles: fixing a few small problems

I have been looking into C2 hiding techniques these days and ran into an error where the profile failed to load when the C2 client validated it, so I am recording it here:

Reference article: http://xia0yu.win/java/40.html

An error appeared when using compile_time to change the Beacon's PE header timestamp:

[-] Error(s) while compiling /Users/xia0yu/Desktop/test.profile

Error: option <.stage.compile_time> requires a 'dd MMM YYYY hh:mm:ss' date at line 289 "14 July 2009 8:14:00"

The date failed to parse. I found that this is related to the language/locale setting of my own system, and running on the server over SSH is affected as well.

Changing the system language to English fixes it. You could also change July to 七月 (the Chinese month name), but neither option is very convenient.

A better approach is to add -Duser.language=en to both c2lint and teamserver, after which you get Profile compiled OK:

java -XX:ParallelGCThreads=4 -XX:+UseParallelGC -Duser.language=en -classpath ./cobaltstrike.jar c2profile.Lint $1
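To see why the locale matters, here is a small Java program added as an example (it is not part of the post and not Cobalt Strike code). It parses the same date string from the error message with SimpleDateFormat under the JVM default locale, an English locale and a Chinese locale. It assumes that c2lint relies on a locale-sensitive Java date parser of this kind, which is what the -Duser.language=en fix suggests; the class name LocaleDateCheck and the helper parses() are my own.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Locale;

public class LocaleDateCheck {
    // Pattern and value taken from the c2lint error message on the page.
    // Java's SimpleDateFormat uses yyyy for the calendar year (YYYY would be
    // the ISO week year), so yyyy is used here; the message text is unchanged.
    static final String PATTERN = "dd MMM yyyy hh:mm:ss";
    static final String VALUE = "14 July 2009 8:14:00";

    // Returns true if VALUE parses under the given locale. The MMM field is
    // resolved through the locale's month names, so "July" is only understood
    // by an English locale; a Chinese locale expects "7月" instead.
    static boolean parses(Locale locale) {
        try {
            new SimpleDateFormat(PATTERN, locale).parse(VALUE);
            return true;
        } catch (ParseException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // The default locale is what -Duser.language=en overrides at JVM start.
        Locale dflt = Locale.getDefault();
        System.out.println("default locale " + dflt + ": " + parses(dflt));
        System.out.println("en:    " + parses(Locale.ENGLISH));           // true
        System.out.println("zh_CN: " + parses(Locale.SIMPLIFIED_CHINESE)); // false
    }
}
```

Compile with `javac LocaleDateCheck.java` and run it twice, once as `java LocaleDateCheck` and once as `java -Duser.language=en LocaleDateCheck`: on a Chinese-locale machine the first line flips from false to true, which is exactly the behaviour change the c2lint and teamserver flag produces.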

Then there is another problem:

[-] .spawnto_x86 is deprecated and has no effect. Set .post-ex.spawnto_x86 instead.

[-] .spawnto_x64 is deprecated and has no effect. Set .post-ex.spawnto_x64 instead.

Since the 3.14 update, you can no longer use set spawnto_x86 / set spawnto_x64 directly.

Instead it has to be written like this:

post-ex {  
    set spawnto_x86 "shit/path";
    set spawnto_x64 "shit/path";
}