# Agent HTTP profile: connection timing, identification headers, and the
# per-domain server profiles the agent is allowed to talk to.  Header names
# and values are kept quoted so YAML reads them as strings and never retypes
# them (see the "on" and "?1" values further down).

# Agent settings
# NOTE(review): the units of the two delays are not stated in this file —
# presumably milliseconds; confirm against the loader before changing them.
reconnect_delay: 10000
# Randomisation applied to the delay, as a percentage (presumably of
# reconnect_delay — confirm).
jitter_percent: 30
# Wait before the first connection attempt; 0 disables the wait.
startup_delay: 0

# Agent identity configuration
# User-Agent string the agent presents in its requests.
c2_agent_user_agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Header name/value pair carried by agent requests; presumably used by the
# server to tell agent traffic apart from other clients — confirm.
c2_identification_header: "Accept-Language"
c2_identification_value: "en-US,en;q=0.9"

# Agent common request headers
# Each entry is a single "Name: value" string, not a mapping.  Keep the quotes:
# the ": " inside an unquoted entry would be parsed as a key/value split.
agent_request_headers:
  - "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
  - "Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate"
  - "Pragma: no-cache"
  - "Connection: keep-alive"

# Domain-specific profiles - only configured domains are allowed
# Keys are the host names or IP addresses the agent connects to, quoted so they
# are always read as strings.  Each profile carries its own TLS material, the
# command/message header and cookie names, and the response headers to emit.
domain_profiles:
  "test1.com":
    # TLS certificate and private key.  Paths are relative (presumably to the
    # server's working directory — confirm); both profiles in this file point
    # at the same example.com files.
    ssl:
      cert_file: "certificates/example.com.crt"
      key_file: "certificates/example.com.key"

    # Headers and cookie indicating a new message from server
    command_header_name: "Server-Timing"
    command_header_value: "cfExtPri"
    command_cookie_name: "x-auth-csrf-token"

    # Cookie in which the agent embeds its message
    message_cookie_name: "sessionID"

    # Header to indicate message in request body when POST method is used
    body_message_header: "X-Requested-With"
    body_message_header_value: "XMLHttpRequest"

    # Common response headers of legit http traffic
    # Mapping of response header name to value; names are written lower-case.
    headers:
      cache-control: "max-age=3600"
      content-encoding: "gzip"
      pragma: "no-cache"
      server: "Microsoft-IIS/10.0"
      strict-transport-security: "max-age=31536000"
      x-aspnet-version: "4.0.30319"
      x-powered-by: "ASP.NET"
      x-content-type-options: "nosniff"
      x-frame-options: "DENY"
      x-xss-protection: "1; mode=block"

  "192.168.1.4":
    # Same certificate/key files as the profile above.
    ssl:
      cert_file: "certificates/example.com.crt"
      key_file: "certificates/example.com.key"

    # Same set of command/message keys as the profile above, with different
    # header and cookie names.
    command_cookie_name: "JSESSIONID"
    command_header_name: "X-Powered-By"
    command_header_value: "ASP.NET"
    message_cookie_name: "sessionID"
    body_message_header: "X-Requested-With"
    body_message_header_value: "XMLHttpRequest"

    # Response headers emitted for this profile.
    headers:
      # Single quotes keep the embedded double quotes literal.
      alt-svc: 'h3=":443"; ma=86400'
      cache-control: "private, no-cache, no-store, max-age=0, must-revalidate"
      cf-cache-status: "DYNAMIC"
      cf-ray: "29a9f76c7d9edf6-BRL"
      content-encoding: "br"
      cross-origin-opener-policy: "same-origin-allow-popups"
      cross-origin-resource-policy: "same-origin"
      # Must stay quoted: a leading "?" is a YAML indicator.
      origin-agent-cluster: "?1"
      priority: "u=0,i"
      referrer-policy: "no-referrer-when-downgrade"
      server: "cloudflare"
      strict-transport-security: "max-age=15552000; includeSubDomains; preload"
      vary: "Accept-Encoding"
      x-content-type-options: "nosniff"
      # Must stay quoted: a bare "on" is a YAML 1.1 boolean.
      x-dns-prefetch-control: "on"
      x-download-options: "noopen"
      x-frame-options: "SAMEORIGIN"
      x-permitted-cross-domain-policies: "none"