CobaltStrike 特征提取

# default c2-http profile# define indicators for an HTTP GEThttp-get {    # Beacon will randomly choose from this pool of URIs    set uri "/ca /dpixel /__utm.gif /pixel.gif /g.pixel /dot.gif /updates.rss /fwlink /cm /cx /pixel /match /visit.js /load /push /ptj /j.ad /ga.js /en_US/all.js /activity /IE9CompatViewList.xml";

    client {        # base64 encode session metadata and store it in the Cookie header.        metadata {            base64;            header "Cookie";        }    }

    server {        # server should send output with no changes        header "Content-Type" "application/octet-stream";

        output {            print;        }    }}

# https://github.com/threatexpress/malleable-c2/blob/master/jquery-c2.4.6.profilehttp-stager {      set uri_x86 "/jquery-3.3.1.slim.min.js";    set uri_x64 "/jquery-3.3.2.slim.min.js";    ...}

# win10-https-beacon-ja3 指纹：72a589da586844d7f0818ce684948eea# centos-cs4.4-ja3s 指纹：fd4bc6cea4877646ccd62f0792ec0b62