-
-
Notifications
You must be signed in to change notification settings - Fork 143
/
example-config.yaml
567 lines (504 loc) · 21.2 KB
/
example-config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
#
# This is a sample config file for RedWarden.
#
#
# ====================================================
# General proxy related settings
# ====================================================
#
# Print verbose output. Implied if debug=True. Default: False
verbose: True
# Print debugging output that includes HTTP request/response trace. Default: False
debug: False
# Redirect RedWarden's output to file. Default: stdout.
# Creates a file in the same directory that this config file is situated.
output: redwarden_redirector.log
# Write web server access attempts in Apache2 access.log format into this file.
access_log: redwarden_access.log
# Switches between one of the following pre-defined log formats:
# - 'apache2' combined access_log
# - 'redelk' log format
access_log_format: apache2
#
# ===================================
# RedELK Integration
#
#
# If RedWarden is to be integrated with RedElk, following three variables will have to be set
# according to this redirector server role.
#
# Label marking packets coming from this specific Proxy server.
# Can be anything, but nice candidates are:
# - http, http-proxy, http-trackingpixel1, phishingwebsite, etc
redelk_frontend_name: http-redwarden
# Label for packets that are passed to the C2 server.
# This value MUST start with "c2" and cannot contain spaces.
redelk_backend_name_c2: c2
# Label for packets that are NOT passed to the C2 (they either dropped, redirected, proxied away).
# This value MUST start wtih "decoy" and cannot contain spaces.
redelk_backend_name_decoy: decoy
# ===================================
# If 'output' is specified, tee program's output to file and stdout at the same time.
# Default: False
tee: True
#
# Ports on which RedWarden should bind & listen
#
port:
- 80/http
- 443/https
#
# SSL certificate CAcert (pem, crt, cert) and private key CAkey
#
ssl_cacert: /etc/letsencrypt/live/attacker.com/fullchain.pem
ssl_cakey: /etc/letsencrypt/live/attacker.com/privkey.pem
#
# Drop invalid HTTP requests
#
# If a stream that doesn't resemble valid HTTP protocol reaches RedWarden listener,
# should we drop it or process it? By default we drop it.
#
# Default: True
#
drop_invalid_http_requests: True
#
# Path to the Malleable C2 profile file.
# If not given, most of the request-validation logic won't be used.
#
profile: malleable.profile
#
# (Required) Address where to redirect legitimate inbound beacon requests.
# A.k.a. TeamServer's Listener bind address, in a form of:
# [inport:][http(s)://]host:port
#
# If RedWarden was configured to listen on more than one port, specifying "inport" will
# help the plugin decide to which teamserver's listener redirect inbound request.
#
# If 'inport' values are not specified in the below option (teamserver_url) the script
# will pick destination teamserver at random.
#
# Having RedWarden listening on only one port does not mandate to include the "inport" part.
# This field can be either string or list of strings.
#
teamserver_url:
- 1.2.3.4:5555
#
# Report only instead of actually dropping/blocking/proxying bad/invalid requests.
# If this is true, will notify that the request would be block if that option wouldn't be
# set.
#
# Default: False
#
report_only: False
#
# Log full bodies of dropped requests.
#
# Default: False
#
log_dropped: False
#
# Throttle down number of log entries emitted for single Peer to lower I/O overhead.
#
# When you operate your Beacon in interactive mode, the RedWarden can go crazy with logging
# all of the allowed requests. We can throttle that down to minimize I/O and CPU impact.
#
# This option specifies number of seconds to wait before adding next log entry for specific IP,
# regardless of whether it was allowed or dropped.
#
# Default:
# log_request_delay: 60
# requests_threshold: 3
#
throttle_down_peer_logging:
log_request_delay: 60
requests_threshold: 3
#
# What to do with the request originating not conforming to Beacon, whitelisting or
# ProxyPass inclusive statements:
# - 'redirect' it to another host with (HTTP 301),
# - 'reset' a TCP connection with connecting client
# - 'proxy' the request, acting as a reverse-proxy against specified action_url
# (may be dangerous if client fetches something it shouldn't supposed to see!)
#
# Valid values: 'reset', 'redirect', 'proxy'.
#
# Default: redirect
#
drop_action: redirect
#
# If someone who is not a beacon hits the proxy, or the inbound proxy does not meet
# malleable profile's requirements - where we should proxy/redirect his requests.
# The protocol HTTP/HTTPS used for proxying will be the same as originating
# requests' protocol. Redirection in turn respects protocol given in action_url.
#
# This value may be a comma-separated list of hosts, or a YAML array to specify that
# target action_url should be picked at random:
# action_url: https://google.com, https://gmail.com, https://calendar.google.com
#
# Default: https://google.com
#
action_url:
- https://google.com
#
# ProxyPass alike functionality known from mod_proxy.
#
# If inbound request matches given conditions, proxy that request to specified host,
# fetch response from target host and return to the client. Useful when you want to
# pass some requests targeting for instance attacker-hosted files onto another host, but
# through the one protected with malleable_redirector.
#
# Protocol used for ProxyPass will match the one from originating request unless specified explicitely.
# If host part contains http:// or https:// schema - that schema will be used.
#
# Syntax:
# proxy_pass:
# - /url_to_be_passed example.com
# - /url_to_be_passed_onto_http http://example.com
#
# The first parameter 'url' is a regex (case-insensitive). Must start with '/'.
# The regex begin/end operators are implied and will constitute following regex to be
# matched against inbound request's URL:
# '^/' + url_to_be_passed + '$'
#
# Here are the URL rewriting rules:
# Example, inbound request:
# https://attacker.com/dl/file-to-be-served.txt
#
# Rules:
# a) Entire URL to be substituted for proxy pass:
# proxy_pass:
# - /dl/.+ https://localhost:8888/
# ====> will redirect to https://localhost:8888/
#
# b) Only host to be substituted for proxy pass:
# proxy_pass:
# - /dl/.+ localhost:8888
# ====> will redirect to https://localhost:8888/dl/file-to-be-served.txt
#
# Following options are supported:
# - nodrop - Process this rule at first, before evaluating any DROP-logic.
# Does not let processed request to be dropped.
#
# Default: No proxy pass rules.
#
proxy_pass:
# These are example proxy_pass definitions:
#- /foobar\d* bing.com
#- /myip http://ip-api.com/json/
#- /alwayspass google.com nodrop
#
# If set, removes all HTTP headers sent by Client that are not expected by Teamserver according
# to the supplied Malleable profile and its client { header ... } section statements. Some CDNs/WebProxy
# providers such as CloudFlare may add tons of their own metadata headers (like: CF-IPCountry, CF-RAY,
# CF-Visitor, CF-Request-ID, etc.) that can make Teamserver unhappy about inbound HTTP Request which could
# cause its refusal.
#
# We can strip all of these superfluous, not expected by Teamserver HTTP headers delivering a vanilla plain
# request. This is recommended setting in most scenarios.
#
# Do note however, that Teamserver by itself ignores superfluous headers it receives in requests, as long as they
# don't compromise integrity of the malleable transaction.
#
# Default: True
#
remove_superfluous_headers: True
#
# Every time malleable_redirector decides to pass request to the Teamserver, as it conformed
# malleable profile's contract, a MD5 sum may be computed against that request and saved in sqlite
# file. Should there be any subsequent request evaluating to a hash value that was seen & stored
# previously, that request is considered as Replay-Attack attempt and thus should be banned.
#
# CobaltStrike's Teamserver has built measures aginst replay-attacks, however malleable_redirector may
# assist in that activity as well.
#
# Default: False
#
mitigate_replay_attack: False
#
# List of whitelisted IP addresses/CIDR ranges.
# Inbound packets from these IP address/ranges will always be passed towards specified TeamServer without
# any sort of verification or validation.
#
whitelisted_ip_addresses:
- 127.0.0.0/24
#
# Maintain a volatile, dynamic list of whitelisted Peers (IPv4 addresses) based on a number of requests
# they originate that were allowed and passed to Teamserver.
#
# This option cuts down request processing time since whenever a request coming from a previously whitelisted
# peers gets processed, it will be accepted right away having observed that the peer was allowed to pass
# N requests to the Teamserver on a previous occassions.
#
# This whitelist gets cleared along with RedWarden being terminated. It is only held up in script's memory.
#
# Paramters:
# - number_of_valid_http_get_requests: defines number of successful http-get requests (polling Teamserver)
# that determine whether Peer can be trusted.
# - number_of_valid_http_post_requests: defines number of successful http-post requests (sending command
# results to the TS) that determine whether Peer can be trusted.
#
# Value of 0 denotes disabled counting of a corresponding type of requests.
# Function disabled if configuration option is missing.
#
# Default: (dynamic whitelist enabled)
# number_of_valid_http_get_requests: 15
# number_of_valid_http_post_requests: 5
#
add_peers_to_whitelist_if_they_sent_valid_requests:
number_of_valid_http_get_requests: 15
number_of_valid_http_post_requests: 5
#
# Ban peers based on their IPv4 address. The blacklist with IP address to check against is specified
# in 'ip_addresses_blacklist_file' option.
#
# Default: True
#
ban_blacklisted_ip_addresses: True
#
# Specifies external list of CIDRs with IPv4 addresses to ban. Each entry in that file
# can contain a single IPv4, a CIDR or a line with commentary in following format:
# 1.2.3.4/24 # Super Security System
#
# Default: data/banned_ips.txt
#
ip_addresses_blacklist_file: data/banned_ips.txt
#
# Specifies external list of keywords to ban during reverse-IP lookup, User-Agents or
# HTTP headers analysis stage. The file can contain lines beginning with '#' to mark comments.
#
# Default: data/banned_words.txt
#
banned_agents_words_file: data/banned_words.txt
#
# Specifies external list of phrases that should override banned phrases in case of ambiguity.
# If the request was to be banned because of a ambigue phrase, the override agents file can
# make the request pass blocking logic if it contained "allowed" phrase.
#
# Default: data/banned_words_override.txt
#
override_banned_agents_file: data/banned_words_override.txt
#
# Ban peers based on their IPv4 address' resolved ISP/Organization value or other details.
# Whenever a peer connects to our proxy, we'll take its IPv4 address and use one of the specified
# APIs to collect all the available details about the address. Whenever a banned word
# (of a security product) is found in those details - peer will be banned.
# List of API keys for supported platforms are specified in ''. If there are no keys specified,
# only providers that don't require API keys will be used (e.g. ip-api.com, ipapi.co)
#
# This setting affects execution of policy:
# - drop_ipgeo_metadata_containing_banned_keywords
#
# Default: True
#
verify_peer_ip_details: True
#
# Specifies a list of API keys for supported API details collection platforms.
# If 'verify_peer_ip_details' is set to True and there is at least one API key given in this option, the
# proxy will collect details of inbound peer's IPv4 address and verify them for occurences of banned words
# known from various security vendors. Do take a note that various API details platforms have their own
# thresholds for amount of lookups per month. By giving more than one API keys, the script will
# utilize them in a random order.
#
# To minimize number of IP lookups against each platform, the script will cache performed lookups in an
# external file named 'ip-lookups-cache.json'
#
# Supported IP Lookup providers:
# - ip-api.com: No API key needed, free plan: 45 requests / minute
# - ipapi.co: No API key needed, free plan: up to 30000 IP lookups/month and up to 1000/day.
# - ipgeolocation.io: requires an API key, up to 30000 IP lookups/month and up to 1000/day.
#
# Default: empty dictionary
#
ip_details_api_keys:
#ipgeolocation_io: 0123456789abcdef0123456789abcdef
ipgeolocation_io:
#
# Restrict incoming peers based on their IP Geolocation information.
# Available only if 'verify_peer_ip_details' was set to True.
# IP Geolocation determination may happen based on the following supported characteristics:
# - organization,
# - continent,
# - continent_code,
# - country,
# - country_code,
# - city,
# - timezone
#
# The Peer will be served if at least one geolocation condition holds true for him
# (inclusive/alternative arithmetics).
#
# If no determinants are specified, IP Geolocation will not be taken into consideration while accepting peers.
# If determinants are specified, only those peers whose IP address matched geolocation determinants will be accepted.
#
# Each of the requirement values may be regular expression. Matching is case-insensitive.
#
# Following (continents_code, continent) pairs are supported:
# ('AF', 'Africa'),
# ('AN', 'Antarctica'),
# ('AS', 'Asia'),
# ('EU', 'Europe'),
# ('NA', 'North america'),
# ('OC', 'Oceania'),
# ('SA', 'South america)'
#
# Proper IP Lookup details values can be established by issuing one of the following API calls:
# $ curl -s 'https://ipapi.co/TARGET-IP-ADDRESS/json/'
# $ curl -s 'http://ip-api.com/json/TARGET-IP-ADDRESS'
#
# The organization/isp/as/asn/org fields will be merged into a common organization list of values.
#
ip_geolocation_requirements:
organization:
#- My\s+Target\+Company(?: Inc.)?
continent:
continent_code:
country:
country_code:
city:
timezone:
#
# Fine-grained requests dropping policy - lets you decide which checks
# you want to have enforced and which to skip by setting them to False
#
# Default: all checks enabled
#
policy:
# [IP: ALLOW, reason:0] Request conforms ProxyPass entry (url="..." host="..."). Passing request to specified host
allow_proxy_pass: True
# [IP: ALLOW, reason:2] Peer's IP was added dynamically to a whitelist based on a number of allowed requests
allow_dynamic_peer_whitelisting: True
# [IP: DROP, reason:1] inbound User-Agent differs from the one defined in C2 profile.
drop_invalid_useragent: True
# [IP: DROP, reason:2] HTTP header name contained banned word
drop_http_banned_header_names: True
# [IP: DROP, reason:3] HTTP header value contained banned word:
drop_http_banned_header_value: True
# [IP: DROP, reason:4b] peer's reverse-IP lookup contained banned word
drop_dangerous_ip_reverse_lookup: True
# [IP: DROP, reason:4e] Peer's IP geolocation metadata contained banned keyword! Peer banned in generic fashion.
drop_ipgeo_metadata_containing_banned_keywords: True
# [IP: DROP, reason:5] HTTP request did not contain expected header
drop_malleable_without_expected_header: True
# [IP: DROP, reason:6] HTTP request did not contain expected header value:
drop_malleable_without_expected_header_value: True
# [IP: DROP, reason:7] HTTP request did not contain expected (metadata|id|output) section header:
drop_malleable_without_expected_request_section: True
# [IP: DROP, reason:8] HTTP request was expected to contain (metadata|id|output) section with parameter in URI:
drop_malleable_without_request_section_in_uri: True
# [IP: DROP, reason:9] Did not found append pattern (this logic is known to cause troubles, use with caution):
drop_malleable_without_prepend_pattern: False
# [IP: DROP, reason:10] Did not found append pattern (this logic is known to cause troubles, use with caution):
drop_malleable_without_apppend_pattern: False
# [IP: DROP, reason:11] Requested URI does not aligns any of Malleable defined variants:
drop_malleable_unknown_uris: True
# [IP: DROP, reason:12] HTTP request was expected to contain <> section with URI-append containing prepend/append fragments
drop_malleable_with_invalid_uri_append: True
#
# This option repairs Beacon requests's header value by restoring to what was expected in Malleable C2 profile.
#
# If RedWarden validates inbound request's HTTP headers, according to policy drop_malleable_without_expected_header_value:
# "[IP: DROP, reason:6] HTTP request did not contain expected header value:"
#
# and detects some header is missing or was overwritten along the wire, the request will be dropped.
#
# We can relax this policy a bit however, since there are situations in which Cache systems (such as Cloudflare) could tamper with our
# requests thus breaking Malleable contracts. What we can do is to specify list of headers, that should be overwritten back to their values
# defined in provided Malleable profile.
#
# So for example, if our profile expects:
# header "Accept-Encoding" "gzip, deflate";
#
# but we receive a request having following header set instead:
# Accept-Encoding: gzip
#
# Because it was tampered along the wire by some of the interim systems (such as web-proxies or caches), we can
# detect that and set that header's value back to what was expected in Malleable profile.
#
# In order to protect Accept-Encoding header, as an example, the following configuration could be used:
# repair_these_headers:
# - Accept-Encoding
#
# Default: <empty-list>
#
#repair_these_headers:
# - Accept-Encoding
#
# This option specifies which headers coming from Teamserver responses should be removed before
# reaching Beacon process. With Cobalt Strike 4.7+ I noticed that Teamserver removes Content-Encoding header
# automatically without any notice, thus violating our malleable http-(get|post).server contract.
# Since RedWarden followed the contract, Beacon was either dropping responses or decompressing them incorrectly.
#
# Either way, with Cobalt Strike 4.7+ we need to remove Content-Encoding header from responses to keep on going.
#
remove_these_response_headers:
- Content-Encoding
#
# Malleable Redirector plugin can act as a basic oracle API responding to calls
# containing full request contents with classification whether that request would be
# blocked or passed along. The API may be used by custom payload droppers, HTML Smuggling
# payloads or any other javascript-based landing pages.
#
# The way to invoke it is as follows:
# 1. Issue a POST request to the RedWarden server with the below specified URI in path.
# 2. Include following JSON in your POST request:
#
# POST /malleable_redirector_hidden_api_endpoint
# Content-Type: application/json
#
# {
# "peerIP" : "IP-of-connecting-Peer",
# "headers" : {
# "headerName1" : "headerValue1",
# ...
# "headerNameN" : "headerValueN",
# },
# }
#
# If "peerIP" is empty (or was not given), RedWarden will try to extract peer's IP from HTTP
# headers such as (X-Forwarded-For, CF-Connecting-IP, X-Real-IP, etc.). If no IP will be present
# in headers, an error will be returned.:
#
# HTTP 404 Not Found
# {
# "error" : "number",
# "message" : "explanation"
# }
#
# RedWarden will take any non-empty field from a given JSON and evaluate it as it would do
# under currently provided configuration and all the knowledge it possesses.
# The response will contain following JSON:
#
# {
# "action": "allow|drop",
# "peerIP" : "returned-peerIP",
# "ipgeo" : {ip-geo-metadata-extracted}
# "message": "explanation",
# "reason": "reason",
# "drop_type": "proxy|reset|redirect",
# "action_url": ["proxy-URL-1|redirect-URL-1", ..., "proxy-URL-N|redirect-URL-N"]
# }
#
# Availbale Allow/Drop reasons for this endpoint:
# ALLOW:
# - Reason: 99 - Peer IP and HTTP headers did not contain anything suspicious
# - Reason: 1 - peer's IP address is whitelisted
# - Reason: 2 - Peer's IP was added dynamically to a whitelist based on a number of allowed requests
# DROP:
# - Reason: 2 - HTTP header name contained banned word
# - Reason: 3 - HTTP header value contained banned word
# - Reason: 4a - Peer's IP address is blacklisted
# - Reason: 4b - Peer's reverse-IP lookup contained banned word
# - Reason: 4c - Peer's IP lookup organization field contained banned word
# - Reason: 4d - Peer's IP geolocation DID NOT met expected conditions
# - Reason: 4e - Peer's IP geolocation metadata contained banned keyword! Peer banned in generic fashion
#
# Sample curl to debug:
# $ curl -sD- --request POST --data "{\"headers\":{\"Accept\": \"*/*\", \"Sec-Fetch-Site\": \"same-origin\", \
# \"Sec-Fetch-Mode\": \"no-cors\", \"Sec-Fetch-Dest\": \"script\", \"Accept-Language\": \"en-US,en;q=0.9\", \
# \"Cookie\": \"__cfduid2=cHux014r17SG3v4gPUrZ0BZjDabMTY2eWDj1tuYdREBg\", \"User-Agent\": \
# \"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\"}}" \
# https://attacker.com/12345678-9abc-def0-1234-567890abcdef
#
# Default: Turned off / not available
#
#malleable_redirector_hidden_api_endpoint: /12345678-9abc-def0-1234-567890abcdef