蓝队的反制

  • A+
所属分类:安全文章

  还记得前几天,360的一篇文章:浅析CobaltStrike Beacon Staging Server扫描

   弄得红队同学很受伤啊,当然,后面L.N等大佬也是给出了相关的解法:

  关于CobaltStrike的Stager被扫问题

当然,这是关于Stager的。除了这个之外,还有比如CobaltStrikeScan:https://github.com/Apr4h/CobaltStrikeScan.git 用来在process memory 中查找 Cobalt Strike beacons 并且给出 configuration. 又或者针对于execute-assembly.的反制,总之,红队是真滴惨。


蓝队的反制

 

  那么我们今天就继续来迫害红队。首先来科普性的说明几个概念:


什么是stage(stageless)?


stage是无阶段的stager,可以直接理解成,stage是stager与它所请求的数据的集合体。stage比stager更安全,但是体积更大。而且在内网穿透的时候基本只能用stage,用stager会十分麻烦,stager是分段传输payload的,使用stager有时候会导致目标无法上线。stage唯一的缺点是相比较而言体积比较大。


什么是stager?


stager其实是一段很简单的加载器,是socketedi协议请求的一段shellcode,它的作用是向teamserver(C2)请求一段数据,这些数据前是个字节是shellcode的长度,后面是shellcode。接收到数据后跳转到shellcode所在的内存处开始运行。


什么是Malleable-C2?


这个可以参考公众号之前的文章:Malleable-C2-Profiles配置


而我们在一般的渗透过程中使用的大部分都是stager,并且会进行Malleable-C2-Profiles配置,其中包括重定向、CDN等等的设置,来达到我们的各式各样的目的。而今天要说的就是一个针对stageless的防御工具:CobaltStrikeParser(https://github.com/Sentinel-One/CobaltStrikeParser)


蓝队的反制


工具原理就不多说了,直接来看使用吧,下载、安装直接跳过,使用方法如下:


python3 parse_encrypted_beacon_config.py --version 4 --json path

python3 parse_beacon_config.py --version 4 --json path


这里,我的profile文件内容如下:


set sleeptime "30000";set jitter    "20"; set maxdns    "255";set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
http-get {
set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2";
client { header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; header "Accept-Language" "en-US,en;q=0.5"; header "Accept-Encoding" "gzip, deflate";
metadata { netbios; prepend "PREF=ID="; header "Cookie"; } }
server { header "Content-Type" "application/vnd.google.safebrowsing-chunk"; header "X-Content-Type-Options" "nosniff"; header "Content-Encoding" "gzip"; header "X-XSS-Protection" "1; mode=block"; header "X-Frame-Options" "SAMEORIGIN"; header "Cache-Control" "public,max-age=172800"; header "Age" "1222"; header "Alternate-Protocol" "80:quic";
output { print; } }}
http-post { set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4";
client { header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; header "Accept-Language" "en-US,en;q=0.5"; header "Accept-Encoding" "gzip, deflate"; id { netbios; prepend "U=779b64e1a7ed737a"; prepend "PREF=ID="; header "Cookie"; } output { print; } }
server { header "Content-Type" "application/vnd.google.safebrowsing-chunk"; header "X-Content-Type-Options" "nosniff"; header "Content-Encoding" "gzip"; header "X-XSS-Protection" "1; mode=block"; header "X-Frame-Options" "SAMEORIGIN"; header "Cache-Control" "public,max-age=172800"; header "Age" "1222"; header "Alternate-Protocol" "80:quic"; output { print; } }}


然后使用工具测试生成的exe文件:


蓝队的反制


对json进行格式化得到:


{"BeaconType": ["HTTP"],"Port": 4567,"SleepTime": 30000,"MaxGetSize": 1048576,"Jitter": 20,"MaxDNS": "Not Found","C2Server": "192.168.1.106,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2","UserAgent": "Not Found","HttpPostUri": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4","Malleable_C2_Instructions": [],"HttpGet_Metadata": "Not Found","HttpPost_Metadata": "Not Found","SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==","PipeName": "Not Found","DNS_Idle": "Not Found","DNS_Sleep": "Not Found","SSH_Host": "Not Found","SSH_Port": "Not Found","SSH_Username": "Not Found","SSH_Password_Plaintext": "Not Found","SSH_Password_Pubkey": "Not Found","HttpGet_Verb": "GET","HttpPost_Verb": "POST","HttpPostChunk": 0,"Spawnto_x86": "%windir%\syswow64\rundll32.exe","Spawnto_x64": "%windir%\sysnative\rundll32.exe","CryptoScheme": 0,"Proxy_Config": "Not Found","Proxy_User": "Not Found","Proxy_Password": "Not Found","Proxy_Behavior": "Use IE settings","Watermark": 1359593325,"bStageCleanup": "False","bCFGCaution": "False","KillDate": 0,"bProcInject_StartRWX": "True","bProcInject_UseRWX": "True","bProcInject_MinAllocSize": 0,"ProcInject_PrependAppend_x86": "Empty","ProcInject_PrependAppend_x64": "Empty","ProcInject_Execute": ["CreateThread","SetThreadContext","CreateRemoteThread","RtlCreateUserThread"],"ProcInject_AllocationMethod": "VirtualAllocEx","bUsesCookies": "True","HostHeader": ""}


可以清晰的看到能够直接dump出来我们的配置内容。而作为红队的同学,如何去进行对抗呢?想必看到工具源码的该位置,大家就可以明白了:


蓝队的反制



就像绕过CobaltStrikeScan一样,细节只在一点而已。


     ▼
更多精彩推荐,请关注我们

蓝队的反制



本文始发于微信公众号(鸿鹄实验室):蓝队的反制

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: