蓝队的反制

admin
admin
admin
138635
文章
114
评论
2021年5月17日08:45:22评论230 views字数 3991阅读13分18秒阅读模式

  还记得前几天,360的一篇文章:浅析CobaltStrike Beacon Staging Server扫描

   弄得红队同学很受伤啊,当然,后面L.N等大佬也是给出了相关的解法:

  关于CobaltStrike的Stager被扫问题

当然,这是关于Stager的。除了这个之外,还有比如CobaltStrikeScan:https://github.com/Apr4h/CobaltStrikeScan.git 用来在process memory 中查找 Cobalt Strike beacons 并且给出 configuration. 又或者针对于execute-assembly.的反制,总之,红队是真滴惨。


蓝队的反制

 

  那么我们今天就继续来迫害红队。首先来科普性的说明几个概念:


什么是stage(stageless)?


stage是无阶段的stager,可以直接理解成,stage是stager与它所请求的数据的集合体。stage比stager更安全,但是体积更大。而且在内网穿透的时候基本只能用stage,用stager会十分麻烦,stager是分段传输payload的,使用stager有时候会导致目标无法上线。stage唯一的缺点是相比较而言体积比较大。


什么是stager?


stager其实是一段很简单的加载器,是socketedi协议请求的一段shellcode,它的作用是向teamserver(C2)请求一段数据,这些数据前是个字节是shellcode的长度,后面是shellcode。接收到数据后跳转到shellcode所在的内存处开始运行。


什么是Malleable-C2?


这个可以参考公众号之前的文章:Malleable-C2-Profiles配置


而我们在一般的渗透过程中使用的大部分都是stager,并且会进行Malleable-C2-Profiles配置,其中包括重定向、CDN等等的设置,来达到我们的各式各样的目的。而今天要说的就是一个针对stageless的防御工具:CobaltStrikeParser(https://github.com/Sentinel-One/CobaltStrikeParser)


蓝队的反制


工具原理就不多说了,直接来看使用吧,下载、安装直接跳过,使用方法如下:


python3 parse_encrypted_beacon_config.py --version 4 --json path

python3 parse_beacon_config.py --version 4 --json path


这里,我的profile文件内容如下:


set sleeptime "30000";set jitter    "20"; set maxdns    "255";set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
http-get {
    set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2";
    client {        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";        header "Accept-Language" "en-US,en;q=0.5";        header "Accept-Encoding" "gzip, deflate";
        metadata {            netbios;            prepend "PREF=ID=";            header "Cookie";        }    }
    server {        header "Content-Type" "application/vnd.google.safebrowsing-chunk";        header "X-Content-Type-Options" "nosniff";        header "Content-Encoding" "gzip";        header "X-XSS-Protection" "1; mode=block";        header "X-Frame-Options" "SAMEORIGIN";        header "Cache-Control" "public,max-age=172800";        header "Age" "1222";        header "Alternate-Protocol" "80:quic";
        output {            print;        }    }}
http-post {        set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4";
    client {        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";        header "Accept-Language" "en-US,en;q=0.5";        header "Accept-Encoding" "gzip, deflate";                id {            netbios;            prepend "U=779b64e1a7ed737a";            prepend "PREF=ID=";            header "Cookie";        }                output {            print;        }    }
    server {        header "Content-Type" "application/vnd.google.safebrowsing-chunk";        header "X-Content-Type-Options" "nosniff";        header "Content-Encoding" "gzip";        header "X-XSS-Protection" "1; mode=block";        header "X-Frame-Options" "SAMEORIGIN";        header "Cache-Control" "public,max-age=172800";        header "Age" "1222";        header "Alternate-Protocol" "80:quic";        output {            print;        }    }}


然后使用工具测试生成的exe文件:


蓝队的反制


对json进行格式化得到:


{"BeaconType": ["HTTP"],"Port": 4567,"SleepTime": 30000,"MaxGetSize": 1048576,"Jitter": 20,"MaxDNS": "Not Found","C2Server": "192.168.1.106,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2","UserAgent": "Not Found","HttpPostUri": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4","Malleable_C2_Instructions": [],"HttpGet_Metadata": "Not Found","HttpPost_Metadata": "Not Found","SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==","PipeName": "Not Found","DNS_Idle": "Not Found","DNS_Sleep": "Not Found","SSH_Host": "Not Found","SSH_Port": "Not Found","SSH_Username": "Not Found","SSH_Password_Plaintext": "Not Found","SSH_Password_Pubkey": "Not Found","HttpGet_Verb": "GET","HttpPost_Verb": "POST","HttpPostChunk": 0,"Spawnto_x86": "%windir%\syswow64\rundll32.exe","Spawnto_x64": "%windir%\sysnative\rundll32.exe","CryptoScheme": 0,"Proxy_Config": "Not Found","Proxy_User": "Not Found","Proxy_Password": "Not Found","Proxy_Behavior": "Use IE settings","Watermark": 1359593325,"bStageCleanup": "False","bCFGCaution": "False","KillDate": 0,"bProcInject_StartRWX": "True","bProcInject_UseRWX": "True","bProcInject_MinAllocSize": 0,"ProcInject_PrependAppend_x86": "Empty","ProcInject_PrependAppend_x64": "Empty","ProcInject_Execute": ["CreateThread","SetThreadContext","CreateRemoteThread","RtlCreateUserThread"],"ProcInject_AllocationMethod": "VirtualAllocEx","bUsesCookies": "True","HostHeader": ""}


可以清晰的看到能够直接dump出来我们的配置内容。而作为红队的同学,如何去进行对抗呢?想必看到工具源码的该位置,大家就可以明白了:


蓝队的反制



就像绕过CobaltStrikeScan一样,细节只在一点而已。


     ▼
更多精彩推荐,请关注我们

蓝队的反制



本文始发于微信公众号(鸿鹄实验室):蓝队的反制

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年5月17日08:45:22
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   蓝队的反制https://cn-sec.com/archives/258905.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息