还记得前几天,360的一篇文章:浅析CobaltStrike Beacon Staging Server扫描
弄得红队同学很受伤啊,当然,后面L.N等大佬也是给出了相关的解法:
当然,这是关于Stager的。除了这个之外,还有比如CobaltStrikeScan:https://github.com/Apr4h/CobaltStrikeScan.git 用来在process memory 中查找 Cobalt Strike beacons 并且给出 configuration. 又或者针对于execute-assembly.的反制,总之,红队是真滴惨。
那么我们今天就继续来迫害红队。首先来科普性的说明几个概念:
什么是stage(stageless)?
stage是无阶段的stager,可以直接理解成,stage是stager与它所请求的数据的集合体。stage比stager更安全,但是体积更大。而且在内网穿透的时候基本只能用stage,用stager会十分麻烦,stager是分段传输payload的,使用stager有时候会导致目标无法上线。stage唯一的缺点是相比较而言体积比较大。
什么是stager?
stager其实是一段很简单的加载器,是socketedi协议请求的一段shellcode,它的作用是向teamserver(C2)请求一段数据,这些数据前是个字节是shellcode的长度,后面是shellcode。接收到数据后跳转到shellcode所在的内存处开始运行。
什么是Malleable-C2?
这个可以参考公众号之前的文章:Malleable-C2-Profiles配置
而我们在一般的渗透过程中使用的大部分都是stager,并且会进行Malleable-C2-Profiles配置,其中包括重定向、CDN等等的设置,来达到我们的各式各样的目的。而今天要说的就是一个针对stageless的防御工具:CobaltStrikeParser(https://github.com/Sentinel-One/CobaltStrikeParser)
工具原理就不多说了,直接来看使用吧,下载、安装直接跳过,使用方法如下:
python3 parse_encrypted_beacon_config.py --version 4 --json path或python3 parse_beacon_config.py --version 4 --json path
这里,我的profile文件内容如下:
set sleeptime "30000";set jitter "20";set maxdns "255";set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";http-get {set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2";client {header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";header "Accept-Language" "en-US,en;q=0.5";header "Accept-Encoding" "gzip, deflate";metadata {netbios;prepend "PREF=ID=";header "Cookie";}}server {header "Content-Type" "application/vnd.google.safebrowsing-chunk";header "X-Content-Type-Options" "nosniff";header "Content-Encoding" "gzip";header "X-XSS-Protection" "1; mode=block";header "X-Frame-Options" "SAMEORIGIN";header "Cache-Control" "public,max-age=172800";header "Age" "1222";header "Alternate-Protocol" "80:quic";output {print;}}}http-post {set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4";client {header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";header "Accept-Language" "en-US,en;q=0.5";header "Accept-Encoding" "gzip, deflate";id {netbios;prepend "U=779b64e1a7ed737a";prepend "PREF=ID=";header "Cookie";}output {print;}}server {header "Content-Type" "application/vnd.google.safebrowsing-chunk";header "X-Content-Type-Options" "nosniff";header "Content-Encoding" "gzip";header "X-XSS-Protection" "1; mode=block";header "X-Frame-Options" "SAMEORIGIN";header "Cache-Control" "public,max-age=172800";header "Age" "1222";header "Alternate-Protocol" "80:quic";output {print;}}}
然后使用工具测试生成的exe文件:
对json进行格式化得到:
{"BeaconType": ["HTTP"],"Port": 4567,"SleepTime": 30000,"MaxGetSize": 1048576,"Jitter": 20,"MaxDNS": "Not Found","C2Server": "192.168.1.106,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2","UserAgent": "Not Found","HttpPostUri": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4","Malleable_C2_Instructions": [],"HttpGet_Metadata": "Not Found","HttpPost_Metadata": "Not Found","SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==","PipeName": "Not Found","DNS_Idle": "Not Found","DNS_Sleep": "Not Found","SSH_Host": "Not Found","SSH_Port": "Not Found","SSH_Username": "Not Found","SSH_Password_Plaintext": "Not Found","SSH_Password_Pubkey": "Not Found","HttpGet_Verb": "GET","HttpPost_Verb": "POST","HttpPostChunk": 0,"Spawnto_x86": "%windir%\syswow64\rundll32.exe","Spawnto_x64": "%windir%\sysnative\rundll32.exe","CryptoScheme": 0,"Proxy_Config": "Not Found","Proxy_User": "Not Found","Proxy_Password": "Not Found","Proxy_Behavior": "Use IE settings","Watermark": 1359593325,"bStageCleanup": "False","bCFGCaution": "False","KillDate": 0,"bProcInject_StartRWX": "True","bProcInject_UseRWX": "True","bProcInject_MinAllocSize": 0,"ProcInject_PrependAppend_x86": "Empty","ProcInject_PrependAppend_x64": "Empty","ProcInject_Execute": ["CreateThread","SetThreadContext","CreateRemoteThread","RtlCreateUserThread"],"ProcInject_AllocationMethod": "VirtualAllocEx","bUsesCookies": "True","HostHeader": ""}
可以清晰的看到能够直接dump出来我们的配置内容。而作为红队的同学,如何去进行对抗呢?想必看到工具源码的该位置,大家就可以明白了:
就像绕过CobaltStrikeScan一样,细节只在一点而已。
本文始发于微信公众号(鸿鹄实验室):蓝队的反制
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论