
The Blue Team's Counterattack

Remember the article from 360 a few days ago, "A Brief Analysis of Scanning CobaltStrike Beacon Staging Servers" (淺析CobaltStrike Beacon Staging Server掃描)?

It hurt the red team folks quite a bit. Of course, L.N and other big names later put out the corresponding solution:

"On the Problem of CobaltStrike Stagers Being Scanned" (關于CobaltStrike的Stager被掃問題)

That one is about the stager, though. Beyond it there are also tools like CobaltStrikeScan (https://github.com/Apr4h/CobaltStrikeScan.git), which looks for Cobalt Strike beacons in process memory and extracts their configuration, as well as countermeasures aimed at execute-assembly. All in all, life is really rough for the red team.


So today we'll keep making life hard for the red team. First, a quick primer on a few concepts:

What is a stage (stageless)?

A stage is a stageless stager; you can think of it simply as the stager combined with the data it would otherwise request. A stage is safer than a stager but larger. When tunnelling through an internal network you can basically only use a stage: a stager is very awkward there, since it transfers the payload in segments, and using a stager sometimes means the target never checks in. The only drawback of a stage is its comparatively larger size.

What is a stager?

A stager is really a very simple loader: a piece of shellcode that makes a request over a socket-based protocol. Its job is to request a chunk of data from the teamserver (C2); the leading bytes of that data hold the length of the shellcode, and the rest is the shellcode itself. Once the data is received, it jumps to the memory where the shellcode sits and starts executing it.

What is Malleable-C2?

See the earlier article on this public account: Malleable-C2-Profiles configuration (Malleable-C2-Profiles配置).

In a typical engagement most of what we use are stagers, with a Malleable-C2 profile configured (redirectors, CDN and so on) to achieve our various goals. What we are looking at today is a defensive tool aimed at stageless payloads: CobaltStrikeParser (https://github.com/Sentinel-One/CobaltStrikeParser).

I won't go into how the tool works internally; let's go straight to usage. Skipping download and installation, it is used as follows:

python3 parse_encrypted_beacon_config.py --version 4 --json path

or

python3 parse_beacon_config.py --version 4 --json path           

Here, my profile file contains the following:

set sleeptime "30000";
set jitter    "20"; 
set maxdns    "255";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";

http-get {

    set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2";

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";

        metadata {
            netbios;
            prepend "PREF=ID=";
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "application/vnd.google.safebrowsing-chunk";
        header "X-Content-Type-Options" "nosniff";
        header "Content-Encoding" "gzip";
        header "X-XSS-Protection" "1; mode=block";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Cache-Control" "public,max-age=172800";
        header "Age" "1222";
        header "Alternate-Protocol" "80:quic";

        output {
            print;
        }
    }
}

http-post {
    
    set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4";

    client {
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
        header "Accept-Language" "en-US,en;q=0.5";
        header "Accept-Encoding" "gzip, deflate";
        
        id {
            netbios;
            prepend "U=779b64e1a7ed737a";
            prepend "PREF=ID=";
            header "Cookie";
        }
        
        output {
            print;
        }
    }

    server {
        header "Content-Type" "application/vnd.google.safebrowsing-chunk";
        header "X-Content-Type-Options" "nosniff";
        header "Content-Encoding" "gzip";
        header "X-XSS-Protection" "1; mode=block";
        header "X-Frame-Options" "SAMEORIGIN";
        header "Cache-Control" "public,max-age=172800";
        header "Age" "1222";
        header "Alternate-Protocol" "80:quic";
        output {
            print;
        }
    }
}

Then test the generated exe with the tool:

Pretty-printing the JSON gives:

{
"BeaconType": [
"HTTP"
],
"Port": 4567,
"SleepTime": 30000,
"MaxGetSize": 1048576,
"Jitter": 20,
"MaxDNS": "Not Found",
"C2Server": "192.168.1.106,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",
"UserAgent": "Not Found",
"HttpPostUri": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",
"Malleable_C2_Instructions": [],
"HttpGet_Metadata": "Not Found",
"HttpPost_Metadata": "Not Found",
"SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
"PipeName": "Not Found",
"DNS_Idle": "Not Found",
"DNS_Sleep": "Not Found",
"SSH_Host": "Not Found",
"SSH_Port": "Not Found",
"SSH_Username": "Not Found",
"SSH_Password_Plaintext": "Not Found",
"SSH_Password_Pubkey": "Not Found",
"HttpGet_Verb": "GET",
"HttpPost_Verb": "POST",
"HttpPostChunk": 0,
"Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
"Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
"CryptoScheme": 0,
"Proxy_Config": "Not Found",
"Proxy_User": "Not Found",
"Proxy_Password": "Not Found",
"Proxy_Behavior": "Use IE settings",
"Watermark": 1359593325,
"bStageCleanup": "False",
"bCFGCaution": "False",
"KillDate": 0,
"bProcInject_StartRWX": "True",
"bProcInject_UseRWX": "True",
"bProcInject_MinAllocSize": 0,
"ProcInject_PrependAppend_x86": "Empty",
"ProcInject_PrependAppend_x64": "Empty",
"ProcInject_Execute": [
"CreateThread",
"SetThreadContext",
"CreateRemoteThread",
"RtlCreateUserThread"
],
"ProcInject_AllocationMethod": "VirtualAllocEx",
"bUsesCookies": "True",
"HostHeader": ""
}           
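As an added illustration (not code from the article or from CobaltStrikeParser), here is a minimal Python version of what such a tool does to produce a dump like the one above: locate the XOR-obfuscated config block inside a binary by the pattern of its first record header, de-obfuscate it, and walk the index/type/length records. The record layout and the 4.x key byte are stated as assumptions in the comments, the sample bytes are constructed to mirror the values in the dump, and the function names (build_sample_blob, find_config, parse_beacon_config) are mine.

```python
import struct
# Assumed record layout of a Cobalt Strike 4.x beacon config (as CobaltStrikeParser decodes it):
# big-endian 2-byte index, 2-byte type, 2-byte length, payload; whole block XORed with one key byte.
XOR_KEY_V4 = 0x2E
TYPE_SHORT, TYPE_INT, TYPE_STR = 1, 2, 3
PACK_FMT = {TYPE_SHORT: ">H", TYPE_INT: ">I"}
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 8: "C2Server", 10: "HttpPostUri", 37: "Watermark"}

def encode_setting(index, kind, value):
    # One TLV record; numeric types are packed, strings are passed in as bytes.
    payload = struct.pack(PACK_FMT[kind], value) if kind in PACK_FMT else value
    return struct.pack(">HHH", index, kind, len(payload)) + payload

def build_sample_blob():
    """Constructed sample: filler bytes, then a config mirroring the article's dump."""
    records = [
        encode_setting(1, TYPE_SHORT, 0),          # BeaconType: 0 = HTTP
        encode_setting(2, TYPE_SHORT, 4567),       # Port
        encode_setting(3, TYPE_INT, 30000),        # SleepTime
        encode_setting(5, TYPE_SHORT, 20),         # Jitter
        encode_setting(8, TYPE_STR, b"192.168.1.106,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2".ljust(256, b"\0")),
        encode_setting(10, TYPE_STR, b"/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4".ljust(64, b"\0")),
        encode_setting(37, TYPE_INT, 1359593325),  # Watermark
        b"\0\0",                                   # index 0 terminates the list
    ]
    config = bytes(b ^ XOR_KEY_V4 for b in b"".join(records))
    return b"MZ" + b"\x90" * 64 + config

def find_config(blob, key=XOR_KEY_V4):
    marker = bytes(b ^ key for b in struct.pack(">HHH", 1, TYPE_SHORT, 2))  # obfuscated first header
    return blob.find(marker)

def parse_beacon_config(blob, key=XOR_KEY_V4):
    start = find_config(blob, key)
    if start < 0:
        return None                                # no config under this key
    data = bytes(b ^ key for b in blob[start:])    # de-obfuscate from the hit onward
    config, pos = {}, 0
    while pos + 6 <= len(data):
        index, kind, length = struct.unpack(">HHH", data[pos:pos + 6])
        if index == 0:
            break
        payload = data[pos + 6:pos + 6 + length]
        pos += 6 + length
        if kind in PACK_FMT:
            value = struct.unpack(PACK_FMT[kind], payload)[0]
        else:
            value = payload.rstrip(b"\0").decode("latin-1")
        config[FIELD_NAMES.get(index, f"Unknown_{index}")] = value
    return config
```

Running parse_beacon_config(build_sample_blob()) returns a dict with the same Port, SleepTime, Jitter, C2Server, HttpPostUri and Watermark values as the dump above; a wrong key byte yields None because the header pattern is not found.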

As you can clearly see, our configuration can be dumped straight out of the binary. So how should the red team side counter this? Once you look at this spot in the tool's source code, it should become clear:


Just like bypassing CobaltStrikeScan, the whole thing comes down to a single detail.