蓝队的反制
还记得前几天,360的一篇文章:浅析CobaltStrike Beacon Staging Server扫描
弄得红队同学很受伤啊,当然,后面L.N等大佬也是给出了相关的解法:
当然,这是关于Stager的。除了这个之外,还有比如CobaltStrikeScan:https://github.com/Apr4h/CobaltStrikeScan.git 用来在process memory 中查找 Cobalt Strike beacons 并且给出 configuration. 又或者针对于execute-assembly.的反制,总之,红队是真滴惨。
那么我们今天就继续来迫害红队。首先来科普性的说明几个概念:
什么是stage(stageless)?
stage是无阶段的stager,可以直接理解成,stage是stager与它所请求的数据的
集合体。stage比stager更安全,但是体积更大。而且在内网穿透的时候基本只能用
stage,用stager会十分麻烦,stager是分段传输payload的,使用stager有时候
会导致目标无法上线。stage唯一的缺点是相比较而言体积比较大。什么是stager?
stager其实是一段很简单的加载器,是socketedi协议请求的一段shellcode,它
的作用是向teamserver(C2)请求一段数据,这些数据前是个字节是shellcode的长
度,后面是shellcode。接收到数据后跳转到shellcode所在的内存处开始运行。什么是Malleable-C2?
这个可以参考公众号之前的文章:Malleable-C2-Profiles配置
而我们在一般的渗透过程中使用的大部分都是stager,并且会进行Malleable-C2-Profiles配置,其中包括重定向、CDN等等的设置,来达到我们的各式各样的目的。而今天要说的就是一个针对stageless的防御工具:CobaltStrikeParser(https://github.com/Sentinel-One/CobaltStrikeParser)
工具原理就不多说了,直接来看使用吧,下载、安装直接跳过,使用方法如下:
python3 parse_encrypted_beacon_config.py --version 4 --json path
或
python3 parse_beacon_config.py --version 4 --json path这里,我的profile文件内容如下:
set sleeptime "30000";
set jitter "20";
set maxdns "255";
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
http-get {
set uri "/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2";
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
metadata {
netbios;
prepend "PREF=ID=";
header "Cookie";
}
}
server {
header "Content-Type" "application/vnd.google.safebrowsing-chunk";
header "X-Content-Type-Options" "nosniff";
header "Content-Encoding" "gzip";
header "X-XSS-Protection" "1; mode=block";
header "X-Frame-Options" "SAMEORIGIN";
header "Cache-Control" "public,max-age=172800";
header "Age" "1222";
header "Alternate-Protocol" "80:quic";
output {
print;
}
}
}
http-post {
set uri "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4";
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Accept-Language" "en-US,en;q=0.5";
header "Accept-Encoding" "gzip, deflate";
id {
netbios;
prepend "U=779b64e1a7ed737a";
prepend "PREF=ID=";
header "Cookie";
}
output {
print;
}
}
server {
header "Content-Type" "application/vnd.google.safebrowsing-chunk";
header "X-Content-Type-Options" "nosniff";
header "Content-Encoding" "gzip";
header "X-XSS-Protection" "1; mode=block";
header "X-Frame-Options" "SAMEORIGIN";
header "Cache-Control" "public,max-age=172800";
header "Age" "1222";
header "Alternate-Protocol" "80:quic";
output {
print;
}
}
}
然后使用工具测试生成的exe文件:
对json进行格式化得到:
{
"BeaconType": [
"HTTP"
],
"Port": 4567,
"SleepTime": 30000,
"MaxGetSize": 1048576,
"Jitter": 20,
"MaxDNS": "Not Found",
"C2Server": "192.168.1.106,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2",
"UserAgent": "Not Found",
"HttpPostUri": "/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4",
"Malleable_C2_Instructions": [],
"HttpGet_Metadata": "Not Found",
"HttpPost_Metadata": "Not Found",
"SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
"PipeName": "Not Found",
"DNS_Idle": "Not Found",
"DNS_Sleep": "Not Found",
"SSH_Host": "Not Found",
"SSH_Port": "Not Found",
"SSH_Username": "Not Found",
"SSH_Password_Plaintext": "Not Found",
"SSH_Password_Pubkey": "Not Found",
"HttpGet_Verb": "GET",
"HttpPost_Verb": "POST",
"HttpPostChunk": 0,
"Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
"Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
"CryptoScheme": 0,
"Proxy_Config": "Not Found",
"Proxy_User": "Not Found",
"Proxy_Password": "Not Found",
"Proxy_Behavior": "Use IE settings",
"Watermark": 1359593325,
"bStageCleanup": "False",
"bCFGCaution": "False",
"KillDate": 0,
"bProcInject_StartRWX": "True",
"bProcInject_UseRWX": "True",
"bProcInject_MinAllocSize": 0,
"ProcInject_PrependAppend_x86": "Empty",
"ProcInject_PrependAppend_x64": "Empty",
"ProcInject_Execute": [
"CreateThread",
"SetThreadContext",
"CreateRemoteThread",
"RtlCreateUserThread"
],
"ProcInject_AllocationMethod": "VirtualAllocEx",
"bUsesCookies": "True",
"HostHeader": ""
}可以清晰的看到能够直接dump出来我们的配置内容。而作为红队的同学,如何去进行对抗呢?想必看到工具源码的该位置,大家就可以明白了:
就像绕过CobaltStrikeScan一样,细节只在一点而已。
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-02-02,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
相关产品与服务
内容分发网络 CDN
内容分发网络(Content Delivery Network,CDN)通过将站点内容发布至遍布全球的海量加速节点,使其用户可就近获取所需内容,避免因网络拥堵、跨运营商、跨地域、跨境等因素带来的网络不稳定、访问延迟高等问题,有效提升下载速度、降低响应时间,提供流畅的用户体验。