
Cobalt Strike process injection: reproducing and detecting the CreateRemoteThread case

Posted: 2023-07-18 12:11:13

Two machines on the internal network; the steps were as follows:


I used a PowerShell reverse shell to run it:

The Sysmon data that was collected:

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:00:37.856
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50782
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

 

Network connection detected:
RuleName: -
UtcTime: 2023-07-18 03:00:37.855
ProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
ProcessId: 8404
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50781
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

 

The heartbeat interval of the CS HTTP reverse shell C2 traffic is observed to be 1s:

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:06:37.940
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50801
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -


Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:07:37.993
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50803
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:08:38.015
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50805
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -


Data collected for the process injection itself:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 02:59:37.841
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
TargetProcessId: 5152
TargetImage: C:\Windows\explorer.exe
NewThreadId: 9208
StartAddress: 0x0000000004D50000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee


Open-source detection rule: ==> damn, the start address here doesn't match this rule at all, GG!

title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
    - attack.defense_evasion
    - attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'    # ==> the rule matches on the thread start address
    condition: selection
falsepositives:
    - Unknown
level: high


Next, try injecting into another process, Calculator:

The injection succeeded; look at the Sysmon data collected:


Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:19:02.356
ProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
ProcessId: 4180
Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50864
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:18:38.273
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
TargetProcessId: 4180
TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
NewThreadId: 8752
StartAddress: 0x0000023C5A950000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee


Also, after the injection, Process Explorer (procexp) shows suspicious DLL loads in the target:


Summary:

1. Detect the CreateRemoteThread API call directly.

2. Suspicious DLL loads.

3. Suspicious network connections (from explorer.exe, Notepad, Calculator, etc.)
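As an added example (not code from the original post), the two Event ID 8 records above are run through the quoted Sigma rule's suffix check, which misses both because its suffixes are fixed low-order address bytes, and through an assumed heuristic of my own: the new thread starts at a 64 KiB-aligned address that no loaded module backs (StartModule '-'), the shape a VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence leaves behind. The sample text is copied from the events on this page and trimmed; the function names are mine.

```python
import re
# Constructed sample: the two Sysmon Event ID 8 records quoted in this post, reduced
# to the fields used below (backslashes doubled for the Python literal).
SAMPLE_EVENTS = """\
CreateRemoteThread detected:
UtcTime: 2023-07-18 02:59:37.841
SourceImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x0000000004D50000
StartModule: -

CreateRemoteThread detected:
UtcTime: 2023-07-18 03:18:38.273
SourceImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
TargetImage: C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\\Calculator.exe
StartAddress: 0x0000023C5A950000
StartModule: -
"""
SIGMA_SUFFIXES = ("0B80", "0C7C", "0C88")  # StartAddress|endswith list of the Sigma rule

def parse_events(text):
    """Turn the text-rendered Sysmon output into one dict per 'Key: Value' block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines()[1:]:  # skip the '... detected:' header line
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def sigma_suffix_match(ev):
    """The quoted Sigma rule: fires only on a few fixed low-order address bytes."""
    return ev["StartAddress"].upper().endswith(SIGMA_SUFFIXES)

def unbacked_aligned_thread(ev):
    """Assumed heuristic: thread start is 64 KiB-aligned and no loaded module backs it
    (StartModule '-'); a legitimate remote thread normally starts inside an image."""
    addr = int(ev["StartAddress"], 16)
    return ev.get("StartModule", "-") == "-" and addr % 0x10000 == 0

def evaluate(text):
    """Return (target basename, sigma_hit, heuristic_hit) per CreateRemoteThread event."""
    return [(ev["TargetImage"].rsplit("\\", 1)[-1], sigma_suffix_match(ev),
             unbacked_aligned_thread(ev)) for ev in parse_events(text)]

if __name__ == "__main__":
    for target, sigma_hit, heur_hit in evaluate(SAMPLE_EVENTS):
        print(f"{target:15} sigma={sigma_hit!s:5} unbacked_aligned={heur_hit}")
```

Sysmon's text rendering of other Event ID 8 records can be fed to `evaluate` the same way; the alignment heuristic will also flag benign injectors such as some EDR and accessibility tools, so treat it as a hunting filter rather than a standalone alert.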

From: https://www.cnblogs.com/bonelee/p/17562571.html