
CS study notes: detection and config extraction

Posted: 2022-11-06 16:37:44  Views: 229
Tags: extraction, DNS, 443, Co, detection, https, CS, Found, com

## About Cobalt Strike

### What is Beacon

Beacon is the payload that Cobalt Strike runs on the target host. It serves the operator over a covert channel and is used for long-term control of the compromised host. It works much like a Metasploit Framework payload. In a real engagement it can be embedded in an executable, added to a Word document, or delivered by exploiting a vulnerability on the host.

### Toolkit

https://cobalt-strike.github.io/community_kit/

## Finding C&C servers

### Default certificate

A Cobalt Strike server ships with a default certificate whose serial number, issuer, subject and validity period have fixed values, shown below.

Default cert: ssl.cert.serial:146473198

https://www.shodan.io/search?query=ssl.cert.serial%3A146473198

If the attacker has not replaced it, these servers are easy to find with a Shodan query. At the time of writing, 800+ servers matched this certificate serial number. Example host: https://www.shodan.io/host/103.153.138.248

### HTTP response

For Cobalt Strike versions before 3.13 (https://download.cobaltstrike.com/releasenotes.txt), the HTTP response carries an extraneous space at the end of the HTTP status line.

### Malleable C2 profile

Documentation: https://trial.cobaltstrike.com/help-malleable-c2

Queries can be written from the large number of public Malleable C2 profiles. The example is a query that finds team servers using the Microsoft Update Malleable C2 profile. That profile uses www[.]windowsupdate.com and masquerades as a legitimate Microsoft certificate.

https://github.com/bluscreenofjeff/Malleable-C2-Randomizer/blob/master/Sample%20Templates/microsoftupdate_getonly.profile

ssl.cert.subject.cn:"www.windowsupdate.com"

### JARM (TLS fingerprinting)

Top 10 JARM fingerprints: https://github.com/carbonblack/active_c2_ioc_public/blob/main/cobaltstrike/JARM/jarm_cs_202107_uniq_sorted.txt

https://www.shodan.io/search?query=ssl.jarm%3A07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2

### Nmap

https://github.com/whickey-r7/grab_beacon_config
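As an added example (not code from the original post or from any of the tools it links), the following Python script implements two of the passive fingerprints just described so they can be checked offline against captured data: the default certificate serial 146473198, read from a DER certificate with a minimal ASN.1 walk, and the trailing space after the status line that pre-3.13 servers emit. The certificate skeletons and HTTP responses at the bottom are constructed inputs, and the function names are this example's own.

```python
# Added example, not part of the original post: two passive checks for the
# team-server fingerprints described above (default certificate serial and the
# trailing space after the HTTP status line on pre-3.13 servers).
# Inputs are constructed below so the script runs offline.

DEFAULT_CS_CERT_SERIAL = 146473198  # serial of the stock Cobalt Strike certificate


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag/length/value triple starting at pos.

    Returns (tag, value, position_after_value). Handles short and long
    length forms, which is all a certificate's outer structure needs.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, buf[pos:pos + length], pos + length


def cert_serial_number(cert_der: bytes) -> int:
    """Return serialNumber from a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    _, certificate, _ = der_tlv(cert_der)        # outer Certificate SEQUENCE
    _, tbs, _ = der_tlv(certificate)             # tbsCertificate SEQUENCE
    tag, value, nxt = der_tlv(tbs)
    if tag == 0xA0:                              # explicit [0] version present: skip it
        tag, value, nxt = der_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not where expected")
    return int.from_bytes(value, "big", signed=True)


def has_default_cs_serial(cert_der: bytes) -> bool:
    """True when the certificate still carries the stock team-server serial."""
    return cert_serial_number(cert_der) == DEFAULT_CS_CERT_SERIAL


def status_line_has_trailing_space(raw_response: bytes) -> bool:
    """Pre-3.13 team servers end the status line with an extra space
    ('HTTP/1.1 404 Not Found \\r\\n'). Only the first line is inspected."""
    status_line = raw_response.split(b"\r\n", 1)[0]
    return status_line.endswith(b" ")


# Constructed inputs: minimal DER skeletons holding only version and serial
# (enough for the parser; not real certificates) and two HTTP responses.
SAMPLE_DEFAULT_CERT = bytes.fromhex("300d300ba003020102020408bb00ee")  # serial 0x08BB00EE = 146473198
SAMPLE_OTHER_CERT = bytes.fromhex("300b3009a00302010202021234")        # serial 0x1234
SAMPLE_OLD_CS_RESPONSE = b"HTTP/1.1 404 Not Found \r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NORMAL_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("default serial:", has_default_cs_serial(SAMPLE_DEFAULT_CERT),
          has_default_cs_serial(SAMPLE_OTHER_CERT))
    print("trailing space:", status_line_has_trailing_space(SAMPLE_OLD_CS_RESPONSE),
          status_line_has_trailing_space(SAMPLE_NORMAL_RESPONSE))
```

A certificate obtained with `ssl.SSLSocket.getpeercert(binary_form=True)` can be passed straight to `cert_serial_number`, since a real v3 certificate starts with the same SEQUENCE/SEQUENCE/[0]/INTEGER layout. Either match is a lead to confirm with the other indicators on this page (JARM, public-key MD5), not proof on its own.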
### Common watermarks

The watermark is unique to each customer and can sometimes be tied to a specific threat group. The most common watermark is 0. A watermark of 0 indicates a cracked copy of Cobalt Strike, which threat actors commonly use in their campaigns. More interesting are 305419896, 1359593325 and 1580103814, each of which appears in more than 100 configs.

Watermark 305419896 has been linked to Maze ransomware: https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/

### Common URIs

- /submit.php
- /jquery-3.3.2.min.js

### SSL public keys

Besides the SSL certificate deployed on the team server itself, a Beacon is bundled with an additional SSL public key. It is one half of a public/private key pair that is generated on the server whenever someone installs Cobalt Strike. The public key is then embedded in every Beacon generated on that server and used for C2 check-ins. Note that this key pair is entirely separate from the SSL key pair used for the team server's HTTPS certificate. Unlike the watermark, the SSL public key stored in the Beacon config gives us a way to cluster Beacons. The key installed on each team server is in practice unique, but keys are frequently reused, for example when a virtual machine is redeployed. In some cases an attacker uses a single team server to configure payloads that are deployed from other servers under their control, which lets us discover, track and monitor their infrastructure. Overall, 37% of Beacons carry one of the top five SSL public keys. Several of the most popular keys belong to APT groups.

When Beacon IPs are collected from subscriptions or OSINT sources, it is common to find a few Beacons sharing the same SSL public key. Such a match may be irrelevant unless it yields further IP addresses and intelligence about the related infrastructure. This clustering technique is very helpful for expanding intelligence on C2 infrastructure; it has helped us find connections between various groups and campaigns, both currently and historically active.

https://www.shodan.io/search?query=server.publickey_md5%3A+defb5d95ce99e1ebbf421a1a38d9cb64

server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64

Several popular SSL public keys used by known threat groups (common public-key MD5s):

```text
defb5d95ce99e1ebbf421a1a38d9cb64
e9ae865f5ce035176457188409f6020a
81a3eeb8ceb74cf508f6bcfc408e0305
79b6e333634c506f6f710dde179796ed
1186914578623be126e5f3e8c058d719
8ac540617dddcdf575f6dc207abb7344
f61884abc8f4ba7a0caa288b326a70ee
94a0ea78a00b04d14d25e55dacba3ac3
c4fdbd072a73ab1b9087f716d5399807
0ce7b6482c1f24e42f2935f5026d338d
```

Public-key MD5 by group:

| MD5 | Beacon count | Group |
|---|---|---|
| 1186914578623be126e5f3e8c058d719 | 1412 | MAN1 |
| 8ac540617dddcdf575f6dc207abb7344 | 1318 | DoppelPaymer |
| f61884abc8f4ba7a0caa288b326a70ee | 621 | Kegtap |
| 0ce7b6482c1f24e42f2935f5026d338d | 257 | TA575/Dridex |
| b3e6b9dd84dae6be68cb40cda4366b77 | 23 | APT41 |
Top ten SSL public-key MD5s:

```text
e9ae865f5ce035176457188409f6020a
defb5d95ce99e1ebbf421a1a38d9cb64
79b6e333634c506f6f710dde179796ed
58c3c0a918d473ecd9f39285d17379ef
c4fdbd072a73ab1b9087f716d5399807
c9e300c118949adc574287b2a1264ec5
c2897b1cf5ecaee579935f2a31cd35a9
0ce7b6482c1f24e42f2935f5026d338d
8ccc9bf8410deef2f2008cde472662a5
13eb42adf1b78ea4e1ac3c87b4e3dd56
```

The vast majority of SSL public keys extracted from the Beacon config collection cluster with one or more Beacons already in the existing database.

### Cobalt Strike DNS redirectors

A method of fingerprinting team servers from their DNS responses: Detecting Exposed Cobalt Strike DNS Redirectors, https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors/

Search Shodan for Beacon IPs and save them locally (see the next section).

The vast majority of Beacons are configured with 0.0.0.0 as the DNS idle IP. As the F-Secure researchers note, the 0.0.0.0 DNS idle value is the default and should not be used in production. We can therefore probe DNS servers for a 0.0.0.0 answer in the A record, which serves as another reliable mechanism for identifying team servers in the wild.

checkDNS.py (the `cdef` typo and the undefined `valid_ip` helper of the original are fixed here; `sr1` needs raw-socket privileges):

```python
import ipaddress

from scapy.all import sr1, RandShort
from scapy.layers.dns import DNSRR, DNS, DNSQR
from scapy.layers.inet import IP, UDP


def valid_ip(addr) -> bool:
    # The original called an undefined valid_ip(); this stdlib check stands in for it.
    try:
        ipaddress.ip_address(str(addr))
        return True
    except ValueError:
        return False


def query(ip, qname, qtype):
    # One recursive query sent directly to the host under test; returns the first answer's rdata.
    pkt = IP(dst=ip) / UDP(sport=RandShort(), dport=53) / DNS(rd=1, qd=DNSQR(qname=qname, qtype=qtype))
    ans = sr1(pkt, verbose=False, timeout=0.5)
    return ans[DNSRR][0].rdata


def checkDNS(name):
    ip = name
    try:
        # A Cobalt Strike DNS listener answers every query with an A record holding its idle IP,
        # so a TXT lookup and two unrelated A lookups all come back with the same address.
        ansTXT = query(ip, "google.com", "TXT")
        ansA1 = query(ip, "amazon.com", "A")
        ansA2 = query(ip, "google.com", "A")
        if ansTXT == ansA1 and ansA1 == ansA2 and ansA2 != '' and valid_ip(ansA1):
            print("[+] Cs Detected: " + ip + " replied with: " + str(ansTXT))
    except Exception:
        # timeouts (ans is None), non-DNS hosts and answers without a DNSRR are skipped
        pass


def nslookup(target: str) -> None:
    DNS_PORT = 53
    DNS_SERVER = "8.8.8.8"
    msg = IP(dst=DNS_SERVER) / UDP(dport=DNS_PORT) / DNS(rd=1, qd=DNSQR(qname=target))
    ans = sr1(msg, verbose=0)
    print(ans[DNSRR].rdata)


if __name__ == '__main__':
    # name = "49.232.161.221"
    # checkDNS(name)
    # nslookup("google.com")
    # cobalt.txt: one candidate IP per line, e.g. saved from the Shodan search in the next section
    with open("cobalt.txt", 'r', encoding='UTF-8', errors='ignore') as f:
        while True:
            line = f.readline()
            if not line:
                break
            checkDNS(line.strip())
```

This information helps when monitoring DNS requests at network egress points for signs of Beacon DNS activity, and when using DNS C2 traffic to support forensic investigation of in-memory payloads.

## C2 OSINT

### Shodan

https://www.shodan.io/search?query=product%3A%22Cobalt+Strike+Beacon%22

```bash
> pip install shodan
> shodan init YOUR_API_KEY
> shodan search --fields ip_str,port,org,hostnames server.publickey_md5: defb5d95ce99e1ebbf421a1a38d9cb64
101.43.208.122 80 Tencent Cloud Computing (Beijing) Co., Ltd
110.42.159.151 443 Tencent cloud computing (Beijing) Co., Ltd.
101.43.208.122 8443 Tencent Cloud Computing (Beijing) Co., Ltd
147.78.47.231 443 M Nets SAL undefined.hostname.localhost
31.44.184.187 443 Petersburg Internet Network ltd.
39.109.68.117 443 HONG KONG BRIDGE INFO-TECH LIMITED
47.96.120.47 80 Aliyun Computing Co., LTD
116.204.211.180 80
5.199.162.174 80 UAB Cherry Servers
49.232.161.221 443 Tencent cloud computing (Beijing) Co., Ltd.
5.199.162.174 443 UAB Cherry Servers
81.71.133.220 80 Tencent Cloud Computing (Beijing) Co., Ltd
103.146.179.94 443 HONGKONG NEWS COMMENTARY AGENCY CO. ,LIMITED
117.50.37.182 80 Shanghai UCloud Information Technology Company Limited
103.146.179.94 80 HONGKONG NEWS COMMENTARY AGENCY CO. ,LIMITED
31.44.184.73 80 Petersburg Internet Network ltd.
120.53.232.55 443 Shandong Servsd Technology Co. Ltd.
82.156.29.211 9999 Tencent Cloud Computing (Beijing) Co., Ltd
193.201.9.199 443 Infolink LLC
31.44.184.187 8080 Petersburg Internet Network ltd.
121.41.89.180 443 Aliyun Computing Co., LTD
124.222.177.70 82 Tencent cloud computing (Beijing) Co., Ltd.
47.98.164.231 443 Aliyun Computing Co., LTD
31.44.184.232 80 Petersburg Internet Network ltd.
101.43.208.122 443 Tencent Cloud Computing (Beijing) Co., Ltd
81.71.133.220 443 Tencent Cloud Computing (Beijing) Co., Ltd
31.44.184.187 80 Petersburg Internet Network ltd.
175.24.62.158 4443 Tencent cloud computing (Beijing) Co., Ltd.
103.146.179.94 4433 HONGKONG NEWS COMMENTARY AGENCY CO. ,LIMITED
110.42.159.151 8080 Tencent cloud computing (Beijing) Co., Ltd.
31.44.184.84 443 Petersburg Internet Network ltd.
116.204.211.180 443
```

### RiskIQ

https://community.riskiq.com/search/components/Command%20and%20Control%20Server/Cobalt%20Strike/

### 360 Quake

https://quake.360.cn/quake/#/searchResult?searchVal=app%3A%22CobaltStrike%22&selectIndex=quake_service&ignore_cache=false&timeRange=2021-08-25%2000%3A00%3A00&timeRange=2022-08-25%2000%3A00%3A00&t=1661392013192

## Beacon config collection

https://github.com/fox-it/cobaltstrike-beacon-data

## Interpreting selected Beacon config fields

### SleepTime

Excerpt of a parsed config (the full output appears in the extraction section below):

```json
{
  "BeaconType": ["HTTP"],
  "Port": 81,
  "SleepTime": 450000,
  "MaxGetSize": 1048576,
  "Jitter": 37,
  "MaxDNS": "Not Found",
  "PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmmpL6y1jDqhxvFx5mTgprRUYNG2IchQmPW05GBhd5Gp0HhuY3JH7lfcecW6pYLjDCx6WYubVwWY1mHj7+Ae8zbrhWVtlAlMcZOSpZqmqrJ03JS1B7grZsbcsfCptHZF+cTl4THGSfloBm2AsqNVN/93Y/6l8gt8YVauRlDbBzowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
  "PublicKey_MD5": "fe1a19bb796adc7029eac04bc5d07139",
  "C2Server": "8.142.124.166,/j.ad",
  "UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [],
  "HttpGet_Metadata": {
    "ConstHeaders": [],
    "ConstParams": [],
    "Metadata": ["base64", "header \"Cookie\""],
    "SessionId": [],
    "Output": []
  },
  "HttpPost_Metadata": {
    "ConstHeaders": ["Content-Type: application/octet-stream"],
    "ConstParams": [],
    "Metadata": [],
    "SessionId": ["parameter \"id\""],
    "Output": ["print"]
  },
  "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "PipeName": "Not Found",
  "DNS_Idle": "Not Found",
  "DNS_Sleep": "Not Found",
  "SSH_Host": "Not Found",
  "SSH_Port": "Not Found",
  "SSH_Username": "Not Found",
  "SSH_Password_Plaintext": "Not Found",
  "SSH_Password_Pubkey": "Not Found",
```

`"SleepTime": 450000, "Jitter": 37`: the heartbeat carries random jitter of 37% × 450000 ms (166500 ms), so the check-in interval can fall anywhere between 283000 and 450000 ms (4.7 to 7.5 minutes).

`"PublicKey"`: the Cobalt Strike team server uses this field to encrypt communication between the server and the Beacon. It is distinct from the ordinary TLS certificate seen when the C2 domain is visited with a browser or a transfer library such as curl. The field is notable because the team server uses the same public key for every Beacon, which makes it valuable for clustering Beacons to a team server; threat actors often run multiple campaigns from the same team server, so this value in the config can tie a threat group to multiple campaigns and infrastructure.

### ProcInject_Stub

`"ProcInject_Stub": "BOChG+WRR6jXPSs+n+qDLA=="`: the stub field is the MD5 of the Cobalt Strike JAR file, Base64-encoded. Finally, we can visit https://verify.cobaltstrike.com/ and search for the hash, using Cobalt Strike's own SHA256 verification to identify the JAR version.

### Watermark (license_id)

The watermark is a unique 9-digit license value. Although it can be modified, it can still be combined with the process-inject stub and publickey fields (discussed above) to cluster infrastructure and campaign groups. CobaltStrikeParser reports it as Watermark; libcsce reports it as license_id; 0 denotes a cracked build.

### Fetching the stage

get_x86_stage.py (the original is cut off after the status check; the file write and `__main__` block below follow the messages of the run shown further down):

```python
#!/usr/bin/python3
import requests
import rstr
import sys
import urllib3

if len(sys.argv) < 2:
    print("Usage: %s http[s]://<server_address>" % (sys.argv[0]))
    sys.exit(1)

url = sys.argv[1]
OUT_FILE = "out"  # raw response is saved here for offline parsing (e.g. CobaltStrikeParser)

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
headers = {"User-Agent": ""}


def generate_checksum8_uri(arch):
    # A team server serves the stager from any 4-character URI whose ASCII sum mod 256
    # is 92 (x86) or 93 (x64), the "checksum8" scheme; draw random URIs until one matches.
    # x86 = 92
    # x64 = 93
    value = 0
    while value != arch:
        rand = rstr.xeger(r'[A-Za-z0-9]{4}')
        value = (sum([ord(ch) for ch in rand]) % 0x100)
    return "/" + str(rand)


def get_shellcode(url, uri):
    f_url = url + uri
    try:
        resp = requests.get(f_url, timeout=5, headers=headers, verify=False)
    except requests.exceptions.RequestException as e:
        print('[!] Connection error %s' % (e))
        sys.exit(1)
    if (resp.status_code == 200):
        print('[+] Got response from %s' % (url))
        return resp.content
    print('[!] Unexpected status %d from %s' % (resp.status_code, url))
    return None


if __name__ == '__main__':
    print('[+] Generating x86 check8 uri')
    uri = generate_checksum8_uri(92)
    print('[+] Making request to suspected C2 server')
    data = get_shellcode(url, uri)
    if data:
        with open(OUT_FILE, 'wb') as f:
            f.write(data)
        print('[+] Response written to %s, response might be shellcode' % OUT_FILE)
```

### Shellcode characteristics

The stage begins with the following instructions: FC, the `cld` instruction, which clears the direction flag DF in the flags register; and E8, a `call` instruction.

### Beacon config extraction

Shellcode or a Beacon file that checks in stageless can have its configuration extracted with CobaltStrikeParser. (Difference between staged and stageless: the former only connects to the C2 and receives the payload, then loads and executes it, whereas stageless skips the payload-retrieval step. Payloads generated stageless are much larger than the staged kind and contain detailed signatures.)

https://github.com/Sentinel-One/CobaltStrikeParser

```bash
PS E:\cs_beacon_conf> python .\get_x86_stage.py http://8.142.124.166:81
[+] Generating x86 check8 uri
[+] Making request to suspected C2 server
[+] Got response from http://8.142.124.166:81
[+] Response written to /out, response might be shellcode
```

```bash
PS E:\tools\CobaltStrikeParser-master\CobaltStrikeParser-master\samples> python ..\parse_beacon_config.py --json .\8.142.124.166.shellcode
{"BeaconType": ["HTTP"], "Port": 81, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "MaxDNS": "Not Found", "PublicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmmpL6y1jDqhxvFx5mTgprRUYNG2IchQmPW05GBhd5Gp0HhuY3JH7lfcecW6pYLjDCx6WYubVwWY1mHj7+Ae8zbrhWVtlAlMcZOSpZqmqrJ03JS1B7grZsbcsfCptHZF+cTl4THGSfloBm2AsqNVN/93Y/6l8gt8YVauRlDbBzowIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==", "PublicKey_MD5": "fe1a19bb796adc7029eac04bc5d07139", "C2Server": "8.142.124.166,/j.ad", "UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Metadata": {"ConstHeaders": [], "ConstParams": [], "Metadata": ["base64", "header \"Cookie\""], "SessionId": [], "Output": []}, "HttpPost_Metadata": {"ConstHeaders": ["Content-Type: application/octet-stream"], "ConstParams": [], "Metadata": [], "SessionId": ["parameter \"id\""], "Output": ["print"]}, "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "PipeName": "Not Found", "DNS_Idle": "Not Found", "DNS_Sleep": "Not Found", "SSH_Host": "Not Found", "SSH_Port": "Not Found", "SSH_Username": "Not Found", "SSH_Password_Plaintext": "Not Found", "SSH_Password_Pubkey": "Not Found", "SSH_Banner": "", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Config": "Not Found", "Proxy_User": "Not Found", "Proxy_Password": "Not Found", "Proxy_Behavior": "Use IE settings", "Watermark": 100000, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "ProcInject_Stub": "BOChG+WRR6jXPSs+n+qDLA==", "bUsesCookies": "True", "HostHeader": "", "smbFrameHeader": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "tcpFrameHeader": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "headersToRemove": "Not Found", "DNS_Beaconing": "Not Found", "DNS_get_TypeA": "Not Found", "DNS_get_TypeAAAA": "Not Found", "DNS_get_TypeTXT": "Not Found", "DNS_put_metadata": "Not Found", "DNS_put_output": "Not Found", "DNS_resolver": "Not Found", "DNS_strategy": "round-robin", "DNS_strategy_rotate_seconds": -1, "DNS_strategy_fail_x": -1, "DNS_strategy_fail_seconds": -1}
PS E:\tools\CobaltStrikeParser-master\CobaltStrikeParser-master\samples> python ..\parse_beacon_config.py --json .\8.142.124.166.shellcode > .\8.142.124.166.shellcode.conf
```

### Other tools

https://github.com/strozfriedberg/cobaltstrike-config-extractor

### References

https://www.anquanke.com/post/id/224535

https://www.blackberry.com/us/en/forms/enterprise/ebook-beacons-in-the-dark
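The field notes above (SleepTime/Jitter, PublicKey, Watermark) and the earlier section on clustering by SSL public key and watermark describe how an analyst reads a batch of extracted configs. The following is an added example, not code from the post or from CobaltStrikeParser: it computes the real check-in window from SleepTime and Jitter, groups C2 hosts by PublicKey_MD5, and looks each config up against the group table and watermark notes quoted in the post. The sample configs, their hosts and the all-zero key MD5 are constructed; the field names follow CobaltStrikeParser's JSON output as shown on this page.

```python
# Added example, not from the original post: post-processing for a batch of
# extracted Beacon configs using the fields discussed above.
from collections import defaultdict

# Public-key MD5 -> group, as listed in the post's table.
KNOWN_PUBLIC_KEYS = {
    "1186914578623be126e5f3e8c058d719": "MAN1",
    "8ac540617dddcdf575f6dc207abb7344": "DoppelPaymer",
    "f61884abc8f4ba7a0caa288b326a70ee": "Kegtap",
    "0ce7b6482c1f24e42f2935f5026d338d": "TA575/Dridex",
    "b3e6b9dd84dae6be68cb40cda4366b77": "APT41",
}

# Watermark (license_id) notes from the post: 0 is a cracked build,
# 305419896 has been tied to Maze ransomware activity.
KNOWN_WATERMARKS = {
    0: "cracked build",
    305419896: "linked to Maze ransomware",
}

# Constructed sample configs (documentation-range hosts, made-up third key).
SAMPLE_CONFIGS = [
    {"C2Server": "198.51.100.10,/j.ad", "SleepTime": 450000, "Jitter": 37,
     "PublicKey_MD5": "1186914578623be126e5f3e8c058d719", "Watermark": 305419896},
    {"C2Server": "198.51.100.11,/jquery-3.3.2.min.js", "SleepTime": 60000, "Jitter": 0,
     "PublicKey_MD5": "1186914578623be126e5f3e8c058d719", "Watermark": 0},
    {"C2Server": "203.0.113.7,/submit.php", "SleepTime": 60000, "Jitter": 20,
     "PublicKey_MD5": "00000000000000000000000000000000", "Watermark": 1359593325},
]


def sleep_window_ms(sleep_ms: int, jitter_pct: int) -> tuple:
    """Beacon shortens each sleep by a random 0..jitter% of SleepTime, so the
    check-in interval lies in [SleepTime - SleepTime*jitter/100, SleepTime]."""
    return sleep_ms - sleep_ms * jitter_pct // 100, sleep_ms


def c2_host(config: dict) -> str:
    """C2Server is 'host,uri' (e.g. '8.142.124.166,/j.ad'); return the host part."""
    return config["C2Server"].split(",", 1)[0]


def cluster_by_public_key(configs) -> dict:
    """Group C2 hosts by PublicKey_MD5: hosts sharing a key were configured
    on the same team server, even when they sit on different IPs."""
    clusters = defaultdict(set)
    for cfg in configs:
        clusters[cfg["PublicKey_MD5"]].add(c2_host(cfg))
    return {key: sorted(hosts) for key, hosts in clusters.items()}


def enrich(config: dict) -> dict:
    """Attach timing and attribution hints to one config."""
    low, high = sleep_window_ms(config["SleepTime"], config["Jitter"])
    return {
        "host": c2_host(config),
        "interval_ms": (low, high),
        "interval_min": (round(low / 60000, 1), round(high / 60000, 1)),
        "key_group": KNOWN_PUBLIC_KEYS.get(config["PublicKey_MD5"], "unknown"),
        "watermark_note": KNOWN_WATERMARKS.get(config["Watermark"], "no attribution"),
    }


if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        print(enrich(cfg))
    for key, hosts in cluster_by_public_key(SAMPLE_CONFIGS).items():
        print(key, KNOWN_PUBLIC_KEYS.get(key, "unknown"), hosts)
```

For the 450000 ms / 37% sample this gives a window of 283500 to 450000 ms, the same 4.7 to 7.5 minute range the note above quotes; the window is what a network hunt should use as its beaconing period rather than the bare SleepTime. Hosts that land in one public-key cluster are worth pivoting on in Shodan with `server.publickey_md5`, as shown in the OSINT section.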

The Self-Cultivation of a Security Dog (blog)

github haidragon

https://github.com/haidragon

From: https://www.cnblogs.com/haidragon/p/16862914.html