Thoughts on how to carry out Cobalt Strike Detection methods and removing Features

2025-02-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through methods for detecting Cobalt Strike and some thoughts on removing its identifying features. The content is concise and easy to follow, and I hope you will take something away from the detailed explanation below.

people are clouds

There are many ways to detect Cobalt Strike, and a number of articles on the Internet will tell you how to modify the so-called "feature values". These methods are genuinely misleading in places, however, and leave blind spots.

There are several ways to find Cobalt Strike servers (a rough classification, not precise, so please don't flame me):

- sample analysis
- an implant calling back to its C2 (the infected host connecting back)
- the operator connecting to the teamserver
- scanning discovery

Of these, scanning discovery is used the most. Some articles on the Internet also point out that Cobalt Strike's default SSL/TLS certificate is fixed, so that certificate is commonly used as a feature value to discover Cobalt Strike servers.

So, today we are mainly discussing the issue of default SSL/TLS certificates.

Certificate modification

Now let's extract information about this certificate.

According to the modification method given in some articles on the Internet, we need to use keytool to modify the certificate information, as follows.

The default certificate has obvious characteristics, for example:

O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike

If we search on this information, we find a lot of Cobalt Strike servers.

But one question gets ignored here: which certificate are you actually modifying, and is it the one used when a host comes online?

This certificate is the encryption certificate used by the teamserver itself (default port 50050).

After modifying this certificate, the teamserver's characteristic is gone.

People have hunted C2 servers using exactly this rule.

For example, in fofa.so, there is a rule called

protocol=="cobaltstrike"

Of course, we can also search directly with

cert="Major Cobalt Strike"

Note that searching with

cert="Major Cobalt Strike"

will also turn up some hosts that fofa has not labeled as Cobalt Strike servers

(there are extra catches to be had here).

Of course, to make sure the data is current, it is best to add the following when searching fofa.so:

after="2020-01-01"

Important dividing line!!! Attention!!!

But! The certificate used when hosts come online over https is not the one we modified above, and that certificate is also a default one...

The certificate information is as follows:

If you want to modify this certificate, you need to modify the Malleable C2 profile.

The profile sections "Self-signed Certificates with SSL Beacon" and "Valid SSL Certificates with SSL Beacon" are what change the certificate used for https check-ins. "Self-signed Certificates with SSL Beacon" generates a self-signed certificate. With "Valid SSL Certificates with SSL Beacon", the certificate we set up through keytool can also be used, but what you should really use here is a genuine certificate. Whether stolen or bought, once it is used it is burned.

Let's Hunt!

Use fofa.so to search for the relevant certificate information:

cert="73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F" && after="2020-01-01"

Use censys.io to search for the relevant information:

443.https.tls.certificate.parsed.fingerprint_sha256:87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c

Here we run into an interesting phenomenon: on some servers port 50050 is also open, and the teamserver certificate really has been modified. This proves the attacker did read the articles and learned how to remove features, but unfortunately only modified one of the two certificates.

Can I get all the certificates just by scanning IPs? No. We also need to scan domain names, and https is not necessarily served only on port 443.
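To make the two-certificate distinction concrete, here is an added example (my own code, not from the article or from Cobalt Strike) that pulls the leaf certificate from a host and port, parses the subject out of the DER, and checks it against the default teamserver subject and the default Beacon HTTPS fingerprints quoted above. The X.509 parsing is a minimal hand-written DER walker covering only the subject field, and the sample certificate at the bottom is constructed in code so the check runs offline; the hostname and port list in the usage block are placeholders.

```python
import hashlib
import socket
import ssl

# Default teamserver certificate subject quoted in the article (default port 50050).
DEFAULT_TEAMSERVER_SUBJECT = {"O": "cobaltstrike", "OU": "AdvancedPenTesting", "CN": "Major Cobalt Strike"}
# Default Beacon HTTPS certificate fingerprints quoted in the article.
DEFAULT_BEACON_SHA1 = "73:6B:5E:DB:CF:C9:19:1D:5B:D0:1F:8C:E3:AB:56:38:18:9F:02:4F".replace(":", "").lower()
DEFAULT_BEACON_SHA256 = "87f2085c32b6a2cc709b365f55873e207a9caa10bffecf2fd16d3cf9d94d390c"

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _tlv(value, pos)
        yield tag, child


def subject_from_der(cert_der):
    """Extract CN/O/OU from the subject Name of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    fields = list(_children(list(_children(cert_body))[0][1]))
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    subject = fields[4][1]                              # serial, sigAlg, issuer, validity, subject
    out = {}
    for _, rdn in _children(subject):                   # SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):                   # SET OF AttributeTypeAndValue
            (_, oid), (_, value) = list(_children(atv))
            if oid in OID_NAMES:
                out[OID_NAMES[oid]] = value.decode("utf-8")
    return out


def classify_certificate(cert_der):
    """Return the list of Cobalt Strike default-certificate indicators this certificate matches."""
    findings = []
    if subject_from_der(cert_der) == DEFAULT_TEAMSERVER_SUBJECT:
        findings.append("default teamserver certificate subject")
    if hashlib.sha1(cert_der).hexdigest() == DEFAULT_BEACON_SHA1:
        findings.append("default Beacon HTTPS certificate (SHA-1)")
    if hashlib.sha256(cert_der).hexdigest() == DEFAULT_BEACON_SHA256:
        findings.append("default Beacon HTTPS certificate (SHA-256)")
    return findings


def fetch_certificate(host, port, timeout=5.0):
    """Grab the leaf certificate (DER) from host:port without validating it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample: a fake DER certificate carrying the default teamserver subject ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def _name(attrs):
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
                               for oid, text in attrs))


SAMPLE_TEAMSERVER_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                      # version v3, serial
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))           # sha256WithRSA
    + _name([(b"\x55\x04\x03", "placeholder issuer")])
    + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))   # validity
    + _name([(b"\x55\x04\x0a", "cobaltstrike"), (b"\x55\x04\x0b", "AdvancedPenTesting"),
             (b"\x55\x04\x03", "Major Cobalt Strike")])
    + _der(0x30, b"\x00")) + _der(0x30, b"") + _der(0x03, b"\x00"))            # dummy SPKI, sigAlg, sig

if __name__ == "__main__":
    print("sample:", classify_certificate(SAMPLE_TEAMSERVER_CERT))
    for port in (50050, 443, 8443):       # placeholder port list; https need not sit on 443
        try:
            print(port, classify_certificate(fetch_certificate("c2.example.invalid", port)))
        except OSError as exc:
            print(port, "no TLS:", exc)
```

Scanning both the teamserver port and every https listener of a host is the point: the article's "only modified one" finding is exactly the case where the subject check on 50050 comes back clean but the fingerprint check on the Beacon listener still fires.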

As far as we know, many people build C2 servers in a very crude way: they stand the C2 up directly in the cloud, don't put an SLB/ELB in front to forward requests, don't use security groups to control access, and don't use any of the clever C2 hiding techniques. Even the well-worn ones, such as domain fronting, CDN check-in and high-reputation services, go unused; everything just gets put online in one go... It really does spare the lives of the blue team brothers.

Wait, is that all?

Detecting encrypted traffic

What do we do if all this information has been altered?

There's actually a way to detect it.

We can refer to the project at https://github.com/salesforce/ja3

A simple explanation of JA3

The JA3 method collects the decimal values of the following fields from the TLS Client Hello packet: TLS version, accepted cipher suites, the list of extensions, elliptic curves (supported groups), and elliptic curve point formats. It then concatenates these values, using "," to separate fields and "-" to separate values within a field, and hashes the resulting string with MD5 to produce the fingerprint.

This amounts to taking everything the client advertises in its TLS handshake as one feature value (JA3S does the same for the server's response, on top of the client-initiated side).

This is, so to speak, a strike from a higher dimension: we found that most mainstream online sandboxes and mainstream IDS products support JA3/JA3S fingerprint detection.
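As an added example of the JA3 description above (my own code, not from the salesforce/ja3 project or from the article), the following parses a raw TLS record carrying a Client Hello, pulls out the five JA3 fields, skips GREASE values the way the reference implementation does, and returns both the JA3 string and its MD5. The Client Hello at the bottom is constructed in code, so the fingerprint it produces is just the fingerprint of that sample, not of any real client.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random padding and are ignored by JA3.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16s(buf):
    """Unpack a byte string into a list of big-endian 16-bit integers."""
    return list(struct.unpack(">%dH" % (len(buf) // 2), buf[:len(buf) // 2 * 2]))


def ja3_from_client_hello(record):
    """Compute (ja3_string, ja3_md5) from a raw TLS record containing a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:       # record type handshake, handshake type ClientHello
        raise ValueError("not a ClientHello record")
    pos = 9                                           # 5-byte record header + 4-byte handshake header
    version = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2 + 32                                     # legacy_version, random
    pos += 1 + record[pos]                            # session id
    cs_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16s(record[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + record[pos]                            # compression methods
    extensions, curves, point_formats = [], [], []
    if pos < len(record):                             # extensions are optional
        end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            ext_type, body_len = struct.unpack(">HH", record[pos:pos + 4])
            body = record[pos + 4:pos + 4 + body_len]
            pos += 4 + body_len
            if ext_type in GREASE:
                continue
            extensions.append(ext_type)
            if ext_type == 0x000A:                    # supported_groups: 2-byte list length, then groups
                n = struct.unpack(">H", body[:2])[0]
                curves = [c for c in _u16s(body[2:2 + n]) if c not in GREASE]
            elif ext_type == 0x000B:                  # ec_point_formats: 1-byte list length, then formats
                point_formats = list(body[1:1 + body[0]])
    ja3 = ",".join([str(version)] + ["-".join(map(str, part))
                                     for part in (ciphers, extensions, curves, point_formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version, ciphers, extensions):
    """Build a minimal TLS record with a ClientHello (constructed sample input, not a real client)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                                  # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed sample: TLS 1.2, four real cipher suites plus a GREASE one, four extensions plus a GREASE one.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0xC02B, 0xC02F, 0x009C, 0x002F],
    [
        (0x0000, b"\x00\x0c\x00\x00\x09localhost"),   # server_name
        (0x000A, b"\x00\x04\x00\x17\x00\x18"),         # supported_groups: secp256r1, secp384r1
        (0x000B, b"\x01\x00"),                         # ec_point_formats: uncompressed
        (0x0023, b""),                                 # session_ticket
        (0x0A0A, b"\x00"),                             # GREASE extension, must be skipped
    ],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
```

For the sample above the JA3 string is `771,49195-49199-156-47,0-10-11-35,23-24,0`. In practice the input comes from a packet capture, and the value of the technique is that the fingerprint depends on the implant's TLS stack rather than on any certificate field the operator can edit in a profile.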

So that is how to think about Cobalt Strike detection and removing its features. Have you picked up any knowledge or skills? If you want to learn more or broaden your knowledge, please follow the industry information channel.
