526互联

Cobalt Strike进程注入——CreateRemoteThread案例复现和检测

发布时间 2023-07-18 12:12:09作者: bonelee

Cobalt Strike进程注入——CreateRemoteThread案例复现和检测

内网两台机器,操作如下:

 

我使用的是powershell 反弹shell执行:

看到的sysmon数据采集

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:00:37.856
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50782
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

 

Network connection detected:
RuleName: -
UtcTime: 2023-07-18 03:00:37.855
ProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
ProcessId: 8404
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50781
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

 

看到CS http 反弹shell c2的心跳报文是1s:

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:06:37.940
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50801
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -


Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:07:37.993
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50803
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:08:38.015
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50805
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

  

  

进程注入采集的数据:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 02:59:37.841
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
TargetProcessId: 5152
TargetImage: C:\Windows\explorer.exe
NewThreadId: 9208
StartAddress: 0x0000000004D50000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee

 

开源检测规则:==》这尼玛地址不对,GG了!

title: CobaltStrike Process Injection

id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42

description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

references:

    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/

tags:

    - attack.defense_evasion

    - attack.t1055.001

status: experimental

author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community

date: 2018/11/30

modified: 2021/11/20

logsource:

    product: windows

    category: create_remote_thread

detection:

    selection:

        StartAddress|endswith:

            - '0B80'

            - '0C7C'

            - '0C88'==》检测start address

    condition: selection

falsepositives:

    - Unknown

level: high

  

再尝试注入另外一个进程计算器:

 注入成功,看下sysmon数据采集:

 

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:19:02.356
ProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
ProcessId: 4180
Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50864
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:18:38.273
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
TargetProcessId: 4180
TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
NewThreadId: 8752
StartAddress: 0x0000023C5A950000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee

  

另外,当我注入后,procexp可以看到可疑的DLL加载:

 

 

总结:

1、直接检测CreateRemoteThread API调用。

2、可疑的DLL加载。

3、可疑的网络连接(explorer.exe、记事本、calculator等)