Cobalt Strike process injection: reproducing and detecting the CreateRemoteThread case

Two machines on the internal network; the steps are as follows:

I used PowerShell to run the reverse shell:

The Sysmon data collected:

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:00:37.856
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50782
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

Network connection detected:
RuleName: -
UtcTime: 2023-07-18 03:00:37.855
ProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
ProcessId: 8404
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50781
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

Looking at the CS HTTP reverse shell, the C2 heartbeat interval is 1s:

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:06:37.940
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50801
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
 
 
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:07:37.993
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50803
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
 
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:08:38.015
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50805
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -

Data collected for the process injection:

CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 02:59:37.841
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
TargetProcessId: 5152
TargetImage: C:\Windows\explorer.exe
NewThreadId: 9208
StartAddress: 0x0000000004D50000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee

Open-source detection rule ==> damn, the address doesn't match, GG!

title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
    - attack.defense_evasion
    - attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'   # ==> matches on the start address
    condition: selection
falsepositives:
    - Unknown
level: high

Next, I tried injecting into another process, Calculator:

Injection succeeded; let's look at the Sysmon data collected:

Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:19:02.356
ProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
ProcessId: 4180
Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50864
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
 
CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:18:38.273
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
TargetProcessId: 4180
TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
NewThreadId: 8752
StartAddress: 0x0000023C5A950000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee

In addition, after the injection, procexp shows a suspicious DLL being loaded:

Summary:

1. Detect the CreateRemoteThread API call directly.

2. Suspicious DLL loads.

3. Suspicious network connections (from explorer.exe, Notepad, Calculator, etc.)

Combining 1+3 or 1+2 with a threat graph makes the detection fairly precise.
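The correlation that the summary calls for (point 1 combined with point 3), written out as an added example in Python; this is not code from the original post or from Sysmon. It parses Sysmon events in the "Key: Value" text form shown above, applies the quoted Sigma rule's StartAddress suffix check (which misses both addresses observed here), flags thread starts that Sysmon could not map to a loaded module (StartModule is "-"), and pairs each CreateRemoteThread target with an outbound connection made by the same ProcessGuid shortly afterwards. The sample events are constructed from the values in the post and trimmed to the fields needed; the five-minute window and the unbacked-start heuristic are assumptions of this example.

```python
# Added example: correlate Sysmon Event 8 (CreateRemoteThread) with Event 3
# (network connection) made by the injected target process.
import ntpath
import re
from datetime import datetime, timedelta

# Constructed sample, built from the values shown in the post and trimmed
# to the fields the correlation needs.
SAMPLE_EVENTS = r"""
CreateRemoteThread detected:
UtcTime: 2023-07-18 02:59:37.841
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
TargetImage: C:\Windows\explorer.exe
StartAddress: 0x0000000004D50000
StartModule: -

Network connection detected:
UtcTime: 2023-07-18 03:00:37.855
ProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
DestinationIp: 192.168.150.131
DestinationPort: 4444

Network connection detected:
UtcTime: 2023-07-18 03:00:37.856
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
Image: C:\Windows\explorer.exe
DestinationIp: 192.168.150.131
DestinationPort: 4444

CreateRemoteThread detected:
UtcTime: 2023-07-18 03:18:38.273
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
StartAddress: 0x0000023C5A950000
StartModule: -

Network connection detected:
UtcTime: 2023-07-18 03:19:02.356
ProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
DestinationIp: 192.168.150.131
DestinationPort: 4444
"""

# Suffixes from the Sigma rule "CobaltStrike Process Injection" quoted above.
SIGMA_START_ADDRESS_SUFFIXES = ("0B80", "0C7C", "0C88")


def parse_sysmon_text(text):
    """Parse the 'Key: Value' text form of Sysmon events into dicts.
    Each event begins with '<type> detected:' and events are blank-line separated."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        event = {"_type": lines[0].split(" detected")[0]}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def parse_utc(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def sigma_start_address_match(thread_event):
    """The quoted Sigma rule: StartAddress|endswith one of three known suffixes."""
    return thread_event["StartAddress"].upper().endswith(SIGMA_START_ADDRESS_SUFFIXES)


def unbacked_start(thread_event):
    """Assumed heuristic: Sysmon reports StartModule '-' when the thread's start
    address lies in no module loaded by the target, as in both events above."""
    return thread_event.get("StartModule", "-") == "-"


def correlate(events, window=timedelta(minutes=5)):
    """Pair each CreateRemoteThread with a later outbound connection made by the
    injected target (same ProcessGuid) within `window`; returns (thread, conn, secs)."""
    threads = [e for e in events if e["_type"] == "CreateRemoteThread"]
    conns = [e for e in events if e["_type"] == "Network connection"]
    hits = []
    for t in threads:
        t_time = parse_utc(t["UtcTime"])
        for c in conns:
            if c["ProcessGuid"] != t["TargetProcessGuid"]:
                continue  # e.g. powershell.exe's own connection is not the injected target
            delta = parse_utc(c["UtcTime"]) - t_time
            if timedelta(0) <= delta <= window:
                hits.append((t, c, delta.total_seconds()))
    return hits


def describe(hits):
    """One human-readable alert line per correlated pair."""
    return [
        f"{ntpath.basename(c['Image'])} -> {c['DestinationIp']}:{c['DestinationPort']} "
        f"{secs:.1f}s after remote thread from {ntpath.basename(t['SourceImage'])} "
        f"(sigma_suffix={sigma_start_address_match(t)}, unbacked_start={unbacked_start(t)})"
        for t, c, secs in hits
    ]


if __name__ == "__main__":
    for line in describe(correlate(parse_sysmon_text(SAMPLE_EVENTS))):
        print(line)
```

Run on the sample, the two injected targets (explorer.exe and Calculator.exe) are paired with their beacon connections to 192.168.150.131:4444, while powershell.exe's own connection is ignored because its ProcessGuid is never a CreateRemoteThread target. The Sigma suffix check returns False for both thread events, which is the point the post makes; the unbacked-start check fires for both, which is why pairing Event 8 with Event 3 from the same process is the more robust signal.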

Posted by bonelee