Cobalt Strike进程注入——CreateRemoteThread案例复现和检测
Cobalt Strike进程注入——CreateRemoteThread案例复现和检测
内网两台机器,操作如下:
我使用的是powershell 反弹shell执行:
看到的sysmon数据采集
Network connection detected: RuleName: Alert,Metasploit UtcTime: 2023-07-18 03:00:37.856 ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200} ProcessId: 5152 Image: C:\Windows\explorer.exe User: DESKTOP-CJ1GAS4\bonelee Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.150.128 SourceHostname: DESKTOP-CJ1GAS4.localdomain SourcePort: 50782 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.150.131 DestinationHostname: - DestinationPort: 4444 DestinationPortName: -
Network connection detected: RuleName: - UtcTime: 2023-07-18 03:00:37.855 ProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200} ProcessId: 8404 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe User: DESKTOP-CJ1GAS4\bonelee Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.150.128 SourceHostname: DESKTOP-CJ1GAS4.localdomain SourcePort: 50781 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.150.131 DestinationHostname: - DestinationPort: 4444 DestinationPortName: -
看到CS http 反弹shell c2的心跳报文是1s:
Network connection detected: RuleName: Alert,Metasploit UtcTime: 2023-07-18 03:06:37.940 ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200} ProcessId: 5152 Image: C:\Windows\explorer.exe User: DESKTOP-CJ1GAS4\bonelee Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.150.128 SourceHostname: DESKTOP-CJ1GAS4.localdomain SourcePort: 50801 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.150.131 DestinationHostname: - DestinationPort: 4444 DestinationPortName: - Network connection detected: RuleName: Alert,Metasploit UtcTime: 2023-07-18 03:07:37.993 ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200} ProcessId: 5152 Image: C:\Windows\explorer.exe User: DESKTOP-CJ1GAS4\bonelee Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.150.128 SourceHostname: DESKTOP-CJ1GAS4.localdomain SourcePort: 50803 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.150.131 DestinationHostname: - DestinationPort: 4444 DestinationPortName: - Network connection detected: RuleName: Alert,Metasploit UtcTime: 2023-07-18 03:08:38.015 ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200} ProcessId: 5152 Image: C:\Windows\explorer.exe User: DESKTOP-CJ1GAS4\bonelee Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.150.128 SourceHostname: DESKTOP-CJ1GAS4.localdomain SourcePort: 50805 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.150.131 DestinationHostname: - DestinationPort: 4444 DestinationPortName: -
进程注入采集的数据:
CreateRemoteThread detected: RuleName: - UtcTime: 2023-07-18 02:59:37.841 SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200} SourceProcessId: 8404 SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200} TargetProcessId: 5152 TargetImage: C:\Windows\explorer.exe NewThreadId: 9208 StartAddress: 0x0000000004D50000 StartModule: - StartFunction: - SourceUser: DESKTOP-CJ1GAS4\bonelee TargetUser: DESKTOP-CJ1GAS4\bonelee
开源检测规则:==》这尼玛地址不对,GG了!
title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
- attack.defense_evasion
- attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
product: windows
category: create_remote_thread
detection:
selection:
StartAddress|endswith:
- '0B80'
- '0C7C'
- '0C88'==》检测start address
condition: selection
falsepositives:
- Unknown
level: high
再尝试注入另外一个进程计算器:
注入成功,看下sysmon数据采集:
Network connection detected: RuleName: Alert,Metasploit UtcTime: 2023-07-18 03:19:02.356 ProcessGuid: {d4c3f587-032d-64b6-2805-000000000200} ProcessId: 4180 Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe User: DESKTOP-CJ1GAS4\bonelee Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: 192.168.150.128 SourceHostname: DESKTOP-CJ1GAS4.localdomain SourcePort: 50864 SourcePortName: - DestinationIsIpv6: false DestinationIp: 192.168.150.131 DestinationHostname: - DestinationPort: 4444 DestinationPortName: - CreateRemoteThread detected: RuleName: - UtcTime: 2023-07-18 03:18:38.273 SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200} SourceProcessId: 8404 SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetProcessGuid: {d4c3f587-032d-64b6-2805-000000000200} TargetProcessId: 4180 TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe NewThreadId: 8752 StartAddress: 0x0000023C5A950000 StartModule: - StartFunction: - SourceUser: DESKTOP-CJ1GAS4\bonelee TargetUser: DESKTOP-CJ1GAS4\bonelee
另外,当我注入后,procexp可以看到可疑的DLL加载:
总结:
1、直接检测CreateRemoteThread API调用。
2、可疑的DLL加载。
3、可疑的网络连接(explorer.exe、记事本、calculator等)
使用threat graph将1+3结合或者1+2,检测就比较精确了。