Cobalt Strike进程注入——CreateRemoteThread案例复现和检测
Cobalt Strike进程注入——CreateRemoteThread案例复现和检测
内网两台机器,操作如下:
我使用的是powershell 反弹shell执行:
看到的sysmon数据采集
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:00:37.856
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50782
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
Network connection detected:
RuleName: -
UtcTime: 2023-07-18 03:00:37.855
ProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
ProcessId: 8404
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50781
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
看到CS http 反弹shell c2的心跳报文是1s:
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:06:37.940
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50801
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:07:37.993
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50803
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:08:38.015
ProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
ProcessId: 5152
Image: C:\Windows\explorer.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50805
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
进程注入采集的数据:
CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 02:59:37.841
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-331d-64b5-0a01-000000000200}
TargetProcessId: 5152
TargetImage: C:\Windows\explorer.exe
NewThreadId: 9208
StartAddress: 0x0000000004D50000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee
开源检测规则:==》这尼玛地址不对,GG了!
title: CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
tags:
- attack.defense_evasion
- attack.t1055.001
status: experimental
author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2021/11/20
logsource:
product: windows
category: create_remote_thread
detection:
selection:
StartAddress|endswith:
- '0B80'
- '0C7C'
- '0C88'==》检测start address
condition: selection
falsepositives:
- Unknown
level: high
再尝试注入另外一个进程计算器:
注入成功,看下sysmon数据采集:
Network connection detected:
RuleName: Alert,Metasploit
UtcTime: 2023-07-18 03:19:02.356
ProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
ProcessId: 4180
Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
User: DESKTOP-CJ1GAS4\bonelee
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.150.128
SourceHostname: DESKTOP-CJ1GAS4.localdomain
SourcePort: 50864
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.150.131
DestinationHostname: -
DestinationPort: 4444
DestinationPortName: -
CreateRemoteThread detected:
RuleName: -
UtcTime: 2023-07-18 03:18:38.273
SourceProcessGuid: {d4c3f587-ffa0-64b5-0805-000000000200}
SourceProcessId: 8404
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGuid: {d4c3f587-032d-64b6-2805-000000000200}
TargetProcessId: 4180
TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe\Calculator.exe
NewThreadId: 8752
StartAddress: 0x0000023C5A950000
StartModule: -
StartFunction: -
SourceUser: DESKTOP-CJ1GAS4\bonelee
TargetUser: DESKTOP-CJ1GAS4\bonelee
另外,当我注入后,procexp可以看到可疑的DLL加载:
总结:
1、直接检测CreateRemoteThread API调用。
2、可疑的DLL加载。
3、可疑的网络连接(explorer.exe、记事本、calculator等)
使用threat graph将1+3结合或者1+2,检测就比较精确了。
浙公网安备 33010602011771号