Maelstrom #1: An Introduction

渗透技巧 10个月前 admin

83 0 0

Throughout this series, we will be slowly building out a Command & Control Framework and discussing common implementation, IOCs, and TTPs.
在本系列中，我们将慢慢构建一个命令与控制框架，并讨论通用实现、IOC 和 TTP。

Introduction 介绍

Command & Control (C2) Frameworks are becoming increasingly more common and necessary for penetration tests, “red teaming”, and Advanced Persistent Threat (APT)s. By combining av / edr avoidance, the utility of implant control, and file CRUD (Create, Read, Update, and Delete), A C2 massively improves an operators quality of life on an engagement. This has resulted in more and more offensive tooling making its way online over the past 5 years, far more advanced and capable than its predecessors.
命令与控制（C2）框架正变得越来越普遍，对于渗透测试、“红队”和高级持续威胁（APT）来说也越来越必要。通过结合 av / edr 规避、植入物控制的效用和文件 CRUD（创建、读取、更新和删除），C2 极大地提高了操作员在参与时的生活质量。这导致在过去的 5 年里，越来越多的攻击性工具上线，比其前辈更先进、更强大。

The typical consultancy will find that they have filled the technical gap of a C2 by either buying an off-the-shelf solution or a cobbled homebrew solutions such as running metasploit with custom meterpreter droppers encoded with msfvenom or re-implementing crackmapexec and impacket functions. But what was once a point of convenience is now a point of necessity as endpoint protection has turned older methodologies into a list of blockers. As the industry balances around the convenience of delivering code and retrieving content using C2s, bad guys have been increasingly also using custom or cracked tooling for their own operations.
典型的咨询公司会发现，他们通过购买现成的解决方案或鹅卵石自制解决方案（例如使用使用 msfvenom 编码的自定义 meterpreter 滴管运行 metasploit）或重新实现 crackmapexec 和 impacket 函数来填补 C2 的技术空白。但是，曾经的便利点现在已成为必要点，因为端点保护已将旧方法转变为阻止程序列表。随着行业在使用 C2 交付代码和检索内容的便利性方面取得平衡，坏人也越来越多地使用自定义或破解工具进行自己的操作。

The Marketplace 市场

The C2 Matrix tries to track as much of the burgeoning marketplace of C2s as possible. At the time of writing 96 102 C2s are tracked. C2 Matrix’s Google Sheet shows the ambitions of the community with its varying implant languages, target Operating Systems, and UI/UX.
C2 Matrix 试图尽可能多地跟踪蓬勃发展的 C2 市场。在撰写本文时，跟踪了 96 102 个 C2。C2 Matrix 的 Google 表格通过其不同的植入语言、目标操作系统和 UI/UX 展示了社区的雄心壮志。

In looking at these C2s, we found that a lot of the heavy hitters1 had proprietary code, as they were the research projects or products of consultancies. To preserve the viability of these commercial business assets, their source code is protected. This limits the ability of defenders to identify and respond to attacks using these C2s, or C2s developed using their research, as defenders must obtain and reverse samples of the C2s implants before static detections can be written based on captured samples. Furthermore, it is only when these detections are released to the wider community (such as on VirusTotal) that everyone is protected from these cutting-edge implementations.
在研究这些 C2 时，我们发现很多重量级人物1 都有专有代码，因为它们是研究项目或咨询公司的产品。为了保持这些商业资产的可行性，它们的源代码受到保护。这限制了防御者使用这些 C2 或通过其研究开发的 C2 来识别和响应攻击的能力，因为防御者必须先获取并反转 C2s 植入物的样本，然后才能根据捕获的样本编写静态检测。此外，只有当这些检测结果发布到更广泛的社区（例如在 VirusTotal 上）时，每个人都可以免受这些尖端实施的侵害。

A number of vendors do responsibly explain their techniques, which allows defenders to infer runtime detections. Rarely, vendors share sample submissions, which allows defenders to write static detections such as YARA rules or more general AV signatures. These products are ultimately intended to improve the security of clients commissioning assessments – it doesn’t help defenders when these same tools are stolen, cracked, or purchased legitimately. In return for empowering attackers, defenders are not freely provided with a countermeasure.
许多供应商确实负责任地解释了他们的技术，这使得防御者能够推断运行时检测。供应商很少会共享示例提交，这允许防御者编写静态检测，例如 YARA 规则或更通用的 AV 签名。这些产品最终旨在提高客户调试评估的安全性 – 当这些相同的工具被盗、破解或合法购买时，它对防御者没有帮助。作为赋予攻击者权力的回报，防御者不会自由地获得对策。

Open-source and cracked closed-source C2s are widely disseminated, so are their detections. But at the cutting edge, a fog remains.
开源和破解的闭源 C2 被广泛传播，它们的检测也是如此。但在最前沿，迷雾仍然存在。

From the 2010s to 2022
从 2010 年代到 2022 年

Early C2s (see Metasploit, Armitage, Empire) acted as a simple point of convenience within a test, co-ordinating exploit delivery, and beacon management. They would vary in complexity, and operators were generally in a position to understand their operation. Prevalent exams such as OSCP focused on the basic knowledge of directly interacting with exploits and reverse shells. The required knowledge to obtain a shell using these C2s was not far beyond the required knowledge to write a custom C2. A basic working knowledge of Python or C# and some time to re-write a reverse shell would grant a beacon which would return a shell and not be detected by anti-virus.
早期的 C2（参见 Metasploit、Armitage、Empire）在测试中充当了一个简单的便利点，协调漏洞利用交付和信标管理。它们的复杂性各不相同，操作员通常能够了解其操作。OSCP 等流行的考试侧重于直接与漏洞利用和反向 shell 交互的基础知识。使用这些 C2 获得 shell 所需的知识与编写自定义 C2 所需的知识相差不远。Python 或 C# 的基本工作知识以及一些时间来重写反向 shell 将授予一个信标，该信标将返回一个 shell 并且不会被防病毒检测到。

However, the state-of-the-art has moved beyond this as C2s are now required tooling on engagements.
然而，最先进的技术已经超越了这一点，因为 C2 现在是参与时需要的工具。

As endpoint detection improves, so must the implant. As the implants improve, they must reach further into the recesses of Windows. This requires more development time, incentivising closed-source development of C2s and C2 modules to provide a return on investment. A modern C2’s internal behaviours are almost a closed box as the required knowledge to develop outstrips the required knowledge to operate them.
随着终点检测的改进，植入物也必须得到改善。随着植入物的改进，它们必须进一步伸入 Windows 的凹槽。这需要更多的开发时间，激励 C2 和 C2 模块的闭源开发，以提供投资回报。现代 C2 的内部行为几乎是一个封闭的盒子，因为开发所需的知识超过了操作它们所需的知识。

The industry entered the 2010s with workflows centring around implants as executable files dropped on disk or PowerShell scripts. Now, modern stagers include far more complex and bespoke approaches to their implants, such as environmental keying, indirect callbacks via system and web proxying, and deep packet inspection proof channels. Defenders now have to detect and respond using advanced indicators of compromise (IOC) rather than simply using signatures targeting known C2 implants.
进入 2010 年代，该行业的工作流程以植入物为中心，作为可执行文件放入磁盘或 PowerShell 脚本。现在，现代分期程序包括更复杂和定制的植入方法，例如环境键控、通过系统和 Web 代理的间接回调以及深度数据包检测证明通道。防御者现在必须使用高级入侵指标（IOC）进行检测和响应，而不是简单地使用针对已知 C2 植入物的签名。

The Goal of this Blog Series
本系列博客的目标

So with this as our background, we wanted to explore how C2s function in 2022, what evasive behavior’s are required, and what a minimum viable C2 looks like in a world of sophisticated endpoint protection.
因此，以此为背景，我们想探索 C2 在 2022 年如何运作，需要哪些规避行为，以及在复杂的端点保护世界中最小可行 C2 是什么样子。

Which gave us our goals for this blog series:
这给了我们这个博客系列的目标：

Document the internals of a minimum viable C2:
记录最小可行 C2 的内部结构：
What are the ideas behind popular C2 implementations?
流行的 C2 实现背后的想法是什么？
What are their goals and objectives?
他们的目标和目的是什么？

Analyse and implement evasive behaviors:
分析和实施规避行为：
What is required to run on a contemporary Windows system?
在现代 Windows 系统上运行需要什么？
What is required to bypass up-to-date, modern endpoint protection?
绕过最新的现代端点保护需要什么？

Produce a proof-of-concept C2:
生成概念验证 C2：
What is the minimum viable C2 for an operator in 2022?
2022 年运营商的最低可行 C2 是多少？
What is required to detect this minimum viable C2?
检测这种最小可行 C2 需要什么？

With that said, we don’t want to produce a C2 that is usable from the get-go – it’s solely useful to demonstrate behaviour. Our goal in writing is to simply discuss the concepts and review how the behaviour could be tracked; to use this example C2 offensively, you still have to learn how to code and how to act securely.
话虽如此，我们不想产生一个从一开始就可用的 C2——它只对展示行为有用。我们的写作目标是简单地讨论概念并审查如何跟踪行为;要冒犯性地使用这个例子 C2，你仍然需要学习如何编码和如何安全地行动。

Content provided within this series will require enough background knowledge to weaponise that potential users will already be able to write their own version anyway, but defenders and operators alike should hopefully find the exploration informative.
本系列中提供的内容将需要足够的背景知识来武器化，以便潜在用户无论如何都已经能够编写自己的版本，但防御者和运营商都应该希望发现探索内容丰富。

With that in mind, we’ve:
考虑到这一点，我们：

Not implemented all evasive techniques discussed.
没有实施所讨论的所有规避技术。

Provided Yara rules and uploaded samples to VirusTotal.
提供Yara规则并将样本上传到VirusTotal。

Left (deliberately!) really awkward code.
留下（故意的！）非常尴尬的代码。

What we are going to publish in this series is a discussion on the broad aspects of a C2:
我们将在本系列中讨论 C2 的广泛方面：

The architectural decisions regarding the Server and the Implant
有关服务器和植入物的架构决策

The user experience, with examples and our thoughts
用户体验，包括示例和我们的想法

Endpoint protection (as an exercise for the reader), exploring how operations can still be stymied.
端点保护（作为读者的练习），探索操作如何仍然受到阻碍。

A Static OpSec Review to look at common pitfalls implants can face.
静态 OpSec 审查，了解植入物可能面临的常见陷阱。

A Runtime OpSec Review to look at the same… but at runtime.
运行时 OpSec 审查，看看同样的…但在运行时。

Communications to and from the server and how both stealth and detections work beyond the target device.
与服务器之间的通信，以及隐身和检测如何在目标设备之外工作。

By doing this, we hope to shed light on the internals of a C2 and aid vendors in identifying gaps in their detections, as well as improving the efficacy of operators in identifying legitimate gaps in security that could be exploited by a contemporary attacker.
通过这样做，我们希望阐明 C2 的内部结构，并帮助供应商识别其检测中的漏洞，并提高运营商识别可能被当代攻击者利用的合法安全漏洞的效率。