SHARE
TWEET

Untitled

a guest Sep 18th, 2019 166 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #region Attack validations
  2. wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
  3.  
  4. Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
  5.  
  6. $CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
  7. Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
  8. $CimSession | Remove-CimSession
  9.  
  10. winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
  11. #endregion
  12.  
  13. #region Demo #1: Identify the provider DLL that implements Win32_Process Create
  14. $Class = [WmiClass] 'root/cimv2:Win32_Process'
  15.  
  16. $ProviderName = $Class.Qualifiers['Provider'].Value
  17. # Provider name: CIMWin32
  18.  
  19. $ProviderCLSID = Get-CimInstance -ClassName __Provider -Filter "Name = '$ProviderName'" | Select -ExpandProperty CLSID
  20. # Provider CLSID: {d63a5850-8f16-11cf-9f47-00aa00bf345c}
  21.  
  22. Get-ItemPropertyValue -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$ProviderCLSID\InProcServer32" -Name '(default)'
  23. # Provider DLL: C:\WINDOWS\system32\wbem\cimwin32.dll
  24. #endregion
  25.  
  26.  
  27. #region Demo #2: Identify code that potentially writes to the Microsoft-Windows-WMI-Activity ETW provider
  28. filter ConvertTo-String {
  29. <#
  30. .SYNOPSIS
  31.  
  32. Converts the bytes of a file to a string.
  33.  
  34. Author: Matthew Graeber (@mattifestation)
  35. License: BSD 3-Clause
  36. Required Dependencies: None
  37. Optional Dependencies: None
  38.  
  39. .DESCRIPTION
  40.  
  41. ConvertTo-String converts the bytes of a file to a string that has a
  42. 1-to-1 mapping back to the file's original bytes. ConvertTo-String is
  43. useful for performing binary regular expressions.
  44.  
  45. .PARAMETER Path
  46.  
  47. Specifies the path to the file to convert.
  48.  
  49. .EXAMPLE
  50.  
  51. PS C:\>$BinaryString = ConvertTo-String C:\Windows\SysWow64\kernel32.dll
  52. PS C:\>$HotpatchableRegex = [Regex] '[\xCC\x90]{5}\x8B\xFF'
  53. PS C:\>$HotpatchableRegex.Matches($BinaryString)
  54.  
  55. Description
  56. -----------
  57. Converts kernel32.dll into a string. A binary regular expression is
  58. then performed on the string searching for a hotpatchable code
  59. sequence - i.e. 5 nop/int3 followed by a mov edi, edi instruction.
  60.  
  61. .NOTES
  62.  
  63. The intent of ConvertTo-String is not to replicate the functionality
  64. of strings.exe, rather it is intended to be used when
  65. performing regular expressions on binary data.
  66. #>
  67.  
  68.     [OutputType([String])]
  69.     Param (
  70.         [Parameter( Mandatory = $True,
  71.                     Position = 0,
  72.                     ValueFromPipeline = $True )]
  73.         [ValidateScript({-not (Test-Path $_ -PathType Container)})]
  74.         [String]
  75.         $Path
  76.     )
  77.  
  78.     $FileStream = New-Object -TypeName IO.FileStream -ArgumentList (Resolve-Path $Path), 'Open', 'Read'
  79.  
  80.     # Note: Codepage 28591 returns a 1-to-1 char to byte mapping
  81.     $Encoding = [Text.Encoding]::GetEncoding(28591)
  82.    
  83.     $StreamReader = New-Object IO.StreamReader($FileStream, $Encoding)
  84.  
  85.     $BinaryText = $StreamReader.ReadToEnd()
  86.  
  87.     $StreamReader.Close()
  88.     $FileStream.Close()
  89.  
  90.     Write-Output $BinaryText
  91. }
  92.  
  93. # Microsoft-Windows-WMI-Activity ETW Provider GUID
  94. # This can be obtained by running the following: logman.exe query providers
  95. $ProviderGUID = [Guid] '{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}'
  96. $ProviderGUIDRegexString = ($ProviderGUID.ToByteArray() | ForEach-Object { "\x$($_.ToString('X2'))" }) -join ''
  97. # \x04\xEF\x18\x14\xB4\xB0\x23\x46\xBF\x7E\xD7\x4A\xB4\x7B\xBD\xAA
  98. $ProviderGUIDRegex = [Regex] $ProviderGUIDRegexString
  99.  
  100. <#
  101.    Identify all PEs in System32 that contain the ETW provider GUID byte pattern
  102.    and display the offsets of the byte pattern. If the byte pattern is found,
  103.    you can take the index and convert it to a virtual address and jump right to
  104.    it in IDA. ConvertTo-String is used to convert a byte array into a string such
  105.    that there is a one-to-one byte to character correspondance, enabling binary
  106.    regex searching.
  107. #>
  108. $ProviderMatches = ls C:\Windows\System32\* -Include '*.dll', '*.sys', '*.exe' |
  109.     Where-Object { (ConvertTo-String -Path $_.FullName) -match $ProviderGUIDRegexString } |
  110.         ForEach-Object {
  111.             $RegexMatches = $ProviderGUIDRegex.Matches((ConvertTo-String -Path $_.FullName))
  112.  
  113.             [PSCustomObject] @{
  114.                 FileName = $_.FullName
  115.                 Matches = $RegexMatches
  116.             }
  117.         }
  118.  
  119. <#
  120. Matches on the following files:
  121.  
  122. * C:\Windows\System32\aitstatic.exe
  123. * C:\Windows\System32\miutils.dll
  124. * C:\Windows\System32\wbemcomn.dll
  125.  
  126. Now we need to identify the file offset so that we can then identify the VA and track it down in IDA
  127. #>
  128. #endregion
  129.  
  130.  
  131. #region Demo #3: Identify potential event log events generated after executing WMI "lateral movement"
  132.  
  133. # Log the time prior to executing the action.
  134. # This will be used as parth of an event log XPath filter.
  135. $DateTimeBefore = [Xml.XmlConvert]::ToString((Get-Date).ToUniversalTime())
  136.  
  137. #region Perform your attack here
  138. $CreateArgs = @{
  139.     Namespace = 'root/cimv2'
  140.     ClassName = 'Win32_Process'
  141.     MethodName = 'Create'
  142.     Arguments = @{ CommandLine = 'notepad.exe' }
  143. }
  144.  
  145. Invoke-CimMethod @CreateArgs
  146. #endregion
  147.  
  148. Start-Sleep -Seconds 5
  149.  
  150. # Iterate over every event log that has populated events and
  151. # has events that were generated after we noted the time.
  152. $Events = Get-WinEvent -ListLog * | Where-Object { $_.RecordCount -gt 0 } | ForEach-Object {
  153.     Get-WinEvent -LogName $_.LogName -FilterXPath "*[System[TimeCreated[@SystemTime >= '$DateTimeBefore']]]" -ErrorAction Ignore
  154. }
  155.  
  156. #endregion
  157.  
  158.  
  159. #region Demo #4: Capture Microsoft-Windows-WMI-Activity ETW trace
  160.  
  161. logman start WMITrace -p Microsoft-Windows-WMI-Activity 0xFFFFFFFFFFFFFFFF 0xFF -o WMITrace.etl -ets
  162.  
  163. #region Perform your attack here
  164. $CreateArgs = @{
  165.     Namespace = 'root/cimv2'
  166.     ClassName = 'Win32_Process'
  167.     MethodName = 'Create'
  168.     Arguments = @{ CommandLine = 'notepad.exe' }
  169. }
  170.  
  171. Invoke-CimMethod @CreateArgs
  172. #endregion
  173.  
  174. logman stop WMITrace -ets
  175. tracerpt WMITrace.etl -o WMITrace.evtx -of EVTX -lr
  176.  
  177. # Interesting, relevant event IDs: 11, 12, 22, 23
  178.  
  179. Get-WinEvent -Path .\WMITrace.evtx -FilterXPath "*[System[EventID=11 or EventID=12 or EventID=22 or EventID=23 and EventID!=0]]"
  180. #endregion
  181.  
  182.  
  183. #region Demo #5: Win32_Process class cloning evasion test - i.e. attempt to evade event ID 23
  184. $Class = [WmiClass] 'Win32_Process'
  185. $NewClass = $Class.Derive('Win32_Not_A_Process')
  186. # Persist the new class to the WMI repository
  187. $NewClass.Put()
  188.  
  189. # Microsoft-Windows-WMI-Activity/Trace keyword value: 0x8000000000000000
  190. # We're not interested in Microsoft-Windows-WMI-Activity/Debug events
  191. logman start WMITrace -p Microsoft-Windows-WMI-Activity 0x8000000000000000 0xFF -o WMITrace2.etl -ets
  192.  
  193. #region Perform your attack here
  194. $CreateArgs = @{
  195.     Namespace = 'root/cimv2'
  196.     ClassName = 'Win32_Not_A_Process'
  197.     MethodName = 'Create'
  198.     Arguments = @{ CommandLine = 'notepad.exe' }
  199. }
  200.  
  201. Invoke-CimMethod @CreateArgs
  202. #endregion
  203.  
  204. logman stop WMITrace -ets
  205. tracerpt WMITrace2.etl -o WMITrace2.evtx -of EVTX -lr
  206.  
  207. Get-WinEvent -Path .\WMITrace2.evtx -FilterXPath "*[System[EventID=11 or EventID=12 or EventID=22 or EventID=23 and EventID!=0]]"
  208.  
  209. # Our evasion attempt appears to have failed because event ID 23 was still captured.
  210. #endregion
  211.  
  212.  
  213. #region Demo #6: Capture a WPP trace for WMI-related functionality
  214. # The WPP provider GUID for wbemcomn.dll and wbemcore.dll: 1ff6b227-2ca7-40f9-9a66-980eadaa602e
  215. # This demo requires the Windows SDK to be installed
  216. logman start WMIWPPTrace -p "{1ff6b227-2ca7-40f9-9a66-980eadaa602e}" 7 0xFF -ets -mode 0x8100 -rt
  217. "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\tracelog.exe" -start WMIWPPTrace -guid #1FF6B227-2CA7-40f9-9A66-980EADAA602E -rt -level 5 -flag 0x7
  218. "C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\tracefmt.exe" -rt WMIWPPTrace -displayonly
  219. logman stop WMIWPPTrace -ets
  220. #endregion
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top