
Removing Backdoors Powershell Empire Edition

[Category: Systems (Windows) | Posted by 店小二05 | 2017 | Author: 红领巾]


I’m a big fan of Powershell Empire for penetration testing. If you haven’t heard of it, it is a post-exploitation framework that uses powershell agents to run post-exploitation scripts on a target system. This blog post addresses a small subset of its modules, in particular the persistence modules.

The purpose of the persistence modules is to keep access to the compromised host. Some methods survive reboots, which lets them persist much longer than memory-only methods. The downside for attackers is that in order to survive a reboot some data must be written to disk. This leaves artifacts that defenders can find or security tools can detect.

I’ve created a simple tool to identify Powershell Empire persistence artifacts. It is called NorkNork, and it is available on my Github. It currently searches for these methods:

- Scheduled Tasks
- Auto-run
- WMI subscriptions
- Security Support Provider
- Ease of Access Center backdoors
- Machine account password disable

In this post we will go through each finding and explain how to disable it.

Userland

I will start with the userland persistence methods. These methods can be executed on a target without administrative access.

Running NorkNork we get three important pieces of output.


[Screenshot: NorkNork output]

NorkNork found a malicious scheduled task and provides information on the name and the command that is run. We can see that it is named “Updater” and it contains a command to execute a powershell command. We can verify this by running

schtasks /query /V

on the command line or by opening up the Task Scheduler. Using the GUI is likely the easiest way to remove this, so all you need to do is select the task and click the “Delete” button on the right-hand pane, or right-click it and select “Delete”.



The next finding is evidence of run keys in the windows registry. If you are not familiar with these, a more detailed description is here.



Since this is an unprivileged key, we can find it at:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To remove it, open regedit and drill down to the path where the run key is stored.



Right-click on the key and click “Delete”. You may have noticed the command in the powershell script and realized what it does. As you can see, it executes a powershell command that is stored in a variable named “x”. The value of “x” is read from a registry key. The command itself gives us the location of that registry key. NorkNork will automatically enumerate the default key location and decode the content of the payload, as seen below.


[Screenshot: NorkNork decoding the payload stored in the registry]
This information has value to defenders as it exposes the IP of the Empire server. It also shows the user-agent of the stager. Defenders can use this information to identify other agents throughout their network. To remove the payload, delete it in the same way you deleted the run key.

Elevated

The elevated modules assume that the attacker has obtained administrative privileges. Much like the userland version, run keys can be used to automatically start an Empire stager. The difference is instead of storing the key under HKEY_CURRENT_USER, it is stored under HKEY_LOCAL_MACHINE.



You will also notice that the payload is stored under HKEY_LOCAL_MACHINE as well. You can remove both of them using the same method as the userland version.

The scheduled task can also run with administrative permissions, and removal is the same as before.
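The Run key and scheduled task findings above (userland and elevated) can be reproduced without NorkNork. The following script is an added example, not code from the original post or from NorkNork: it scans both Run hives and all scheduled tasks for PowerShell launchers, and when a launcher reads its payload from a registry value (the “$x” pattern described above) it resolves and base64-decodes that value so the server address and user-agent become visible. The launcher regex and the `gp <key> <value>` parsing are assumptions about the launcher’s shape; the removal helpers mirror the manual steps and honour `-WhatIf`.

```powershell
# Added example (not from the original post, not part of NorkNork).
# Assumes Windows PowerShell 5.x with the ScheduledTasks module (Windows 8 / Server 2012 or later).

# Assumption: a launcher is "powershell" plus one of these tell-tale switches or cmdlets.
$launcherPattern = 'powershell.*(-enc|-w\s+hidden|-windowstyle\s+hidden|IEX|Invoke-Expression|Get-ItemProperty|\bgp\b)'

function Decode-Base64Payload {
    param([string]$Blob)
    try { $bytes = [Convert]::FromBase64String($Blob.Trim()) } catch { return $null }
    # "powershell -enc" takes UTF-16LE; fall back to UTF-8 if the second byte is not a NUL.
    if ($bytes.Length -ge 2 -and $bytes[1] -eq 0) { return [Text.Encoding]::Unicode.GetString($bytes) }
    return [Text.Encoding]::UTF8.GetString($bytes)
}

function Get-ReferencedPayload {
    param([string]$Command)
    # Assumption: the launcher contains "(gp <key> <value>)" or "Get-ItemProperty <key> <value>".
    if ($Command -match '(?:gp|Get-ItemProperty)\s+[''"]?([^\s''"\)]+)[''"]?\s+[''"]?(\w+)') {
        $key = $Matches[1]; $name = $Matches[2]
        if (Test-Path -Path $key) {
            $blob = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($blob) {
                return [pscustomobject]@{ Key = $key; Value = $name; Decoded = (Decode-Base64Payload ([string]$blob)) }
            }
        }
    }
    return $null
}

function Get-SuspiciousRunKeys {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath / PSParentPath / PSProvider metadata
            $cmd = [string]$p.Value
            if ($cmd -match $launcherPattern) {
                [pscustomobject]@{ Source = "$key!$($p.Name)"; Command = $cmd; Payload = (Get-ReferencedPayload $cmd) }
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $launcherPattern) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $cmd; Payload = (Get-ReferencedPayload $cmd) }
            }
        }
    }
}

# Removal helpers for the two artifact types; both support -WhatIf / -Confirm.
function Remove-RunKeyEntry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key!$Name", 'Remove registry value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

function Remove-PersistenceTask {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$TaskName)
    if ($PSCmdlet.ShouldProcess($TaskName, 'Unregister scheduled task')) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
}

# Run the audit and print each finding with its decoded payload, if one was referenced.
$findings = @(Get-SuspiciousRunKeys) + @(Get-SuspiciousScheduledTasks)
foreach ($f in $findings) {
    Write-Output "[!] $($f.Source)"
    Write-Output "    launcher : $($f.Command)"
    if ($f.Payload) {
        Write-Output "    payload  : $($f.Payload.Key)!$($f.Payload.Value)"
        Write-Output "    decoded  : $($f.Payload.Decoded)"
    }
}
if (-not $findings) { Write-Output 'No PowerShell launchers found in Run keys or scheduled tasks.' }
```

Once a finding is confirmed, remove the launcher and the payload value it references, e.g. `Remove-RunKeyEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name Updater -WhatIf` to preview and then without `-WhatIf`; the decoded stager text is worth keeping, since it carries the Empire server address and user-agent that the post recommends using to hunt for other agents.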

The most troubling method is via WMI subscriptions.



This technique is newer than the others, and more difficult to remove and detect. For a detailed explanation of what WMI subscriptions are, I recommend reading this post.

To manually verify the results of NorkNork, you can run:

powershell Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

in powershell. Scrolling through the data, one event should stick out from the rest as it contains a very large blob of base64 data. If you base64 decode it, you should see the same data that we saw before for the stager. The important thing to isolate is the name. In the case of this example, it is “evil”.

When the WMI subscription is created, several objects are created. Reviewing the source code of this module tells us that a WMI Event Filter, an Event Consumer, and a binding between the two are created. We need to remove all three.

To remove the binding, run the command below, replacing ‘evil’ with whatever the subscription is named.

Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'evil'} | Remove-WmiObject;

To remove the Event Consumer run:

Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -Filter "name='evil'" | Remove-WmiObject

Lastly, you need to remove the Event Filter; if you want to confirm that the removal actually worked, you can use the -Verbose switch.

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='evil'" | Remove-WmiObject -Verbose
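The three removal commands above only work once you know the subscription name, and scrolling through `__EventConsumer` output by hand is slow. The script below is an added example (not from the original post or NorkNork): it walks every binding in root\subscription, joins it to its filter and consumer, flags consumers that launch PowerShell with a large base64 blob, and wraps the binding/consumer/filter removal into one function with `-WhatIf` support. The “large base64 blob” heuristic and the `-ConsumerName` parameter are my assumptions; the class names and namespace are the ones the post already uses.

```powershell
# Added example (not from the original post, not part of NorkNork).
# Assumes Windows PowerShell 5.x (Get-WmiObject); run elevated so all subscriptions are visible.

$ns = 'root\subscription'

function Get-WmiNameFromRef {
    param([string]$Ref)
    # Binding references look like: __EventFilter.Name="evil" or CommandLineEventConsumer.Name="evil"
    if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
    return $Ref
}

function Get-WmiSubscriptions {
    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        $filterName   = Get-WmiNameFromRef $b.Filter
        $consumerName = Get-WmiNameFromRef $b.Consumer
        $filter   = Get-WmiObject -Namespace $ns -Class __EventFilter   -Filter "Name='$filterName'"
        $consumer = Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$consumerName'"
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = [string]$(if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText })
        # Assumption: a PowerShell launcher with 200+ contiguous base64 characters is an encoded stager.
        $suspicious = ($payload -match 'powershell') -and ($payload -match '[A-Za-z0-9+/]{200,}={0,2}')
        [pscustomobject]@{
            Filter        = $filterName
            Query         = $filter.Query
            Consumer      = $consumerName
            ConsumerClass = $consumer.__CLASS
            PayloadLength = $payload.Length
            Suspicious    = $suspicious
        }
    }
}

function Remove-WmiSubscription {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,   # filter name, as used in the manual steps
        [string]$ConsumerName = $Name          # consumer name, if it differs from the filter name
    )
    # Same three steps as the manual removal: binding first so nothing fires mid-cleanup.
    if ($PSCmdlet.ShouldProcess($Name, 'Remove WMI binding, consumer and filter')) {
        Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
            Where-Object { (Get-WmiNameFromRef $_.Filter) -eq $Name } | Remove-WmiObject
        Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
        Get-WmiObject -Namespace $ns -Class __EventFilter   -Filter "Name='$Name'"         | Remove-WmiObject -Verbose
    }
}

# List everything, suspicious entries first.
Get-WmiSubscriptions | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Review the table before removing anything: legitimate products (backup agents, monitoring tools) also register subscriptions, so the `Suspicious` column is a prompt to inspect the consumer payload, not a verdict. For a confirmed entry, `Remove-WmiSubscription -Name evil -WhatIf` shows what would be deleted, and re-running `Get-WmiSubscriptions` afterwards confirms the binding, consumer and filter are all gone.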

Debugger

This next section is going to cover the debugger methods. From the Powershell Empire documentation, “The persistence/debugger/* modules allow you to set the “Image File Execution Options” (aka the debugger) for various executables that are accessible pre-login on the RDP prompt. By default the debugger is set to cmd.exe, which allows you to trigger a command prompt running as SYSTEM through RDP, without having to actually log into the machine.”

Here is a screenshot of NorkNork enumerating these:


[Screenshot: NorkNork enumerating debugger persistence]

This probably looks familiar to you by now; as you can see, the payload is stored in a different registry key than the others. We can remove it using the same methods as described above.

The debugger command is stored in a registry key. It is stored in H
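The Empire documentation quoted above names the mechanism (Image File Execution Options), and the standard location for those settings is the IFEO key under HKLM, so a defender can audit every `Debugger` value directly. The script below is an added example, not code from the original post or NorkNork: it lists every image with a `Debugger` value, highlights those for accessibility and logon-screen binaries (reachable from the RDP prompt before sign-in) and those pointing at cmd.exe, and provides a `-WhatIf`-aware removal helper. The list of pre-login images is a representative assumption, not exhaustive.

```powershell
# Added example (not from the original post, not part of NorkNork).
# Assumes Windows PowerShell 5.x; run elevated to read and remove values under HKLM.

# Standard IFEO key (a Windows location, not a value taken from the post).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: accessibility / logon-screen helpers that can be launched before a user signs in.
$preLoginImages = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebuggers {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $image = $_.PSChildName
        $dbg   = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image       = $image
                Debugger    = $dbg
                PreLogin    = $preLoginImages -contains $image.ToLower()
                LaunchesCmd = [bool]($dbg -match 'cmd\.exe')
            }
        }
    }
}

function Remove-IfeoDebugger {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $ifeo $Image
    if ($PSCmdlet.ShouldProcess("$key!Debugger", 'Remove Debugger value')) {
        # Remove only the Debugger value; any other IFEO settings for the image are left in place.
        Remove-ItemProperty -Path $key -Name Debugger
    }
}

$entries = @(Get-IfeoDebuggers)
$entries | Sort-Object PreLogin, LaunchesCmd -Descending | Format-Table -AutoSize
$entries | Where-Object { $_.PreLogin -or $_.LaunchesCmd } | ForEach-Object {
    Write-Warning "IFEO debugger on $($_.Image): $($_.Debugger)  (remove with: Remove-IfeoDebugger -Image $($_.Image))"
}
```

Developer tooling legitimately registers debuggers (a just-in-time debugger on a developer workstation, for example), so treat an entry as a finding when the image is one that runs before logon or the debugger is a shell; a `Debugger` value of cmd.exe on sethc.exe or utilman.exe has no benign explanation and should be removed with `Remove-IfeoDebugger -Image sethc.exe` after previewing with `-WhatIf`.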

Source: http://www.codesec.net/view/530629.html