This article covers: DLL injection via APC to bypass Sysmon monitoring
0x00 Preface
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 255: Error
Create a new thread
Set the thread context and modify its registers
Insert into the APC queue
Modify the registry
Hook window messages
Implement LoadLibrary manually in the remote process
Shellcode Injection via QueueUserAPC - Hiding From Sysmon:
sysmon -accepteula -i -n
sysmon -c config.xml
<Sysmon schemaversion="3.20">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log all drivers except if the signature -->
    <!-- contains Microsoft or Windows -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
    </DriverLoad>
    <!-- Do not log process termination -->
    <ProcessTerminate onmatch="include" />
    <!-- Log network connection if the destination port equals 443 -->
    <!-- or 80, and the process isn't Internet Explorer -->
    <NetworkConnect onmatch="include">
      <DestinationPort>443</DestinationPort>
      <DestinationPort>80</DestinationPort>
    </NetworkConnect>
    <NetworkConnect onmatch="exclude">
      <Image condition="end with">iexplore.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
sysmon -c
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters
Control Panel\System and Security -> View event logs, then Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";}
<Sysmon schemaversion="3.20">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Log CreateRemoteThread (Event ID 8) only when the -->
    <!-- target image ends with calc.exe -->
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">calc.exe</TargetImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>
Sysmon.exe -c RecordCreateRemoteTh.xml
Sysmon.exe -c
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";ID=8}
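The configuration above only asks Sysmon for Event ID 8, which is exactly the event an APC-based injector avoids: QueueUserAPC schedules code on an existing thread, so no remote thread is created and the CreateRemoteThread rule stays silent. What the injector cannot avoid is opening a handle to the target process, which is what Event ID 10 (ProcessAccess) records. The following checker is an added example, not code from the article or from Sysmon; it parses a Sysmon EventFiltering section, classifies each rule type using the event list on this page, and flags a config that watches remote-thread creation without any ProcessAccess rule. Both sample configurations are constructed here (the first mirrors the page's RecordCreateRemoteTh.xml, the second adds a ProcessAccess rule for the same target); the reading of an empty include block as "log nothing" is an assumption about Sysmon's filter semantics.

```python
import xml.etree.ElementTree as ET

# Sysmon EventFiltering rule names mapped to the Event IDs listed on this page.
RULE_EVENT_IDS = {
    "ProcessCreate": 1, "FileCreateTime": 2, "NetworkConnect": 3,
    "ProcessTerminate": 5, "DriverLoad": 6, "ImageLoad": 7,
    "CreateRemoteThread": 8, "RawAccessRead": 9, "ProcessAccess": 10,
    "FileCreate": 11, "RegistryEvent": 12, "FileCreateStreamHash": 15,
}

# Constructed sample 1: same shape as the page's RecordCreateRemoteTh.xml.
THREAD_ONLY_CONFIG = """<Sysmon schemaversion="3.20">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">calc.exe</TargetImage>
    </CreateRemoteThread>
  </EventFiltering>
</Sysmon>"""

# Constructed sample 2: adds a ProcessAccess (Event ID 10) rule for the same target.
WITH_PROCESS_ACCESS_CONFIG = """<Sysmon schemaversion="3.20">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <CreateRemoteThread onmatch="include">
      <TargetImage condition="end with">calc.exe</TargetImage>
    </CreateRemoteThread>
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">calc.exe</TargetImage>
    </ProcessAccess>
  </EventFiltering>
</Sysmon>"""


def parse_rules(config_xml):
    """Return [(rule_name, onmatch, [(field, condition, value), ...]), ...]."""
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    if filtering is None:
        return []
    rules = []
    for rule in filtering:
        # Each child of a rule block is one filter; Sysmon's default condition is "is".
        filters = [(f.tag, f.get("condition", "is"), (f.text or "").strip())
                   for f in rule]
        rules.append((rule.tag, rule.get("onmatch", "unspecified"), filters))
    return rules


def rule_states(config_xml):
    """Classify every known rule type by what the config says about it.

    'unconfigured'     : no block at all, Sysmon's built-in default for the type applies
    'include-empty'    : <X onmatch="include"/> with no filters, assumed to log nothing
    'include-filtered' : only events matching the listed filters are logged
    'exclude-filtered' : everything except the listed filters is logged
    """
    blocks = {}
    for name, onmatch, filters in parse_rules(config_xml):
        blocks.setdefault(name, []).append((onmatch, filters))
    states = {}
    for name in RULE_EVENT_IDS:
        if name not in blocks:
            states[name] = "unconfigured"
        elif any(om == "include" and not flt for om, flt in blocks[name]):
            states[name] = "include-empty"
        elif any(om == "include" for om, _ in blocks[name]):
            states[name] = "include-filtered"
        elif any(om == "exclude" for om, _ in blocks[name]):
            states[name] = "exclude-filtered"
        else:
            states[name] = "unspecified-onmatch"
    return states


def apc_blind_spot(config_xml):
    """True when the config watches remote-thread creation (Event ID 8) but has
    no usable ProcessAccess rule (Event ID 10).

    APC injection creates no thread in the target, so Event ID 8 never fires;
    the process handle the injector must open is what Event ID 10 records.
    """
    states = rule_states(config_xml)
    watches_threads = states["CreateRemoteThread"] in ("include-filtered", "exclude-filtered")
    return watches_threads and states["ProcessAccess"] in ("unconfigured", "include-empty")


if __name__ == "__main__":
    for label, cfg in (("thread-only", THREAD_ONLY_CONFIG),
                       ("with ProcessAccess", WITH_PROCESS_ACCESS_CONFIG)):
        print(label, "-> APC blind spot:", apc_blind_spot(cfg))
```

Running the script reports a blind spot for the page's CreateRemoteThread-only configuration and none once a ProcessAccess rule for the same target image is present; a ProcessAccess rule is also where a GrantedAccess filter would normally go, since that field is what distinguishes handle opens needed for memory writes from ordinary queries.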
Original publication date: April 20, 2017
Author: 3gstudent
This article comes from 嘶吼, a partner of the Yunqi Community; follow the 嘶吼 website for related information.