-
Notifications
You must be signed in to change notification settings - Fork 28
/
Copy pathwmi-notes
103 lines (85 loc) · 3.28 KB
/
wmi-notes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
Commandline logging is a must to determine maliciousness
Check disk, MFT, and memory
Command to enable WMI trace logs
• ”wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true”
- May generate a significant amount of log activity (WMI is often used by legit applications)
- If enabled, logs:
- WMI-Activity Windows event log
- Pre-Vista, WMI Service logs stored in “%SYSTEMROOT%\wbem\logs\”
wbemcore.log
mofcomp.log
wbemprox.log
Log sources you may find on pre-Vista systems
- wbemcore.log
Logon activity and authentication failures (required setting: verbose)
- mofcomp.log
Successful and failed MOF compile operations including the name and path of MOF files, whether it was
imported, and failures (required setting: verbose)
- wbemprox.log
Login failures based on incorrect credentials, service availability, or permissions issues (required setting:
errors or verbose)
ActiveScriptEventConsumer
Exec a predefined script - VB/JScript
CommandLineEventConsumer
mofcomp.exe -N is used to compile an event-consumer
Less malicious types: LogFileEvent,NTEventLogEvent,SMTPEvent,Custom Consumer
Malicious MOF files may still be present on disk
- Example: “C:\Windows\Addins\evil.mof”
MOF files may be copied into the autorecovery directory after the originals were deleted
- “C:\Windows\System32\wbem\autorecovery\[RAND].mof”
References to MOF files may be found in the binary tree index.
- “C:\Windows\System32\wbem\Repository\index.btr”
New WMI classes are stored in the CIM repository. This shoud be pulled and analyzed
- File location: “C:\Windows\System32\wbem\Repository\fs\objects.data”
PRAGMA AUTORECOVER helps for persistence .
The list of MOF files for autorecovery is stored in the following registry key and dir:
- “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\autorecover mofs” (Shows folder only) .
- \Windows\System32\wbem\Autorecover
Registering a WMI Event Filter useing “Win32_LocalTime” creates the following empty key
- “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ESS\//./root/CIMV2\Win32ClockProvider”
Logging: WMI-Activity Operation Log
Win2012R2+: Event ID 5861 records permanent event consumer creation
Event Filter and consumer recorded
Log strings to search for:
- EventConsumer
- EventFilter
- FilterToConsumerBinding
- Wscript.shell
- Wscript.sleep
- ActiveXObject
- On Error Resume Next
Search consumers for the text
- .exe, .dll, .vbs, .eval, .ps1
- ActiveXObject
- powershell
- CommandLineTemplate
- ScriptText
Check Shimcache, Prefetch, AppCompatCache for related executables:
cscript.exe
wscript.exe
scrcons.exe
mofcomp.exe
wmic.exe
wmiexec.py
wmiprvse.exe: parent process of CLIEventConsumers and WinRM
not svchost.exe
ex calling powershell, ex. called by wmic.exe
wsmprovhost.exe: the target's process during remote execution
scrcons.exe: the parent process of ActiveScriptEventConsumers
wmic process call create
/node:
Invoke-WmiMethod / Invoke-CimMethod (Powershell)
Get-WmiObject -Namespace * -class __EventConsumer
Parse WMI Repository Offline: python-cim
/flare-wmi/show_filtertoconsumerbindings.py
/timeline.py uses ClassCreationDate and InstanceCreationDate
Common False Positives:
SCM Event Log
BVTFilter
TSloginEvents.vbs
TSLogonFilter
RAevent.vbs
RMAssistEventFilter
KernCap.vbs
NTEventLogConsumer
WSCEAA.exe (Dell)