Upload files to "Modules/Persistence"

Modules/Persistence/wmi.py

@@ -0,0 +1,120 @@
+def get_content():
+    """
+    Returns structured content for the WMI persistence method.
+    """
+    return [
+        {
+            "title": "WMI Source Event Logs",
+            "content": """
+### Source Event Logs
+`security.evtx`:
+- `4648` – Logon specifying alternate credentials
+    - Current logged-on User Name
+    - Alternate User Name
+    - Destination Host Name/IP
+    - Process Name
+            """
+        },
+        {
+            "title": "WMI Destination Event Logs",
+            "content": """
+### Destination Event Logs
+`security.evtx`:
+- `4624` Logon Type 3
+    - Source IP/Logon User Name
+- `4672`
+    - Logon User Name
+    - Logon by a user with administrative rights
+
+`Microsoft-Windows-WMI-Activity/Operational.evtx`:
+- `5857`
+    - Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.
+- `5860`, `5861`
+    - Registration of Temporary (5860) and Permanent (5861) Event Consumers.
+    - Typically used for persistence, but can also be used for remote execution.
+            """
+        },
+        {
+            "title": "WMI Source Registry",
+            "content": """
+### Source Registry
+- **ShimCache** – SYSTEM
+    - `wmic.exe`
+- **BAM_DAM** – SYSTEM – Last Time Executed
+    - `wmic.exe`
+- **AmCache.hve** – First Time Executed
+    - `wmic.exe`
+            """
+        },
+        {
+            "title": "WMI Destination Registry",
+            "content": """
+### Destination Registry
+- **ShimCache** – SYSTEM
+    - `scrcons.exe`
+    - `mofcomp.exe`
+    - `wmiprvse.exe`
+    - `evil.exe`
+- **AmCache.hve** – First Time Executed
+    - `scrcons.exe`
+    - `mofcomp.exe`
+    - `wmiprvse.exe`
+    - `evil.exe`
+            """
+        },
+        {
+            "title": "WMI Source File System",
+            "content": """
+### Source File System
+- **Prefetch**:
+    - `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
+            """
+        },
+        {
+            "title": "WMI Destination File System",
+            "content": """
+### Destination File System
+- **File Creation**:
+    - `evil.exe`
+    - `evil.mof` - .mof files can be used to manage the WMI Repository.
+
+- **Prefetch**:
+    - `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
+    - `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
+    - `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
+    - `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
+
+- **Unauthorized changes to the WMI Repository**:
+    - `C:\\Windows\\System32\\wbem\\Repository`
+            """
+        },
+        {
+            "title": "WMI Event Consumer Backdoors",
+            "content": """
+### WMI Event Consumer Backdoors
+- **Event Filters**: Define conditions under which events trigger (e.g., process starts).
+- **Event Consumers**: Define actions for triggered events (e.g., execute a script).
+- **Event Bindings**: Link filters and consumers.
+            """
+        },
+        {
+            "title": "WMIEXEC Analysis",
+            "content": """
+### WMIEXEC Analysis
+- **Command Example**: `wmiexec.py domain/username:password@[hostname | IP] command`
+- **Logs**:
+    - Event ID `4648`, `4624`, `4672`, `5857`, `5861` indicate WMI activity.
+- **Detection**:
+    - Monitor commands triggering `wmiprvse.exe` and subsequent processes.
+            """
+        },
+        {
+            "title": "Additional WMI Detection Tips",
+            "content": """
+### Additional Detection Tips
+- Enable verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
+- Correlate WMI activity with file system or registry changes.
+- Research WMI use by known APTs or malware families.
+            """
+        }
+    ]