From 10833bacc7f3c5a94c2495056f0da48ca0145d1d Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:53:50 -0500
Subject: [PATCH] Delete TTPs/Persistence/wmi.py

---
 TTPs/Persistence/wmi.py | 188 ----------------------------------------
 1 file changed, 188 deletions(-)
 delete mode 100644 TTPs/Persistence/wmi.py

diff --git a/TTPs/Persistence/wmi.py b/TTPs/Persistence/wmi.py
deleted file mode 100644
index af1cfea..0000000
--- a/TTPs/Persistence/wmi.py
+++ /dev/null
@@ -1,188 +0,0 @@
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def wmi_submenu():
- """
- Submenu for Windows Management Instrumentation (WMI) Persistence Indicators.
- """
- actions = {
- "1": {"description": "Source Event Logs", "function": source_event_logs},
- "2": {"description": "Destination Event Logs", "function": destination_event_logs},
- "3": {"description": "Source Registry", "function": source_registry},
- "4": {"description": "Destination Registry", "function": destination_registry},
- "5": {"description": "Source File System", "function": source_file_system},
- "6": {"description": "Destination File System", "function": destination_file_system},
- "7": {"description": "WMI Event Consumer Backdoors", "function": wmi_event_backdoors},
- "8": {"description": "WMIEXEC Analysis", "function": wmiexec_analysis},
- "9": {"description": "Additional Detection Tips", "function": additional_detection_tips},
- }
- build_submenu("WMI Persistence", actions)
-
-# Individual submenu functions
-
-def source_event_logs():
- title = "WMI Source Event Logs"
- content = """
-`security.evtx`:
-- `4648` – Logon specifying alternate credentials
- - Current logged-on User Name
- - Alternate User Name
- - Destination Host Name/IP
- - Process Name
-"""
- print_info(title, content)
-
-def destination_event_logs():
- title = "WMI Destination Event Logs"
- content = """
-`security.evtx`:
-- `4624` Logon Type 3
- - Source IP/Logon User Name
-- `4672`
- - Logon User Name
- - Logon by a user with administrative rights
-
-`Microsoft-Windows-WMI-Activity/Operational.evtx`:
-- `5857`
- - Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.
-- `5860`, `5861`
- - Registration of Temporary (5860) and Permanent (5861) Event Consumers.
- - Typically used for persistence, but can also be used for remote execution.
-"""
- print_info(title, content)
-
-def source_registry():
- title = "WMI Source Registry"
- content = """
-- **ShimCache** – SYSTEM
- - `wmic.exe`
-- **BAM_DAM** – SYSTEM – Last Time Executed
- - `wmic.exe`
-- **AmCache.hve** – First Time Executed
- - `wmic.exe`
-"""
- print_info(title, content)
-
-def destination_registry():
- title = "WMI Destination Registry"
- content = """
-- **ShimCache** – SYSTEM
- - `scrcons.exe`
- - `mofcomp.exe`
- - `wmiprvse.exe`
- - `evil.exe`
-- **AmCache.hve** – First Time Executed
- - `scrcons.exe`
- - `mofcomp.exe`
- - `wmiprvse.exe`
- - `evil.exe`
-"""
- print_info(title, content)
-
-def source_file_system():
- title = "WMI Source File System"
- content = """
-- **Prefetch**:
- - `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
-"""
- print_info(title, content)
-
-def destination_file_system():
- title = "WMI Destination File System"
- content = """
-- **File Creation**:
- - `evil.exe`
- - `evil.mof` - .mof files can be used to manage the WMI Repository.
-
-- **Prefetch**:
- - `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
- - `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
- - `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
- - `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
-
-- **Unauthorized changes to the WMI Repository**:
- - `C:\\Windows\\System32\\wbem\\Repository`
-"""
- print_info(title, content)
-
-def wmi_event_backdoors():
- title = "WMI Event Consumer Backdoors"
- content = """
-### WMI Event Triggers:
-- Event triggers can be used to execute arbitrary code when specific conditions are met.
-
-### WMI Event Filters:
-- Define conditions under which events trigger.
-- Example: Trigger on process start.
-
-### WMI Event Consumers:
-- Define actions for triggered events.
-- Example: Execute a script.
-
-### WMI Event Bindings:
-- Link filters and consumers.
-- Example: Detect process start and execute a script.
-
-### Example Malicious MOF File:
-
-#PRAGMA AUTORECOVER #PRAGMA NAMESPACE("\\.\root\subscription")
-
-instance of __EventFilter as $Filter { Name = "SCM Event Filter"; QueryLanguage = "WQL"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='sens'"; };
-
-instance of CommandLineEventConsumer as $Consumer { Name = "SCM Event Consumer"; ExecutablePath = "c:\windows\system32\cmd.exe"; CommandLineTemplate = "net stop sens && net start sens"; };
-
-instance of __FilterToConsumerBinding { Filter = $Filter; Consumer = $Consumer; };
-
-
-### Detection and Mitigation:
-- Use tools like Sysmon or Autoruns to monitor WMI activity.
-- Regular audits of WMI filters and consumers can identify unauthorized entries.
-"""
- print_info(title, content)
-
-def wmiexec_analysis():
- title = "WMIEXEC Analysis"
- content = """
-`wmiexec.py` Usage:
-- **Command**: `wmiexec.py domain/username:password@[hostname | IP] command`
-- Executes a semi-interactive shell using WMI.
-- Uses UNIX Epoch Time in commands.
-- NOT detected and blocked by Windows Defender by default.
-
-### Windows Event Log Residue:
-- **Multiple rounds**:
- - Event ID `4776` in Security on target (for user specified in command).
- - Event ID `4672` in Security on target (for user specified in command).
- - Event ID `4624` Type 3 in Security on target (for user specified in command).
-
-- **Always present**:
- - Event ID `4688` in Security on target:
- - `wmiprvse.exe` → `cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__ssssssssss.sssssss 2>&1`.
- - Event ID `4688` in Security on target:
- - `cmd.exe` → `conhost.exe 0xffffffff -ForceV1`.
-
-- **If Enabled**:
- - Event ID `5857/5858` in Microsoft-Windows-WMI-Activity\Operational on target.
-
-### Detection Tips:
-- Monitor for WMI commands triggering `wmiprvse.exe` and subsequent processes.
-- Look for unusual Event ID patterns tied to administrative privileges.
-"""
- print_info(title, content)
-
-def additional_detection_tips():
- title = "Additional WMI Detection Tips"
- content = """
-### Advanced Detection:
-- Enable and monitor verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
-- Use Sysmon Event IDs `20` (WMI Activity) and `21` (WMI Consumer/Filter) for detection.
-
-### Correlation:
-- Correlate WMI activity with unusual file system or registry changes.
-- Watch for newly created `.mof` files or suspicious DLLs loaded by `wmiprvse.exe`.
-
-### Threat Intelligence:
-- Understand common TTPs for WMI abuse from frameworks like MITRE ATT&CK.
-- Research WMI use by known APTs or malware families.
-"""
- print_info(title, content)