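from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def wmi_submenu():
    """
    Submenu for Windows Management Instrumentation (WMI) Persistence Indicators.

    Builds the numbered action table and hands it to ``build_submenu``. Each
    entry maps a menu key to a short description and the zero-argument
    function that prints the matching set of indicator notes.
    """
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
        "3": {"description": "Source Registry", "function": source_registry},
        "4": {"description": "Destination Registry", "function": destination_registry},
        "5": {"description": "Source File System", "function": source_file_system},
        "6": {"description": "Destination File System", "function": destination_file_system},
        "7": {"description": "WMI Event Consumer Backdoors", "function": wmi_event_backdoors},
        "8": {"description": "WMIEXEC Analysis", "function": wmiexec_analysis},
        "9": {"description": "Additional Detection Tips", "function": additional_detection_tips},
    }
    build_submenu("WMI Persistence", actions)


# Individual submenu functions


def source_event_logs():
    """Print the Security log indicators to look for on the source host of WMI lateral movement."""
    title = "WMI Source Event Logs"
    content = """
`security.evtx`:
- `4648` – Logon specifying alternate credentials
  - Current logged-on User Name
  - Alternate User Name
  - Destination Host Name/IP
  - Process Name
"""
    print_info(title, content)


def destination_event_logs():
    """Print the Security and WMI-Activity log indicators to look for on the destination host."""
    title = "WMI Destination Event Logs"
    content = """
`security.evtx`:
- `4624` Logon Type 3
  - Source IP/Logon User Name
- `4672`
  - Logon User Name
  - Logon by a user with administrative rights

`Microsoft-Windows-WMI-Activity/Operational.evtx`:
- `5857`
  - Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.
- `5860`, `5861`
  - Registration of Temporary (5860) and Permanent (5861) Event Consumers.
  - Typically used for persistence, but can also be used for remote execution.
"""
    print_info(title, content)


def source_registry():
    """Print the registry-based execution artefacts expected on the source host (wmic.exe)."""
    title = "WMI Source Registry"
    content = """
- **ShimCache** – SYSTEM
  - `wmic.exe`
- **BAM_DAM** – SYSTEM – Last Time Executed
  - `wmic.exe`
- **AmCache.hve** – First Time Executed
  - `wmic.exe`
"""
    print_info(title, content)


def destination_registry():
    """Print the registry-based execution artefacts expected on the destination host."""
    title = "WMI Destination Registry"
    content = """
- **ShimCache** – SYSTEM
  - `scrcons.exe`
  - `mofcomp.exe`
  - `wmiprvse.exe`
  - `evil.exe`
- **AmCache.hve** – First Time Executed
  - `scrcons.exe`
  - `mofcomp.exe`
  - `wmiprvse.exe`
  - `evil.exe`
"""
    print_info(title, content)


def source_file_system():
    """Print the file-system artefacts (Prefetch) expected on the source host."""
    title = "WMI Source File System"
    content = """
- **Prefetch**:
  - `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
"""
    print_info(title, content)


def destination_file_system():
    """Print the file-system artefacts expected on the destination host, including WMI repository changes."""
    title = "WMI Destination File System"
    content = """
- **File Creation**:
  - `evil.exe`
  - `evil.mof`
    - .mof files can be used to manage the WMI Repository.
- **Prefetch**:
  - `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
  - `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
  - `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
  - `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
- **Unauthorized changes to the WMI Repository**:
  - `C:\\Windows\\System32\\wbem\\Repository`
"""
    print_info(title, content)


def wmi_event_backdoors():
    """
    Print an overview of WMI event subscription persistence (filter, consumer,
    binding) with an illustrative MOF file and the detection/mitigation notes.
    """
    title = "WMI Event Consumer Backdoors"
    # Raw string: the MOF sample contains Windows paths such as
    # "\\.\root\subscription" and "c:\windows\system32\cmd.exe". In a
    # normal literal the "\r" in "\root" became a carriage return (breaking
    # the displayed namespace) and "\s", "\w", "\c" are invalid escapes that
    # warn on recent Python versions. The raw literal prints the text exactly
    # as written.
    content = r"""
### WMI Event Triggers:
- Event triggers can be used to execute arbitrary code when specific conditions are met.

### WMI Event Filters:
- Define conditions under which events trigger.
- Example: Trigger on process start.

### WMI Event Consumers:
- Define actions for triggered events.
- Example: Execute a script.

### WMI Event Bindings:
- Link filters and consumers.
- Example: Detect process start and execute a script.

### Example Malicious MOF File:
#PRAGMA AUTORECOVER
#PRAGMA NAMESPACE("\\.\root\subscription")

instance of __EventFilter as $Filter
{
    Name = "SCM Event Filter";
    QueryLanguage = "WQL";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='sens'";
};

instance of CommandLineEventConsumer as $Consumer
{
    Name = "SCM Event Consumer";
    ExecutablePath = "c:\windows\system32\cmd.exe";
    CommandLineTemplate = "net stop sens && net start sens";
};

instance of __FilterToConsumerBinding
{
    Filter = $Filter;
    Consumer = $Consumer;
};

### Detection and Mitigation:
- Use tools like Sysmon or Autoruns to monitor WMI activity.
- Regular audits of WMI filters and consumers can identify unauthorized entries.
"""
    print_info(title, content)


def wmiexec_analysis():
    """Print the event-log residue and detection tips for impacket's wmiexec.py on the target host."""
    title = "WMIEXEC Analysis"
    # "\\Operational" is spelled with an escaped backslash so the literal has
    # no invalid "\O" escape; the printed text is unchanged.
    # NOTE(review): the command lines quoted under 4688 are only recorded when
    # process command-line auditing is enabled on the target — confirm in the lab.
    content = """
`wmiexec.py` Usage:
- **Command**: `wmiexec.py domain/username:password@[hostname | IP] command`
  - Executes a semi-interactive shell using WMI.
  - Uses UNIX Epoch Time in commands.
  - NOT detected and blocked by Windows Defender by default.

### Windows Event Log Residue:
- **Multiple rounds**:
  - Event ID `4776` in Security on target (for user specified in command).
  - Event ID `4672` in Security on target (for user specified in command).
  - Event ID `4624` Type 3 in Security on target (for user specified in command).
- **Always present**:
  - Event ID `4688` in Security on target:
    - `wmiprvse.exe` → `cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__ssssssssss.sssssss 2>&1`.
  - Event ID `4688` in Security on target:
    - `cmd.exe` → `conhost.exe 0xffffffff -ForceV1`.
- **If Enabled**:
  - Event ID `5857/5858` in Microsoft-Windows-WMI-Activity\\Operational on target.

### Detection Tips:
- Monitor for WMI commands triggering `wmiprvse.exe` and subsequent processes.
- Look for unusual Event ID patterns tied to administrative privileges.
"""
    print_info(title, content)


def additional_detection_tips():
    """Print general detection, correlation and threat-intelligence tips for WMI abuse."""
    title = "Additional WMI Detection Tips"
    # NOTE(review): Sysmon's WMI subscription events are 19 (filter),
    # 20 (consumer) and 21 (consumer-to-filter binding); the wording below
    # should be checked against the Sysmon documentation.
    content = """
### Advanced Detection:
- Enable and monitor verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
- Use Sysmon Event IDs `20` (WMI Activity) and `21` (WMI Consumer/Filter) for detection.

### Correlation:
- Correlate WMI activity with unusual file system or registry changes.
- Watch for newly created `.mof` files or suspicious DLLs loaded by `wmiprvse.exe`.

### Threat Intelligence:
- Understand common TTPs for WMI abuse from frameworks like MITRE ATT&CK.
- Research WMI use by known APTs or malware families.
"""
    print_info(title, content)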