Hunt-AI/TTPs/Persistence/wmi.py


from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def wmi_submenu():
    """
    Submenu for Windows Management Instrumentation (WMI) Persistence Indicators.

    Builds the numbered action table expected by ``build_submenu``: each menu
    key maps to a description and the handler function defined further down
    in this module. Keys are assigned in the order the entries are listed.
    """
    entries = [
        ("Source Event Logs", source_event_logs),
        ("Destination Event Logs", destination_event_logs),
        ("Source Registry", source_registry),
        ("Destination Registry", destination_registry),
        ("Source File System", source_file_system),
        ("Destination File System", destination_file_system),
        ("WMI Event Consumer Backdoors", wmi_event_backdoors),
        ("WMIEXEC Analysis", wmiexec_analysis),
        ("Additional Detection Tips", additional_detection_tips),
    ]
    # Menu keys are 1-based strings ("1" .. "9"), matching the other submenus.
    actions = {
        str(key): {"description": label, "function": handler}
        for key, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("WMI Persistence", actions)
# Individual submenu functions
def source_event_logs():
    """Show the Security event-log artifacts left on the *source* host of WMI activity.

    The body is hard-coded markdown-style text handed to ``print_info`` (from
    the ``ttp_imports`` star import) together with the section title.
    """
    print_info(
        "WMI Source Event Logs",
        """
`security.evtx`:
- `4648` Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
""",
    )
def destination_event_logs():
    """Show the event-log artifacts left on the *destination* host of WMI activity.

    Covers the Security log (logon / privilege events) and the
    WMI-Activity Operational log (provider load and event-consumer
    registration). The text is passed unchanged to ``print_info``.
    """
    heading = "WMI Destination Event Logs"
    body = """
`security.evtx`:
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
`Microsoft-Windows-WMI-Activity/Operational.evtx`:
- `5857`
- Indicates time of wmiprvse execution and path to provider DLL attackers sometimes install malicious WMI provider DLLs.
- `5860`, `5861`
- Registration of Temporary (5860) and Permanent (5861) Event Consumers.
- Typically used for persistence, but can also be used for remote execution.
"""
    print_info(heading, body)
def source_registry():
    """Show registry-based execution evidence for `wmic.exe` on the *source* host.

    Lists the ShimCache, BAM/DAM and AmCache locations where a prior
    `wmic.exe` execution is recorded; the text goes straight to ``print_info``.
    """
    print_info(
        "WMI Source Registry",
        """
- **ShimCache** SYSTEM
- `wmic.exe`
- **BAM_DAM** SYSTEM Last Time Executed
- `wmic.exe`
- **AmCache.hve** First Time Executed
- `wmic.exe`
""",
    )
def destination_registry():
    """Show registry-based execution evidence on the *destination* host.

    Names the WMI host binaries (`scrcons.exe`, `mofcomp.exe`, `wmiprvse.exe`)
    plus the attacker payload placeholder `evil.exe` as they appear in
    ShimCache and AmCache. The text is passed unchanged to ``print_info``.
    """
    heading = "WMI Destination Registry"
    body = """
- **ShimCache** SYSTEM
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
- **AmCache.hve** First Time Executed
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
"""
    print_info(heading, body)
def source_file_system():
    """Show file-system evidence for `wmic.exe` on the *source* host.

    Only the Prefetch artifact is listed. The literal doubles its backslashes
    so the printed path keeps single `\\` separators.
    """
    print_info(
        "WMI Source File System",
        """
- **Prefetch**:
- `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
""",
    )
def destination_file_system():
    """Show file-system evidence on the *destination* host of WMI activity.

    Covers dropped files, Prefetch entries for the WMI host binaries and the
    WMI repository directory. Backslashes are doubled in the literal so the
    printed paths keep single separators; the text goes to ``print_info``.
    """
    heading = "WMI Destination File System"
    body = """
- **File Creation**:
- `evil.exe`
- `evil.mof` - .mof files can be used to manage the WMI Repository.
- **Prefetch**:
- `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
- **Unauthorized changes to the WMI Repository**:
- `C:\\Windows\\System32\\wbem\\Repository`
"""
    print_info(heading, body)
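def wmi_event_backdoors():
    """Explain WMI permanent event subscriptions (filter + consumer + binding)
    as a persistence mechanism and how to detect them.

    The body is a fixed markdown-style text handed to ``print_info``.
    """
    title = "WMI Event Consumer Backdoors"
    # Raw string on purpose: the MOF sample contains "\root" and
    # "c:\windows\system32", which a normal literal would mangle -- "\r" turns
    # into a carriage return (garbling the namespace line on screen) and
    # "\w" / "\s" are invalid escapes that warn on current Python. With r"""
    # the namespace renders as written, \\.\root\subscription.
    content = r"""
### WMI Event Triggers:
- Event triggers can be used to execute arbitrary code when specific conditions are met.
### WMI Event Filters:
- Define conditions under which events trigger.
- Example: Trigger on process start.
### WMI Event Consumers:
- Define actions for triggered events.
- Example: Execute a script.
### WMI Event Bindings:
- Link filters and consumers.
- Example: Detect process start and execute a script.
### Example Malicious MOF File:
#PRAGMA AUTORECOVER #PRAGMA NAMESPACE("\\.\root\subscription")
instance of __EventFilter as $Filter { Name = "SCM Event Filter"; QueryLanguage = "WQL"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='sens'"; };
instance of CommandLineEventConsumer as $Consumer { Name = "SCM Event Consumer"; ExecutablePath = "c:\windows\system32\cmd.exe"; CommandLineTemplate = "net stop sens && net start sens"; };
instance of __FilterToConsumerBinding { Filter = $Filter; Consumer = $Consumer; };
### Detection and Mitigation:
- Use tools like Sysmon or Autoruns to monitor WMI activity.
- Regular audits of WMI filters and consumers can identify unauthorized entries.
"""
    print_info(title, content)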
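def wmiexec_analysis():
    """Describe the event-log residue produced by an Impacket `wmiexec.py`
    session on the target host and how to spot it.

    The body is a fixed markdown-style text handed to ``print_info``.
    """
    title = "WMIEXEC Analysis"
    # Backslashes inside this literal are doubled so they survive Python's
    # escape processing (e.g. "\\Operational" -> "\Operational"); a bare
    # "\O" is an invalid escape that warns on current Python.
    content = """
`wmiexec.py` Usage:
- **Command**: `wmiexec.py domain/username:password@[hostname | IP] command`
- Executes a semi-interactive shell using WMI.
- Uses UNIX Epoch Time in commands.
- NOT detected and blocked by Windows Defender by default.
### Windows Event Log Residue:
- **Multiple rounds**:
- Event ID `4776` in Security on target (for user specified in command).
- Event ID `4672` in Security on target (for user specified in command).
- Event ID `4624` Type 3 in Security on target (for user specified in command).
- **Always present**:
- Event ID `4688` in Security on target:
- `wmiprvse.exe` → `cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__ssssssssss.sssssss 2>&1`.
- Event ID `4688` in Security on target:
- `cmd.exe` → `conhost.exe 0xffffffff -ForceV1`.
- **If Enabled**:
- Event ID `5857/5858` in Microsoft-Windows-WMI-Activity\\Operational on target.
### Detection Tips:
- Monitor for WMI commands triggering `wmiprvse.exe` and subsequent processes.
- Look for unusual Event ID patterns tied to administrative privileges.
"""
    print_info(title, content)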
def additional_detection_tips():
    """Show general WMI detection guidance: logging, Sysmon event IDs,
    correlation with host changes and threat-intelligence sources.

    The text is passed unchanged to ``print_info``.
    """
    print_info(
        "Additional WMI Detection Tips",
        """
### Advanced Detection:
- Enable and monitor verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
- Use Sysmon Event IDs `20` (WMI Activity) and `21` (WMI Consumer/Filter) for detection.
### Correlation:
- Correlate WMI activity with unusual file system or registry changes.
- Watch for newly created `.mof` files or suspicious DLLs loaded by `wmiprvse.exe`.
### Threat Intelligence:
- Understand common TTPs for WMI abuse from frameworks like MITRE ATT&CK.
- Research WMI use by known APTs or malware families.
""",
    )