matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c48c705ef2c80f6463e8543a6ff0214d3f1f6b85
Hunt-AI/Modules/Persistence/wmi.py

121 lines
3.5 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

def get_content():
"""
Returns structured content for the WMI persistence method.
"""
return [
{
"title": "WMI Source Event Logs",
"content": """
### Source Event Logs
`security.evtx`:
- `4648` Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "WMI Destination Event Logs",
"content": """
### Destination Event Logs
`security.evtx`:
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
`Microsoft-Windows-WMI-Activity/Operational.evtx`:
- `5857`
- Indicates time of wmiprvse execution and path to provider DLL attackers sometimes install malicious WMI provider DLLs.
- `5860`, `5861`
- Registration of Temporary (5860) and Permanent (5861) Event Consumers.
- Typically used for persistence, but can also be used for remote execution.
"""
},
{
"title": "WMI Source Registry",
"content": """
### Source Registry
- **ShimCache** SYSTEM
- `wmic.exe`
- **BAM_DAM** SYSTEM Last Time Executed
- `wmic.exe`
- **AmCache.hve** First Time Executed
- `wmic.exe`
"""
},
{
"title": "WMI Destination Registry",
"content": """
### Destination Registry
- **ShimCache** SYSTEM
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
- **AmCache.hve** First Time Executed
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
"""
},
{
"title": "WMI Source File System",
"content": """
### Source File System
- **Prefetch**:
- `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
"""
},
{
"title": "WMI Destination File System",
"content": """
### Destination File System
- **File Creation**:
- `evil.exe`
- `evil.mof` - .mof files can be used to manage the WMI Repository.
- **Prefetch**:
- `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
- **Unauthorized changes to the WMI Repository**:
- `C:\\Windows\\System32\\wbem\\Repository`
"""
},
{
"title": "WMI Event Consumer Backdoors",
"content": """
### WMI Event Consumer Backdoors
- **Event Filters**: Define conditions under which events trigger (e.g., process starts).
- **Event Consumers**: Define actions for triggered events (e.g., execute a script).
- **Event Bindings**: Link filters and consumers.
"""
},
{
"title": "WMIEXEC Analysis",
"content": """
### WMIEXEC Analysis
- **Command Example**: `wmiexec.py domain/username:password@[hostname | IP] command`
- **Logs**:
- Event ID `4648`, `4624`, `4672`, `5857`, `5861` indicate WMI activity.
- **Detection**:
- Monitor commands triggering `wmiprvse.exe` and subsequent processes.
"""
},
{
"title": "Additional WMI Detection Tips",
"content": """
### Additional Detection Tips
- Enable verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
- Correlate WMI activity with file system or registry changes.
- Research WMI use by known APTs or malware families.
"""
}
]
Reference in New Issue View Git Blame Copy Permalink