The previous two articles covered WMI Attacks and WMI Backdoor and focused on the offensive side, so this one covers WMI Defense; seeing attack and defense together gives a clearer picture of WMI.
This article focuses on using PowerShell to drive WMI to monitor the local system and record intrusion activity, and then puts a WMI detection tool through a concrete test.
Test environment: Windows 8 x86, PowerShell v3 (installed by default on Win8), with the Winmgmt service enabled so that WMI is available.

*Note: the code in the following sections is PowerShell.
```powershell
$filterName = 'BotFilter48'
$consumerName = 'BotConsumer48'
# Query for process creation events (polled every 5 seconds)
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# Consumer that appends a line to a log file for every matching event
$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\log.log'
    Text = 'New Process Created with name %TargetInstance.Name%'
}
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg
# Bind the filter to the consumer so the subscription becomes active
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
```
As shown in the figure.
```powershell
$filterName = 'BotFilter49'
$consumerName = 'BotConsumer49'
# Query for process termination events (polled every 5 seconds)
$Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\log.log'
    Text = 'Task kill with name %TargetInstance.Name%'
}
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
```
As shown in the figure.
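The two subscriptions above repeat the same three Set-WmiInstance calls with different names and queries. The following helper is an added example, not code from the original article: it wraps the filter/consumer/binding creation in one function and adds a matching removal function, since the article never shows how to take a subscription down again. The function names, the 'DemoProcStart' / 'DemoProcStop' subscription names and the C:\test\log.log path are assumptions for this demonstration; an elevated session is required because root\subscription needs administrator rights.

```powershell
# Added example (not from the original article). Helper for creating and
# removing LogFileEventConsumer-based WMI subscriptions; names are assumptions.
function New-WmiLogSubscription {
    param(
        [Parameter(Mandatory)][string]$Name,       # used for both the filter and the consumer
        [Parameter(Mandatory)][string]$Query,      # WQL event query
        [Parameter(Mandatory)][string]$LogText,    # LogFileEventConsumer text template
        [string]$EventNamespace = 'root\cimv2',    # registry events would need root\default
        [string]$LogFile = 'C:\test\log.log'
    )

    # LogFileEventConsumer does not create the directory; make sure it exists.
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -ErrorAction Stop -Arguments @{
        Name           = $Name
        EventNamespace = $EventNamespace
        QueryLanguage  = 'WQL'
        Query          = $Query
    }
    $consumer = Set-WmiInstance -Namespace root\subscription -Class LogFileEventConsumer -ErrorAction Stop -Arguments @{
        Name     = $Name
        Filename = $LogFile
        Text     = $LogText
    }
    # The binding is what activates the subscription.
    Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -ErrorAction Stop -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
}

function Remove-WmiLogSubscription {
    param([Parameter(Mandatory)][string]$Name)
    # Remove the binding first, then the filter and consumer it referenced.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$Name`"*" } |
        Remove-WmiObject
    Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace root\subscription -Class LogFileEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Usage: the article's two process subscriptions, one call each.
New-WmiLogSubscription -Name 'DemoProcStart' `
    -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'" `
    -LogText 'New Process Created with name %TargetInstance.Name%'

New-WmiLogSubscription -Name 'DemoProcStop' `
    -Query "SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'" `
    -LogText 'Task kill with name %TargetInstance.Name%'

# Clean up once the test is finished so the subscriptions do not persist:
# Remove-WmiLogSubscription -Name 'DemoProcStart'
# Remove-WmiLogSubscription -Name 'DemoProcStop'
```

Permanent subscriptions survive reboots and PowerShell sessions, so anything created while testing should be removed afterwards with the second function; otherwise the log keeps growing and the leftover binding shows up in later audits.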
(1) Monitoring a single key

```powershell
$filterName = 'BotFilter51'
$consumerName = 'BotConsumer51'
# Registry change events live in root\default; WQL needs the backslashes doubled
$Query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\default";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\log.log'
    Text = 'The change is HKEY_LOCAL_MACHINE\\%KeyPath%'
}
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
```

This monitors any change to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" key.
As shown in the figure.
(2) Monitoring a key and its subkeys

This monitors any change to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" key and all of its subkeys.

```powershell
$filterName = 'BotFilter52'
$consumerName = 'BotConsumer52'
# RegistryTreeChangeEvent takes RootPath and covers the whole subtree
$Query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SOFTWARE\\Microsoft\\'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\default";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\logtree.log'
    Text = 'The change is HKEY_LOCAL_MACHINE\\%RootPath%'
}
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
```
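Before making a registry subscription permanent it is useful to try the WQL as a temporary subscription that only lives in the current PowerShell session. The block below is an added example, not code from the original article: it registers the article's two registry queries plus a third, RegistryValueChangeEvent, which watches a single named value rather than a key or a subtree, triggers a test change, and shows what each subscription logged. The 'Demo*' source identifiers, the C:\test\regtest.log path and the 'DemoValue' value name are assumptions for this demonstration; writing under HKLM requires an elevated session.

```powershell
# Added example (not from the original article). Temporary registry-event
# subscriptions via Register-WmiEvent; identifiers and paths are assumptions.
$hive   = 'HKEY_LOCAL_MACHINE'
$runKey = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'   # WQL needs doubled backslashes

$subscriptions = @{
    # Any change directly under the Run key (the article's case 1)
    'DemoRunKey'   = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='$hive' AND KeyPath='$runKey'"
    # Any change anywhere below SOFTWARE\Microsoft (the article's case 2)
    'DemoTree'     = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='$hive' AND RootPath='SOFTWARE\\Microsoft\\'"
    # A single named value: fires when 'DemoValue' under the Run key is created, changed or deleted
    'DemoRunValue' = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='$hive' AND KeyPath='$runKey' AND ValueName='DemoValue'"
}

foreach ($id in $subscriptions.Keys) {
    # All three registry event classes live in root\default, not root\cimv2.
    Register-WmiEvent -Namespace 'root\default' -Query $subscriptions[$id] -SourceIdentifier $id -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # Key/Value change events carry KeyPath; tree change events carry RootPath.
        $path = if ($e.KeyPath) { $e.KeyPath } else { $e.RootPath }
        $msg = '{0} {1} {2}\{3} {4}' -f (Get-Date -Format s), $Event.SourceIdentifier, $e.Hive, $path, $e.ValueName
        Add-Content -Path 'C:\test\regtest.log' -Value $msg
    } | Out-Null
}

# Generate a test event: create and then delete a value under the Run key.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DemoValue' -Value 'C:\test\demo.exe'
Start-Sleep -Seconds 2
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'DemoValue'
Start-Sleep -Seconds 2
Get-Content 'C:\test\regtest.log'

# Temporary subscriptions disappear with the session; unregister them explicitly anyway.
foreach ($id in $subscriptions.Keys) { Unregister-Event -SourceIdentifier $id }
```

Each test change should produce one line from all three subscriptions, which confirms the hive, path and namespace are right before the same query is handed to a permanent __EventFilter. The tree subscription is the noisiest, since it fires for every change under SOFTWARE\Microsoft, so the log path should be chosen with that volume in mind.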
Test tool:
Sysinternals Autoruns

Detection goal:
Whether it can find every operation that WMI has been set up to run.

Test method:
On the target host, create scheduled operations using each of the following consumers, then scan with Sysinternals Autoruns.

- ActiveScriptEventConsumer
- CommandLineEventConsumer
- LogFileEventConsumer
- NTEventLogEventConsumer
- ScriptingStandardConsumerSetting
- SMTPEventConsumer

Test result:
As shown in the figure.
Sysinternals Autoruns only detects the operations that use ActiveScriptEventConsumer and CommandLineEventConsumer; in other words, the process and registry monitoring subscriptions set up above are not recognised.
Mitigation:
Query WMI directly, which returns every scheduled operation regardless of consumer type.

```powershell
# List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
# List Event Consumers (all consumer classes derive from __EventConsumer)
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
# List Event Bindings (a filter only does something once it is bound to a consumer)
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
```
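The three listings above have to be matched up by hand to see which query triggers which action. The following is an added example, not code from the original article: it walks every __FilterToConsumerBinding, resolves the filter and consumer each binding points at, and emits one audit row per binding with the consumer's class and whatever it executes, writes or sends. Rows whose consumer class Autoruns did not show in the test above are flagged so they can be reviewed first. The function names and the output layout are assumptions.

```powershell
# Added example (not from the original article). Audit of all active WMI
# subscriptions in root\subscription; function names are assumptions.
function Resolve-WmiReference {
    param([string]$Ref, [string]$Namespace = 'root\subscription')
    # Binding references are either relative ('__EventFilter.Name="x"', typical for
    # MOF-compiled subscriptions) or absolute ('\\.\root\subscription:__EventFilter.Name="x"');
    # the [wmi] accelerator needs the absolute form.
    if ($Ref -notmatch '^\\\\') { $Ref = "\\.\${Namespace}:$Ref" }
    return [wmi]$Ref
}

function Get-WmiSubscriptionAudit {
    # The two consumer classes Autoruns showed in the test above.
    $autorunsVisible = 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

    foreach ($binding in Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding) {
        $filter   = Resolve-WmiReference $binding.Filter
        $consumer = Resolve-WmiReference $binding.Consumer
        $type     = $consumer.__CLASS

        # What the consumer does when the filter fires depends on its class.
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
            'LogFileEventConsumer'      { "$($consumer.Filename) <- $($consumer.Text)" }
            'NTEventLogEventConsumer'   { "EventID $($consumer.EventID): $($consumer.InsertionStringTemplates -join ' ')" }
            'SMTPEventConsumer'         { "mail to $($consumer.ToLine): $($consumer.Subject)" }
            default                     { '(unrecognised consumer class)' }
        }

        [pscustomobject]@{
            Filter         = $filter.Name
            EventNamespace = $filter.EventNamespace
            Query          = $filter.Query
            ConsumerType   = $type
            Consumer       = $consumer.Name
            Payload        = $payload
            AutorunsShows  = ($autorunsVisible -contains $type)
        }
    }
}

# Bindings Autoruns would have missed sort first ($false before $true).
Get-WmiSubscriptionAudit | Sort-Object AutorunsShows, Filter | Format-List
```

Run from an elevated session, the audit lists the subscriptions created earlier in this article (BotFilter48 through BotFilter52 with their LogFileEventConsumer payloads) alongside the built-in SCM Event Log binding that ships with Windows, and anything else that has been bound on the host. Unbound filters or consumers are not listed by this function, since only a binding makes them active; the three plain listings above still cover those.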
All three of these WMI articles were implemented in PowerShell, but the same thing can be done with MOF and VBS. Some reference code follows; the other functions can be implemented by adapting it in the same pattern.
(1) Save the following as reg.mof

```mof
#pragma namespace ("\\\\.\\root\\subscription")

instance of __EventFilter as $Filter
{
    Name = "RunKeyFilter";
    QueryLanguage = "WQL";
    // KeyPath is a property of RegistryKeyChangeEvent (RegistryTreeChangeEvent uses RootPath)
    Query = "Select * from RegistryKeyChangeEvent"
            " where (Hive = \"HKEY_LOCAL_MACHINE\" and "
            "KeyPath = \"Software\\\\Microsoft\\\\Windows"
            "\\\\CurrentVersion\\\\Run\")";
    // Registry change events only fire
    // in the root\default namespace
    EventNamespace = "root\\default";
};

instance of LogFileEventConsumer as $Consumer
{
    Name = "consumer1";
    // MOF strings use C-style escapes, so backslashes in paths must be doubled
    Filename = "C:\\test\\log.log";
    Text = "The change is HKEY_LOCAL_MACHINE\\%KeyPath%";
};

// Bind the filter to the consumer
instance of __FilterToConsumerBinding
{
    Filter = $Filter;
    Consumer = $Consumer;
};
```
(2) Compile the MOF file

From an elevated command prompt, run `mofcomp reg.mof`.

The VBScript version below uses ExecNotificationQuery, a temporary subscription that only receives events while the script is running:

```vbscript
strComputer = "."
' Registry change events live in root\default, not root\cimv2
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
' Temporary subscription: events are only delivered while this script runs
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
     "KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'")
Do
    ' NextEvent blocks until the next matching registry change arrives
    Set objLatestEvent = colEvents.NextEvent
    Wscript.Echo Now & ": The registry has been modified."
Loop
```
These three articles have given a full introduction to WMI Attacks, WMI Backdoor and WMI Defense. Time was limited, so some details will inevitably have been overlooked; discussion is welcome so we can learn together, and I will add corrections and additions in the comments :)

This article was written by 三好學生 and first published on WooYun Drops; please credit the source when reposting.