WMI for Blue

Detecting Persistence:

To detect persistence, the filter, consumer and binding instances in the root\subscription namespace can be analyzed manually, or a "detection" permanent event consumer can be created that alerts when something we care about changes.

PS C:\Windows\system32> Get-WmiObject __eventfilter -Namespace root\subscription

PS C:\Windows\system32> Get-WmiObject activescripteventconsumer -Namespace root\subscription

PS C:\Windows\system32> Get-WmiObject commandlineeventconsumer -Namespace root\subscription

PS C:\Windows\system32> Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription
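The four queries above show the raw instances one class at a time. The script below, an added example that is not part of the original post, joins them: for every binding in root\subscription it resolves the referenced filter to its WQL query and the referenced consumer to its payload (command line or script), so one table answers "what does this subscription trigger on and what does it run". The $KnownGood list is an assumption: the SCM Event Log filter/consumer pair ships with Windows; anything else you sanction has to be added for your environment.

```powershell
# Added example (not from the post): audit permanent WMI subscriptions in root\subscription.
$ns = 'root\subscription'
# Assumption: names that are expected on a baseline build. Extend per environment.
$KnownGood = @('SCM Event Log Filter', 'SCM Event Log Consumer')

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # base class: returns every consumer type
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

function Get-RefName {
    # Get-WmiObject returns REF properties as strings such as: __EventFilter.Name="MyFilter"
    param([string]$Ref)
    if ($Ref -match '^\w+\.Name="(?<name>.*)"$') { return $Matches['name'] }
    return $Ref
}

$report = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName }

    # The payload lives in a different property depending on the consumer class
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { '(inspect instance)' }
    }

    # Flag anything whose filter or consumer name is not on the baseline list
    $flag = if (($fName -in $KnownGood) -and ($cName -in $KnownGood)) { '' } else { 'REVIEW' }

    [pscustomobject]@{
        Flag         = $flag
        Filter       = $fName
        Query        = $f.Query
        ConsumerType = $c.__CLASS
        Consumer     = $cName
        Payload      = $payload
    }
}

$report | Format-List
```

A binding whose filter or consumer cannot be resolved (dangling reference) still shows up with empty Query or ConsumerType fields, which is itself worth a look, since an attacker cleaning up partially can leave exactly that behind.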

Using WMI permanent event consumers to alert on a change, here a modification of the machine-wide DCOM launch permissions:

PS C:\Windows\system32> $Query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='Software\\Microsoft\\ole' AND ValueName='MachineLaunchRestriction'"

PS C:\Windows\system32> Register-WmiEvent -Query $Query -Action { Write-Host "modification of DCOM permissions" }

Now, in a second PowerShell session, run the command below (Set-RemoteWMI from Nishang), which modifies the DCOM security descriptor we are watching:

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> . .\Set-RemoteWMI.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\nishang-master\nishang-master\Backdoors> Set-RemoteWMI -UserName administrator -Verbose

Now switch back to the first PowerShell session: the registered action has fired and printed the "modification of DCOM permissions" message.
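Register-WmiEvent, as used above, creates a temporary subscription that lives only as long as that PowerShell session. The block below, an added example that is not part of the original post, builds the permanent form the section heading refers to: the same WQL query as a __EventFilter, a LogFileEventConsumer that appends a line per event, and the __FilterToConsumerBinding that ties them together, all in root\subscription so they survive reboots and need no PowerShell process. The instance names and the log path are assumptions; pick a path only administrators can write, because the WMI service runs as SYSTEM.

```powershell
# Added example (not from the post): a permanent version of the DCOM-permission watch.
$ns      = 'root\subscription'
$logPath = 'C:\ProgramData\dcom-watch.log'   # assumption: any path writable by the WMI service

# 1. Filter: same WQL as the post. The registry provider publishes to root\cimv2 on
#    current Windows builds, so that is the EventNamespace the filter listens in.
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'DCOM-MachineLaunchRestriction-Watch'   # assumption: pick your own name
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='Software\\Microsoft\\ole' AND ValueName='MachineLaunchRestriction'"
}

# 2. Consumer: %Hive%, %KeyPath% and %ValueName% are substituted from the event instance.
$consumer = Set-WmiInstance -Namespace $ns -Class LogFileEventConsumer -Arguments @{
    Name     = 'DCOM-MachineLaunchRestriction-Log'
    Filename = $logPath
    Text     = 'modification of DCOM permissions: %Hive%\%KeyPath%\%ValueName%'
}

# 3. Binding: from here on the WMI service, not a PowerShell session, does the watching.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
} | Out-Null

# Confirm with the same hunting query the post uses; each hit shows the filter/consumer pair.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like '*DCOM-MachineLaunchRestriction*' }

# Cleanup (run when the watch is no longer wanted): delete the binding first, then the
# filter and consumer, each with Remove-WmiObject on the instance returned above.
```

Two things to keep in mind. Because this is a permanent consumer it will itself produce event 5861 in the WMI-Activity/Operational log when created, so add the names to whatever baseline your hunting uses. And the LogFileEventConsumer text is only as trustworthy as the log file's ACL: an attacker who can write the file can also erase the record.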

Detecting storage and communication channel:

WMI logs:

Service logs ->

Windows 10 and Server 2016 raise event 5861 in the Microsoft-Windows-WMI-Activity/Operational log when a permanent event consumer is created.

Trace logs->

Huge volume but very useful.

In Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> WMI-Activity -> Trace, the events appear in the right-hand pane once the log is enabled: right-click Trace -> Enable Log -> OK. The Trace log is an analytic log, so it is hidden until View -> "Show Analytic and Debug Logs" is ticked.

Now back to Powershell ->

PS C:\Windows\system32> Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList calc.exe -ComputerName <TargetComputer>

Looking at the Trace log in Event Viewer on the target, the WMI activity is now recorded, and calc.exe has indeed started on the target machine. Disable the Trace log again afterwards, since at this volume it will not stay useful for long.
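The two log sources above (Operational event 5861 and the analytic Trace log) can be read from PowerShell rather than clicked through in Event Viewer. The block below is an added example, not part of the original post. The first half pulls consumer-registration events from the Operational log: 5861 for permanent consumers as stated above, and 5860, which Windows raises when a temporary consumer such as the Register-WmiEvent watch earlier on this page is registered. The second half enables the Trace log with wevtutil (the command-line equivalent of Enable Log), reads it with -Oldest as analytic logs require, filters for Win32_Process activity such as the remote Create call above, and disables it again. The regular expressions and the 'Win32_Process' match are assumptions about the event message text; check one raw event if they return nothing.

```powershell
# Added example (not from the post): read WMI-Activity Operational and Trace logs from PowerShell.

# --- Operational log: new consumer registrations -----------------------------------
$opLog = 'Microsoft-Windows-WMI-Activity/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $opLog; Id = 5860, 5861 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [string]$_.Message
        # Assumption about message layout: "Eventfilter = <name> ...; Consumer = <class>="<name>";"
        $filter   = if ($m -match 'Eventfilter = (?<v>[^;(]+)')      { $Matches['v'].Trim() } else { '' }
        $consumer = if ($m -match 'Consumer = (?<v>[^;]+)')          { $Matches['v'].Trim() } else { '' }
        $query    = if ($m -match 'NotificationQuery = (?<v>[^;]+)') { $Matches['v'].Trim() } else { '' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id            # 5860 = temporary consumer, 5861 = permanent consumer
            Filter   = $filter
            Consumer = $consumer
            Query    = $query
        }
    } | Format-List

# --- Trace log: high volume, so enable, reproduce the activity, filter, disable --------
$traceLog = 'Microsoft-Windows-WMI-Activity/Trace'
wevtutil.exe sl $traceLog /e:true          # same effect as Event Viewer -> Enable Log

# ... reproduce the activity under test here (for instance the Invoke-WmiMethod call above) ...

Get-WinEvent -LogName $traceLog -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Win32_Process' } |     # assumption: class name appears in message
    Select-Object TimeCreated, Id,
        @{ n = 'Operation'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
    Format-List

wevtutil.exe sl $traceLog /e:false         # turn the firehose off again
```

Both halves need to run in an elevated session, since the Operational log is admin-readable only and changing a log's enabled state requires administrative rights. If the trace query comes back empty, it is usually because the log was read before any activity occurred, not because the filter is wrong.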

@Saksham Dixit
