WMI Defense

Posted by wyzsk on 2020-08-19
Author: 三好學生 · 2015/09/07 10:20

0x00 Preface

The previous two articles covered WMI Attacks and WMI Backdoor, focusing on the offensive side. This one covers WMI Defense, so that with attack and defense side by side readers get a clearer picture of WMI.


0x01 Overview

This article focuses on using PowerShell to call WMI to monitor the local system and record intrusion activity, and runs concrete tests against a WMI detection tool.

0x02 Test environment

Win8 x86, PowerShell v3 (installed by default on Win8), Winmgmt service enabled so WMI is available

0x03 Monitoring the system

*Note: all of the code below is PowerShell

1. Monitoring process creation

$filterName = 'BotFilter48'
$consumerName = 'BotConsumer48'

# Query for process creation events
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop

# Write each event to a log file
$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\log.log'
    Text = 'New Process Created with name %TargetInstance.Name%'
}

$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg

# Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

As shown in the figures (screenshots not reproduced).

2. Monitoring process termination

$filterName = 'BotFilter49'
$consumerName = 'BotConsumer49'

# Query for process termination events
$Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop

# Write each event to a log file
$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\log.log'
    Text = 'Task kill with name %TargetInstance.Name%'
}

$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg

# Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

As shown in the figure (screenshot not reproduced).

3. Monitoring the registry

(1) Monitoring a single key

$filterName = 'BotFilter51'
$consumerName = 'BotConsumer51'

# Registry events are raised in root\default; backslashes in the WQL string must be doubled
$Query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\default";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop

$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\log.log'
    Text = 'The change is HKEY_LOCAL_MACHINE\%KeyPath%'
}

$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg

# Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

This monitors any change to the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".

As shown in the figure (screenshot not reproduced).

(2) Monitoring a key and its subkeys

This monitors any change to the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft" and any of its subkeys.

$filterName = 'BotFilter52'
$consumerName = 'BotConsumer52'

# RegistryTreeChangeEvent uses RootPath and covers the whole subtree
$Query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SOFTWARE\\Microsoft\\'"

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\default";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop

$Arg = @{
    Name = $consumerName
    Filename = 'C:\test\logtree.log'
    Text = 'The change is HKEY_LOCAL_MACHINE\%RootPath%'
}

$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "root\subscription" -Arguments $Arg

# Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
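The four scripts above repeat the same filter / consumer / binding pattern and leave test subscriptions behind. The helper below is an added example, not code from the original article: it wraps that pattern in one function and pairs it with a removal function so the test subscriptions can be cleaned up afterwards (bindings must go first, since they reference the filter and consumer by path). The function and parameter names are hypothetical; the classes, namespaces and query strings are the ones used in the article.

```powershell
# Added example (not from the original post). Creates or removes a
# LogFileEventConsumer-based WMI subscription in root\subscription.
# Function/parameter names are hypothetical.

function New-WmiLogSubscription {
    param(
        [Parameter(Mandatory)][string]$Name,        # used as both filter and consumer name
        [Parameter(Mandatory)][string]$Query,       # WQL event query
        [Parameter(Mandatory)][string]$Text,        # log template, e.g. %TargetInstance.Name%
        [string]$EventNamespace = 'root\cimv2',     # use root\default for registry events
        [string]$LogFile = 'C:\test\log.log'
    )
    $ns = 'root\subscription'

    # LogFileEventConsumer creates the file but not a missing directory
    $dir = Split-Path -Parent $LogFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    $filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
        Name = $Name; EventNamespace = $EventNamespace; QueryLanguage = 'WQL'; Query = $Query
    } -ErrorAction Stop
    $consumer = Set-WmiInstance -Namespace $ns -Class LogFileEventConsumer -Arguments @{
        Name = $Name; Filename = $LogFile; Text = $Text
    } -ErrorAction Stop
    Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer
    } -ErrorAction Stop | Out-Null
}

function Remove-WmiLogSubscription {
    param([Parameter(Mandatory)][string]$Name)
    $ns = 'root\subscription'
    # The binding's Filter property is a path like __EventFilter.Name="ProcStart";
    # delete the binding first, then the filter and consumer it pointed at.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like ('*Name="' + $Name + '"*') } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class LogFileEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Usage: the process-creation and Run-key monitors from the article, then cleanup.
New-WmiLogSubscription -Name 'ProcStart' `
    -Query "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'" `
    -Text 'New Process Created with name %TargetInstance.Name%'
New-WmiLogSubscription -Name 'RunKey' -EventNamespace 'root\default' `
    -Query "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'" `
    -Text 'The change is HKEY_LOCAL_MACHINE\%KeyPath%'

# When the experiment is over:
Remove-WmiLogSubscription -Name 'ProcStart'
Remove-WmiLogSubscription -Name 'RunKey'
```

Both functions need an elevated PowerShell session, because root\subscription is only writable by administrators; running the removal twice is harmless since each Get-WmiObject simply returns nothing the second time.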

0x04 Testing a detection tool

Tool under test

Sysinternals Autoruns

Detection goal

Whether it can find all WMI event-triggered operations

Test method

On the target host, create event-triggered operations using each of the following consumers, then check with Sysinternals Autoruns.

- ActiveScriptEventConsumer
- CommandLineEventConsumer
- LogFileEventConsumer
- NTEventLogEventConsumer
- ScriptingStandardConsumerSetting
- SMTPEventConsumer

Test result

As shown in the figure (screenshot not reproduced).

Sysinternals Autoruns only detects operations using ActiveScriptEventConsumer and CommandLineEventConsumer; in other words, the process and registry monitoring operations above cannot be identified by it.

Remedy

Query WMI directly to obtain all event-triggered operations:

# List event filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

# List event consumers (all subclasses of __EventConsumer)
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

# List filter-to-consumer bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
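The three queries above list filters, consumers and bindings separately, which leaves the reader to match them up by hand. The following is an added example, not part of the original article: it walks every binding in root\subscription, resolves the filter and consumer it points at, and reports the query plus a one-line summary of the consumer's action, marking the consumer types the article's test found Autoruns does not show. The function name is hypothetical; the consumer property names (CommandLineTemplate, ScriptText, ScriptFileName, Filename, Text, SourceName, EventID, ToLine, Subject) are the standard ones on the respective consumer classes.

```powershell
# Added example (not from the original post): one report that joins
# __FilterToConsumerBinding -> __EventFilter -> consumer instance.
# Function name is hypothetical.
function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'
    foreach ($binding in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter/Consumer hold relative paths such as __EventFilter.Name="BotFilter48";
        # prefix the namespace so the [wmi] accelerator can fetch the instance.
        $filter   = [wmi]("\\.\$ns" + ':' + $binding.Filter)
        $consumer = [wmi]("\\.\$ns" + ':' + $binding.Consumer)
        $type = $consumer.__CLASS

        # Summarise what the consumer does when the filter fires
        $action = switch ($type) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
            'LogFileEventConsumer'      { "append to $($consumer.Filename): $($consumer.Text)" }
            'NTEventLogEventConsumer'   { "event log source $($consumer.SourceName), id $($consumer.EventID)" }
            'SMTPEventConsumer'         { "mail to $($consumer.ToLine): $($consumer.Subject)" }
            default                     { '(unknown consumer class)' }
        }

        [pscustomobject]@{
            Binding         = $binding.__RELPATH
            FilterName      = $filter.Name
            EventNamespace  = $filter.EventNamespace
            Query           = $filter.Query
            ConsumerType    = $type
            Action          = $action
            # Per the test in section 0x04, Autoruns lists only these two consumer types
            ShownByAutoruns = $type -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'
        }
    }
}

# Usage: overview first, then the subscriptions a tool-only check would miss
$report = Get-WmiSubscriptionReport
$report | Format-Table FilterName, ConsumerType, ShownByAutoruns -AutoSize
$report | Where-Object { -not $_.ShownByAutoruns } | Format-List FilterName, Query, Action
```

On a clean Win8 box the report is normally short (the built-in entries such as the SCM event log consumer binding), so anything with ShownByAutoruns false and an unfamiliar query or log path is what deserves a closer look.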

0x05 Supplementary notes on using WMI

All three WMI articles used PowerShell, but the same can of course be done with MOF or VBS. Reference code is given here; code for the other functions can be adapted following the same pattern.

1. Recording registry modifications with a MOF file

(1) Save the following as reg.mof

#pragma namespace ("\\\\.\\root\\subscription")

instance of __EventFilter as $Filter
{
    Name = "RunKeyFilter";
    QueryLanguage = "WQL";
    // RegistryKeyChangeEvent is the class that carries KeyPath
    // (RegistryTreeChangeEvent uses RootPath instead)
    Query = "Select * from RegistryKeyChangeEvent"
            " where (Hive = \"HKEY_LOCAL_MACHINE\" and "
            "KeyPath = \"Software\\\\Microsoft\\\\Windows"
            "\\\\CurrentVersion\\\\Run\")";

    // Registry events only fire
    // in the root\default namespace
    EventNamespace = "root\\default";
};

instance of LogFileEventConsumer as $Consumer
{
    Name = "consumer1";
    // Backslashes must be escaped inside MOF string literals
    Filename = "C:\\test\\log.log";
    Text = "The change is HKEY_LOCAL_MACHINE\\%KeyPath%";
};

// Bind the filter to the consumer
instance of __FilterToConsumerBinding
{
    Filter = $Filter;
    Consumer = $Consumer;
};

(2) Compile the MOF file

From an administrator command prompt, run mofcomp reg.mof

2. Recording registry modifications with a VBS file

strComputer = "."
' Registry events live in the root\default namespace
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
' Temporary subscription: it only exists while this script is running
Set colEvents = objWMIService.ExecNotificationQuery _
    ("SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _
     "KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'")
Do
    ' NextEvent blocks until the Run key changes
    Set objLatestEvent = colEvents.NextEvent
    Wscript.Echo Now & ": The registry has been modified."
Loop

0x06 Summary

These three articles have given a full introduction to WMI Attacks, WMI Backdoor and WMI Defense. With limited time, some details may have been overlooked; everyone is welcome to discuss and learn together, and I will add corrections in the comments as appropriate :)


This article was written by 三好學生 and first published on WooYun Drops; please credit the source when reposting.

This article comes from the WooYun knowledge base; this mirror exists to make study and research easier, and the copyright belongs to the WooYun knowledge base!