|
阅读:4111回复:0
WMI Defense
◆0 前言
前两篇分别介绍了WMI Attacks & WMI Backdoor,侧重于攻击,所以这篇介绍一下WMI Defense,攻防结合,便于大家更清楚认识WMI. 图片:2015090702205111169.png  ◆1 简介 本篇侧重于介绍如何通过Powershell调用WMI监视自身系统、记录入侵行为,并对WMI的检测工具做具体测试。 ◆2 测试环境 Win8 x86 powershell v3(win8默认安装) 开启Winmgmt服务,支持WMI ◆3 监视系统 *注: 以下均为Powershell代码 1、监视进程创建 $filterName = 'BotFilter48' $consumerName = 'BotConsumer48' #查询进程创建事件 $Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'" $WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop #写入日志文件 $Arg =@{ Name=$consumerName Filename = 'C:testlog.log' Text = 'New Process Created with name %TargetInstance.Name%' } $WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "rootsubscription" -Arguments $Arg Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}如图 图片:2015090702205111169.png 图片:2015090702205111169.png 2、监视进程结束 $filterName = 'BotFilter49'
$consumerName = 'BotConsumer49'
# 查询进程结束事件
$Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootcimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$Arg =@{ Name=$consumerName Filename = 'C:testlog.log' Text = 'Task kill with name %TargetInstance.Name%' }
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "rootsubscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}如图 图片:2015090702205111169.png 3、监视注册表 (1)监视单一键值 $filterName = 'BotFilter51'
$consumerName = 'BotConsumer51'
$Query ="SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND KeyPath='SOFTWAREMicrosoftWindowsCurrentVersionRun'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "rootsubscription" -Arguments @{Name=$filterName;EventNameSpace="rootdefault";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$Arg =@{ Name=$consumerName Filename = 'C:testlog.log' Text ='The change is HKEY_LOCAL_MACHINE%KeyPath%' }
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "rootsubscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}监视 “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun” 键值的任何改动 如图 图片:2015090702205111169.png (2)监视某一键值及其子键 监视 “HKEY_LOCAL_MACHINESOFTWAREMicrosoft” 键值及其子键的任何改动 $filterName = 'BotFilter52'
$consumerName = 'BotConsumer52'
$Query ="SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SOFTWAREMicrosoft'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "rootsubscription" -Arguments @{Name=
$filterName;EventNameSpace="rootdefault";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$Arg =@{ Name=$consumerName Filename = 'C:testlogtree.log' Text ='The change is HKEY_LOCAL_MACHINE%RootPath%' }
$WMIEventConsumer = Set-WmiInstance -Class LogFileEventConsumer -Namespace "rootsubscription" -Arguments $Arg
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "rootsubscription" -Arguments @{Filter=
$WMIEventFilter;Consumer=$WMIEventConsumer}◆4 检测工具测试 测试工具: Sysinternals Autoruns 检测目标: 能否查出所有WMI定时运行的操作 测试方法: 在目标主机运行包含以下Consumer的定时运行操作,使用Sysinternals Autoruns进行检测。 -ActiveScriptEventConsumer -CommandLineEventConsumer -LogFileEventConsumer -NTEventLogEventConsumer -ScriptingStandardConsumerSetting -SMTPEventConsumer 测试结果: 如图 图片:2015090702205111169.png Sysinternals Autoruns只能检测到ActiveScriptEventConsumer和CommandLineEventConsumer的操作,可以理解为上述对进程和注册表监视的操作无法识别 解决措施: 直接查询WMI调用,即可获得所有定时执行的操作 #List Event Filters Get-WMIObject -Namespace rootSubscription -Class __EventFilter #List Event Consumers Get-WMIObject -Namespace rootSubscription -Class __EventConsumer #List Event Bindings Get-WMIObject -Namespace rootSubscription -Class __FilterToConsumerBinding ◆5 WMI使用补充 以上三篇关于WMI的文章均采用Powershell实现,当然用mof和vbs也能够实现,这里给出一些参考代码,其他功能代码按照格式修改即可 1、mof文件记录注册表修改的操作 (1)以下文件保存为reg.mof文件 #pragma namespace (".rootsubscription") instance of __EventFilter as $Filter { Name = "RunKeyFilter"; QueryLanguage = "WQL"; Query = "Select * from RegistryTreeChangeEvent" " where (Hive = "HKEY_LOCAL_MACHINE" and " "KeyPath = "SoftwareMicrosoftWindows" "CurrentVersionRun")"; // RegistryTreeChangeEvents only fire // in rootdefault namespace EventNamespace = "rootdefault"; }; instance of LogFileEventConsumer as $Consumer { Name= "consumer1"; Filename = "C:testlog.log"; Text ="The change is HKEY_LOCAL_MACHINE%KeyPath%"; }; // Bind the filter to the consumer instance of __FilterToConsumerBinding { Filter = $Filter; Consumer = $Consumer; };(2)编译mof文件 命令行下管理员权限执行mofcomp reg.mof 2、vbs文件记录注册表修改的操作 strComputer = "."
Set objWMIService = GetObject("winmgmts:" & strComputer & "rootdefault")
Set colEvents = objWMIService.ExecNotificationQuery _ ("SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND " & _ "KeyPath='SOFTWAREMicrosoftWindowsCurrentVersionRun'")
Do Set objLatestEvent = colEvents.NextEvent Wscript.Echo Now & ": The registry has been modified."
Loop◆6 小结 以上三篇对WMI Attacks、WMI Backdoor、WMI Defense做了全面介绍,时间有限细节之处难免会有疏忽,欢迎大家共同交流,共同学习,我会在留言作适当补充更正:) 本文由三好学生原创并首发于乌云drops,转载请注明 |
|
