Shulou(Shulou.com)06/02 Report--

How to detect and remove the WMI persistence backdoor, I believe that many inexperienced people do not know what to do, so this article summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Preface

Windows Management Instrumentation (WMI) event subscription is a technique often used by attackers to establish persistence on endpoints. So I decided to spend some time studying Empire's WMI module to see if it was possible to detect and remove these WMI persistence backdoors. In addition, I reviewed some PowerShell commands for viewing and removing WMI event subscriptions. These commands are very useful in actual testing.

WMI introduction

WMI is an implementation of Microsoft's Web-based Enterprise Management (WBEM), an industry initiative designed to develop standard technologies for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components.

The event filter (event filter) is a WMI class that describes the events that WMI passes to the event consumer. In addition, the event filter describes the conditions under which WMI delivers events.

Configure Sysmon logging

We can configure Sysmon to log WmiEventFilter,WmiEventConsumer and WmiEventConsumerToFilter activity and enable WMI abuse detection.

Roberto Rodriguez's (@ Cyb3rWard0g) Sysmon configuration file will capture the above event ID.

Execute the following command to install Sysmon and apply the configuration file.

Sysmon.exe-I-c.\ config_file.xml build persistence backdoor

Next, we use Empire's Invoke-WMI module to create a permanent WMI subscription on the victim endpoint.

Detection

Looking at the Sysmon log, we can see the Empire module:

Registered a WMI event filter

Registered a WMI event consumer

Bind the event consumer to the event filter.

The WMI event filter sets the appropriate execution conditions for stager, including references to system uptime.

The WMI event consumer contains Empire stager in the form of Base64 encoding and registers with the name Updater, which is not easy to arouse suspicion.

WMI event consumer CommandLineEventConsumer.Name=\ "Updater\", bound to the event filter _ _ EventFilter.Name=\ "Updater\"

The event consumer is now bound to the event filter. If the event filter condition is true, the corresponding event consumer (stager) will be triggered.

Back door removal

The easiest way is to delete entries from the WMI database using Autoruns. Start Autoruns as an administrator and select the WMI tab to view the persistent backdoors related to WMI.

Right-click the malicious WMI database entry and select "Delete" to delete it.

Alternatively, you can delete WMI event subscriptions from the command line.

In PowerShell, we use the Get-WMIObject command to view the WMI event filters, event consumers, and consumer filters bound to the event filter. Here I would like to thank Boe Prox (@ proxb) for explaining these commands in detail on his blog.

# Reviewing WMI Subscriptions using Get-WMIObject# Event FilterGet-WMIObject-Namespace root\ Subscription-Class _ _ EventFilter-Filter "Name='Updater'" # Event ConsumerGet-WMIObject-Namespace root\ Subscription-Class CommandLineEventConsumer-Filter "Name='Updater'" # BindingGet-WMIObject-Namespace root\ Subscription-Class _ _ FilterToConsumerBinding-Filter "_ Path LIKE'% Updater%'"

Use the Remove-WMIObject command to remove all components of the WMI persistence backdoor.

# Removing WMI Subscriptions using Remove-WMIObject# Event FilterGet-WMIObject-Namespace root\ Subscription-Class _ _ EventFilter-Filter "Name='Updater'" | Remove-WmiObject-Verbose# Event ConsumerGet-WMIObject-Namespace root\ Subscription-Class CommandLineEventConsumer-Filter "Name='Updater'" | Remove-WmiObject-Verbose# BindingGet-WMIObject-Namespace root\ Subscription-Class _ _ FilterToConsumerBinding-Filter "_ Path LIKE'% Updater%'" | Remove-WmiObject-Verbose

When we are done, we run Autoruns again to verify that we have successfully cleared the persistence backdoor.

After reading the above, have you learned how to detect and remove the WMI persistence backdoor? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.