Security situation briefing for the first week of March 2020

1. WMI persistence technical overview
WMI (Windows Management Instrumentation) event subscription is a common persistence technique. It requires administrator privileges, but it has the advantage of being fileless: nothing has to be written to disk. In short, a WMI event subscription binds a specific action (for example, obtaining a shell) to a Windows event. To achieve this we need to do two things: create an __EventFilter, whose query selects the specific event that acts as the trigger, and create an event consumer, whose class defines the action to run when the trigger fires. (A third object, the __FilterToConsumerBinding, links the two; nothing fires until it exists.) The event filter defines the triggering condition, which is written in an SQL-like query language called WQL.
A very simple WQL event query might look like this:
SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process'

This event is triggered every time a Win32 process is created. For testing purposes, you can use the Register-WmiEvent cmdlet to install a trigger so that starting any new process causes a PowerShell script block to run.
More usefully, you can create an event that fires only when a particular process is created, such as outlook.exe.
You can install this trigger with C# code similar to the following:

As part of a malicious event, we need a second
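The two kinds of subscription described above, as an added PowerShell example that is not code from the original post (whose version is in C#): the temporary Register-WmiEvent trigger used for testing, and the permanent root\subscription filter, consumer and binding. The object names DemoOutlookFilter and DemoOutlookConsumer, the marker-file command line, and the 5-second polling interval are assumptions for illustration; the permanent part must be run from an elevated session, and the WITHIN clause is required because __InstanceCreationEvent on Win32_Process is a polled intrinsic event.

```powershell
# Added example, not from the original post. Builds the outlook.exe-scoped
# trigger described in the text, first as a temporary in-session subscription
# for testing, then as a permanent subscription in root\subscription.
# Assumptions: object names, marker-file payload, 5-second polling interval.

# WQL filter: any new Win32_Process whose name is outlook.exe.
# WITHIN 5 asks WMI to poll for new instances every 5 seconds.
$query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 5
WHERE TargetInstance ISA 'Win32_Process'
  AND TargetInstance.Name = 'outlook.exe'
"@

# --- Temporary trigger (for testing) ---------------------------------------
# Lives only as long as this PowerShell session; Register-WmiEvent is a
# Windows PowerShell 5.1 cmdlet (on PowerShell 7 use Register-CimIndicationEvent).
Register-WmiEvent -Query $query -SourceIdentifier 'DemoOutlookWatch' -Action {
    $proc = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host "outlook.exe started, PID $($proc.ProcessId)"
}
# Remove it again when finished testing:
Unregister-Event -SourceIdentifier 'DemoOutlookWatch'

# --- Permanent subscription (survives reboots, needs administrator) ---------
$ns = 'root\subscription'

# 1. Event filter: the trigger condition.
$filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
    Name           = 'DemoOutlookFilter'   # assumed name
    EventNamespace = 'root\cimv2'          # namespace the query runs against
    QueryLanguage  = 'WQL'
    Query          = $query
}

# 2. Event consumer: the action. CommandLineEventConsumer runs a command line
#    under the WMI provider host as SYSTEM; here it only drops a marker file.
$consumer = New-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
    Name                = 'DemoOutlookConsumer'  # assumed name
    CommandLineTemplate = 'cmd.exe /c echo triggered > C:\Windows\Temp\wmi_demo.txt'
}

# 3. Binding: nothing fires until filter and consumer are linked.
$binding = New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
    Filter   = [ref]$filter
    Consumer = [ref]$consumer
}

# --- Defender view: enumerate every permanent subscription on the host ------
Get-CimInstance -Namespace $ns -ClassName __EventFilter
Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all derived consumer types
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# --- Clean-up: remove the binding first, then filter and consumer -----------
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Where-Object { $_.Filter.Name -eq 'DemoOutlookFilter' } |
    Remove-CimInstance
$filter   | Remove-CimInstance
$consumer | Remove-CimInstance
```

The enumeration block at the end is what a responder runs when hunting for this technique: legitimate hosts normally have very few entries in root\subscription, so any CommandLineEventConsumer or ActiveScriptEventConsumer there deserves a look.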


Source: blog.csdn.net/skystephens/article/details/104784384