m00zh33 · June 29, 2017 01:37 · Jan 11, 2016 · Jan 11, 2016
diff --git a/WMI_attack_detection.ps1 b/WMI_attack_detection.ps1
@@ -138,7 +138,7 @@ $ObjectInstanceEnum = {
     $ClassName = $Event.ClassName
 
     Write-Warning @"
-SIGNATURE: WMI object enumeration detected
+SIGNATURE: Process listing detected
 
 Date/Time: $EventTime
 Class Name: $ClassName
@@ -194,9 +194,9 @@ $ClassCreationArgs = @{
     Namespace = 'root/cimv2'
 }
 
-#Trigger upon class instance enumeration
+#Trigger upon process enumeration
 $ObjectInstanceEnumArgs = @{
-    Class = 'MSFT_WmiProvider_CreateInstanceEnumAsyncEvent_Pre'
+    Query = 'SELECT * FROM MSFT_WmiProvider_CreateInstanceEnumAsyncEvent_Pre WHERE ClassName="Win32_Process"'
     Action = $ObjectInstanceEnum
     SourceIdentifier = 'ObjectEnumeration'
     Namespace = 'root/cimv2'
@@ -212,4 +212,4 @@ Register-WmiEvent @RegistryOperationArgs
 Register-WmiEvent @WMIPersistenceArgs
 Register-WmiEvent @ClassCreationArgs
 Register-WmiEvent @ObjectInstanceEnumArgs
-#endregion
+#endregion
diff --git a/WMI_attack_detection.ps1 b/WMI_attack_detection.ps1
@@ -0,0 +1,215 @@
+#region Scriptblocks that will execute upon alert trigger
+$LateralMovementDetected = {
+    $Event = $EventArgs.NewEvent
+
+    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+
+    $MethodName = $Event.MethodName
+    $Namespace = $Event.Namespace
+    $Object = $Event.ObjectPath
+    $User = $Event.User
+    $CommandLine = $Event.InputParameters.CommandLine
+
+    Write-Warning @"
+SIGNATURE: Lateral movement attempt
+
+Date/Time: $EventTime
+User: $User
+Namespace: $Namespace
+Object: $Object
+Method Executed: $MethodName
+Command Executed: $CommandLine
+"@
+}
+
+$RemoteRegistryOperation = {
+    $Event = $EventArgs.NewEvent
+
+    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+
+    $MethodName = $Event.MethodName
+    $Namespace = $Event.Namespace
+    $Object = $Event.ObjectPath
+    $User = $Event.User
+
+    Write-Warning @"
+SIGNATURE: WMI registry operation attempt
+
+Date/Time: $EventTime
+User: $User
+Namespace: $Namespace
+Object: $Object
+Method Executed: $MethodName
+Keys/values modified/deleted/created/enumerated: TODO...
+"@
+}
+
+$StandardPersistenceOperation = {
+    $Event = $EventArgs.NewEvent
+
+    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+
+    $Name = $Event.TargetInstance.Name
+    $Location = $Event.TargetInstance.Location
+    $Command = $Event.TargetInstance.Command
+
+    Write-Warning @"
+SIGNATURE: Standard persistence
+
+Date/Time: $EventTime
+Persistence Location: $Location
+Name: $Name
+Command: $Command
+"@
+}
+
+$PSHostProcessStarted = {
+    $Event = $EventArgs.NewEvent
+
+    $LoadTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+    $PID = $Event.ProcessID
+
+    # Note: The host process may already have exited by now.
+    # This is a better method for catching any PowerShell host process though.
+    $ProcInfo = Get-WmiObject -Query "SELECT * FROM Win32_Process WHERE ProcessId=$PID" -ErrorAction SilentlyContinue
+
+    $CommandLine = $ProcInfo.CommandLine
+    $ProcessName = $ProcInfo.Name
+
+    Write-Warning @"
+SIGNATURE: Host PowerShell process started
+
+Date/Time: $LoadTime
+Process ID: $PID
+Process Name: $ProcessName
+Command Line: $CommandLine
+"@
+}
+
+$WMIPersistence = {
+    $Event = $EventArgs.NewEvent
+
+    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+
+    $Binding = $Event.TargetInstance
+
+    $Consumer = Get-WmiObject -Namespace root/subscription -Query "ASSOCIATORS OF {$($Binding.Filter)}"
+    $Filter = Get-WmiObject -Namespace root/subscription -Query "ASSOCIATORS OF {$($Binding.Consumer)}"
+
+    $FilterName = $Filter.Name
+    $FilterQuery = $Filter.Query
+
+    $ConsumerName = $Consumer.Name
+    $ConsumerCommand = $Consumer.CommandLineTemplate
+
+    Write-Warning @"
+SIGNATURE: WMI persistence detected
+
+Date/Time: $EventTime
+Filter Name: $FilterName
+Filter Query: $FilterQuery
+Consumer Name: $ConsumerName
+Consumer Command Line: $ConsumerCommand
+"@
+}
+
+$ClassCreated = {
+    $Event = $EventArgs.NewEvent
+
+    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+
+    $ClassName = $Event.TargetClass.__CLASS
+
+    Write-Warning @"
+SIGNATURE: WMI class created
+
+Date/Time: $EventTime
+Class Name: $ClassName
+"@
+}
+
+$ObjectInstanceEnum = {
+    $Event = $EventArgs.NewEvent
+
+    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
+
+    $Global:Foo = $Event
+
+    $ClassName = $Event.ClassName
+
+    Write-Warning @"
+SIGNATURE: WMI object enumeration detected
+
+Date/Time: $EventTime
+Class Name: $ClassName
+"@
+}
+#endregion
+
+
+#region Alert definitions
+# Trigger on executing code via the Win32_Process Create method
+$LateralMovementArgs = @{
+    Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="Win32_Process" AND MethodName="Create"'
+    Action = $LateralMovementDetected
+    SourceIdentifier = 'LateralMovementDetection'
+}
+
+# Trigger on any method invocation on the StdRegProv class
+# Note: the following extrinsic classes are great for detecting registry modification but they only detect changes to the HKLM hive:
+# RegistryKeyChangeEvent, RegistryTreeChangeEvent, RegistryValueChangeEvent
+$RegistryOperationArgs = @{
+    Query = 'SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath="StdRegProv"'
+    Action = $RemoteRegistryOperation
+    SourceIdentifier = 'RegistryOperationDetection'
+}
+
+# Trigger on any additions to the startup folder or run keys
+$StandardPersistenceArgs = @{
+    Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 Where TargetInstance ISA "Win32_StartupCommand"'
+    Action = $StandardPersistenceOperation
+    SourceIdentifier = 'StandardPersistenceOperation'
+}
+
+# Trigger on any process that loads the PowerShell DLL - System.Management.Automation[.ni].dll
+$PSHostProcArgs = @{
+    Query = 'SELECT * FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll%"'
+    Action = $PSHostProcessStarted
+    SourceIdentifier = 'PowerShellHostProcessStarted'
+}
+
+# Trigger upon creation of a permanent WMI event subscription - i.e. WMI persistence
+$WMIPersistenceArgs = @{
+    Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 5 Where TargetInstance ISA "__FilterToConsumerBinding"'
+    Action = $WMIPersistence
+    SourceIdentifier = 'WMIPersistenceDetection'
+    Namespace = 'root/subscription'
+}
+
+# Trigger upon creation of a WMI class - TTP of APT28
+$ClassCreationArgs = @{
+    Query = 'SELECT * FROM __ClassCreationEvent'
+    Action = $ClassCreated
+    SourceIdentifier = 'ClassCreated'
+    Namespace = 'root/cimv2'
+}
+
+#Trigger upon class instance enumeration
+$ObjectInstanceEnumArgs = @{
+    Class = 'MSFT_WmiProvider_CreateInstanceEnumAsyncEvent_Pre'
+    Action = $ObjectInstanceEnum
+    SourceIdentifier = 'ObjectEnumeration'
+    Namespace = 'root/cimv2'
+}
+#endregion
+
+
+#region Alert registration
+Register-WmiEvent @LateralMovementArgs
+Register-WmiEvent @PSHostProcArgs
+Register-WmiEvent @StandardPersistenceArgs
+Register-WmiEvent @RegistryOperationArgs
+Register-WmiEvent @WMIPersistenceArgs
+Register-WmiEvent @ClassCreationArgs
+Register-WmiEvent @ObjectInstanceEnumArgs
+#endregion