Today I'll cover another persistence mechanism that Kansa collects, which is not currently collected by Autoruns; namely WMI Event Consumers. That link tells us "Event consumers are applications or scripts that request notification of events, and then perform tasks when specific events occur."
[Update: 2014-05-13] Mark Russinovich released a new version of Autoruns today that reports WMI information. I have not tested it yet. It will be interesting to see if it only reports data form Event Consumers and not the Event Filter, which tells what the trigger is.
For an event consumer to work, three elements are required:
- An Event Consumer -- this is the piece that performs some action
- An Event Filter -- an event query watching for defined activity -- this triggers the consumer
- A Filter-to-Consumer Binding -- this links the filter to the consumer
ls *wmievtconsmr.xml | sort length -Descending | more
The output of that command follows, see if you can determine which host had the backdoor installed:
So what's in this file? Since it was collected with Kansa's Get-WMIEvtConsumer collector, which specifies its output should be written to an XML file, we can either open the XML file in a suitable editor or use the Powershell cmdlet Import-Clixml to read the file into a variable and examine the contents via the following commands:
$data = Import-Clixml .\DFWBOSSWEE01_wmievtconsmr.xml
$data | more
This command returns output like the following:
[Convert]::ToBase64String()
Doing so would reveal that when this WMI Event Consumer is triggered, it connects to a remote site and downloads another script and runs it.
So how often is it triggered? What triggers it? To answer those questions, you'll have to review the data Kansa collected via Get-WMIEvtFilter.ps1. A consumer by itself is harmless, but if there's an Event Filter and a Filter-to-Consumer binding, then you've got all the ingredients needed for a WMI Event Consumer based backdoor.
No comments:
Post a Comment