~ xio
The content of this blog is about cyber security and programming
Windows Management Instrumentation (WMI) event subscription is one way to establish persistence on a network. In this post, we will talk about WMI event subscription and how red teams use it.
Overview
Microsoft describes this feature as follows: WMI contains an event infrastructure that produces notifications about changes in WMI data and services. WMI event classes provide notification when specific events occur.
Persistence via WMI event subscription usually requires the creation of the following three classes:
This post reviews different techniques for bypassing AMSI.
AMSI overview
Microsoft’s definition of AMSI:
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that’s present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.
AMSI is agnostic of antimalware vendor; it’s designed to allow for the most common malware scanning and protection techniques provided by today’s antimalware products that can be integrated into applications.
Forensics challenges solved in the Cyber Apocalypse CTF 2022 competition.
Puppeteer, Golden Persistence, Automation
Puppeteer
The participant is provided with a set of Windows event logs, which must be analyzed in order to obtain the flag.
Files with the “evtx” extension can be opened with the Event Viewer tool in Windows.
PowerShell script event logs are stored in “Microsoft-Windows-PowerShell Operational.evtx”.
In one of the reports, I came across a script that stored some interesting values in the variables: