Based on https://blogs.technet.microsoft.com/sysinternals/2017/02/17/…

…update-sysmon-v6-autoruns-v13-7-accesschk-v6-1-process-monitor-v3-32-process-explorer-v16-2-livekd-v5-61-and-bginfo-v4-21/ I don't know what "registrations in the WMI\Default namespace" are. I guess it meant to list evil WMI providers that could be registered... Here are some links from https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf about it: https://gist.github.com/mattifestation/2727b6274e4024fd2481 https://github.com/subTee/EvilWMIProvider https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider On slide 58, why would the EvilWMIProvider be resolved to c:\windows\system32\mscoree.dll?
p0w3rsh3ll · Feb 19, 2017 · c7eab48 · c7eab48
1 parent 9a1efa6
commit c7eab48
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/AutoRuns.psd1 b/AutoRuns.psd1
diff --git a/AutoRuns.psm1 b/AutoRuns.psm1
@@ -1586,7 +1586,20 @@ Begin {
                             Category = 'WMI' ;
                         }
                 }
-
+                # List recursiveley registered and resolved WMI providers
+                Get-WmiObject -Namespace root -Recurse -Class __Provider -List -ErrorAction SilentlyContinue | ForEach-Object {
+                    Get-WmiObject -Namespace $_.__NAMESPACE -Class $_.__CLASS -ErrorAction SilentlyContinue | ForEach-Object {
+                        Write-Verbose -Message "Found provider clsid $($_.CLSID) from under the $($_.__NAMESPACE) namespace"
+                        if (($clsid = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$($_.CLSID)\InprocServer32" -Name '(default)' -ErrorAction SilentlyContinue).'(default)')) {
+                            [pscustomobject]@{
+                                Path = $_.__PATH ;
+                                Item = $_.Name
+                                Value = $clsid
+                                Category = 'WMI' ;
+                            }
+                        }
+                    }
+                }
             }
         }
         End {
@@ -2197,7 +2210,7 @@ Begin {
                             ## Get-PSAutorun -VerifyDigitalSignature | ? { -not $_.IsOSBinary }
                             if($signature.IsOSBinary)
                             {
-                                $_ = $_ | Add-Member -MemberType NoteProperty -Name IsOSBInary -Value $signature.IsOSBinary -Force -PassThru
+                                $_ = $_ | Add-Member -MemberType NoteProperty -Name IsOSBinary -Value $signature.IsOSBinary -Force -PassThru
                             }
 
                             ## Add the signer itself
@@ -2247,7 +2260,8 @@ Get-PSAutorun -All -ShowFileHash -VerifyDigitalSignature
 Get-PSAutorun -ServicesAndDrivers | ? path -match 'OSE' | fl *
 Get-PSAutorun -ServicesAndDrivers | ? path -match 'sysmon' | fl *
 Get-PSAutorun -ServicesAndDrivers | ? path -match 'psexesvc' | fl *
-Get-PSAutorun -OfficeAddins | Format-Table -Property Path,ImagePath,Category 
+Get-PSAutorun -OfficeAddins | Format-Table -Property Path,ImagePath,Category
+Get-PSAutorun -WMI -VerifyDigitalSignature | Where { -not $_.isOSBinary }
 
 # From 11.70 to 12.0
     +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages