WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
<#
.SYNOPSIS
WMIEvent-BinaryRename.ps1 installs WMI Eventing based Binary rename detection
Name: WMIEvent-BinaryRename.ps1
Version: 1.0
Author: Matt Green (@mgreen27)
.DESCRIPTION
WMIEvent-BinaryRename.ps1 is a WMI based Binary Rename detection template to install a WMI Event Consumer.
The script installs an Event Consumer named "BinaryRename_Example" in the root/subscription namespace.
The Event consumer will monitor all process events and run a vbscript to check for binary rename conditions.
The check will compare Process Name and Original File Name, then if Original File Name is on a list of monitored files will log.
Template includes logging to disk and to the event log - feel free to modify as required.
Event Log
function: writeEventLog
function call: WriteEventLog strPath, strOrigName
Log to: Application EventLog EventID 4
LogFile
function: writeLogFile
function call: WriteLogFile strPath, strOrigName
Log to: "C:\staging\wmilog.txt"
To remove a logging method, delete the relevant function from the VBScript block and its function call.
.NOTES
Requirements: Powershell 2.0+
Original Template (Eventlog Consumer) attributed to @mattifestation: https://gist.github.com/mattifestation/aff0cb8bf66c7f6ef44a
Removal commands
Get-WmiObject -Namespace 'root/subscription' -Class '__EventFilter' | where-object {$_.Name -like "BinaryRename_Example*"} | Remove-WmiObject
Get-WmiObject -Namespace 'root/subscription' -Class 'ActiveScriptEventConsumer' | where-object {$_.Name -like "BinaryRename_Example*"} | Remove-WmiObject
Get-WmiObject -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' | where-object {$_.Filter -like "*BinaryRename_Example*"} | Remove-WmiObject
#>
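# Set Variables
#
# NOTE: ActiveScriptEventConsumer scripts execute inside scrcons.exe as
# LocalSystem, so everything the VBScript below does (file and event-log
# writes) happens with SYSTEM privileges. Registering a filter/consumer/binding
# in root/subscription is also exactly what Sysmon WmiEvent (IDs 19-21) and
# most EDRs alert on; expect to allow-list the 'BinaryRename_Example' objects.
$Name = 'BinaryRename_Example'
# One event per process start; the consumer re-queries Win32_Process by PID.
$Query = 'SELECT ProcessId FROM Win32_ProcessStartTrace'
$EventNamespace = 'root/cimv2'
$Class = 'ActiveScriptEventConsumer'

# Define the signature - i.e. __EventFilter
$EventFilterArgs = @{
    EventNamespace = $EventNamespace
    Name           = $Name
    Query          = $Query
    QueryLanguage  = 'WQL'
}
$FilterInstanceArgs = @{
    Namespace = 'root/subscription'
    Class     = '__EventFilter'
    Arguments = $EventFilterArgs
}
$Filter = Set-WmiInstance @FilterInstanceArgs

# Define the Event Consumer - ACTION
# The VBScript is kept in a single-quoted here-string so PowerShell performs no
# expansion on it; the closing '@ must stay at column 0.
$EventConsumerArgs = @{
    Name            = $Name
    ScriptingEngine = 'VBScript'
    ScriptText      = @'
Option Explicit
Dim strPath, strName, strOrigName, wmiQuery
Dim objFolder, objShell, objFSO, objFile, objWMIService, processes, process

' Look up the process that raised the event. TargetEvent.ProcessId is numeric,
' so concatenating it into the WQL string is not an injection risk.
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\localhost\root\cimv2")
wmiQuery = "Select Name,ExecutablePath from Win32_Process Where ProcessId = " & TargetEvent.ProcessId
Set processes = objWMIService.ExecQuery(wmiQuery)

' A process that has already exited yields an empty result set and is
' silently skipped - very short-lived renamed binaries are a known blind spot.
For Each process In processes
    strName = process.Name
    strPath = process.ExecutablePath
    If strPath = "" Then
        ' ExecutablePath can be empty (e.g. access denied). Falling back to
        ' System32 inspects the System32 binary of the same name rather than
        ' the real image, so such processes will normally not be flagged.
        strPath = "C:\Windows\System32"
    Else
        Set objFSO = CreateObject("Scripting.Filesystemobject")
        If objFSO.FileExists(strPath) = -1 Then
            strPath = objFSO.GetParentFolderName(strPath)
        End If
    End If

    Set objShell = CreateObject("shell.application")
    Set objFolder = objShell.NameSpace(strPath)
    ' NameSpace() hands back Nothing for an unknown folder; IsNull() never
    ' detects that, so test the object reference directly.
    If Not (objFolder Is Nothing) Then
        Set objFile = objFolder.ParseName(strName)
        ' ParseName() returns Nothing if the file has vanished; without this
        ' guard the script would fault on ExtendedProperty and log nothing.
        If Not (objFile Is Nothing) Then
            ' Version property set, PID 6 = OriginalFilename. Empty or Null
            ' (no version resource) both fail the Len test and are skipped.
            strOrigName = objFile.ExtendedProperty("{0CEF7D53-FA64-11D1-A203-0000F81FEDEE},6")
            If Not Len(strOrigName) = 0 Then
                If IsRenamed(strName, strOrigName) Then
                    If IsMonitored(strOrigName) Then
                        strPath = strPath & "\" & strName
                        WriteLogFile strPath, strOrigName
                        WriteEventLog strPath, strOrigName
                    End If
                End If
            End If
        End If
    End If
Next

' True when the on-disk name does not match the embedded OriginalFilename.
' PsExec is special-cased because it ships with OriginalFilename "psexec.c":
' any psexec* image name is accepted. (The previous single-expression test put
' the psexec clause after an always-true inequality, so every legitimate
' PsExec run was logged as a rename.)
Function IsRenamed(strName, strOrigName)
    Dim lName, lOrig
    lName = LCase(strName)
    lOrig = LCase(strOrigName)
    If lOrig = "psexec.c" Then
        IsRenamed = Not (Left(lName, 6) = "psexec")
    Else
        IsRenamed = Not (lOrig = lName)
    End If
End Function

' Watch list of OriginalFilename values worth logging. Extend as required.
Function IsMonitored(strOrigName)
    Select Case LCase(strOrigName)
        Case "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "mshta.exe", _
             "msiexec.exe", "nc.exe", "powershell.exe", "psexec.c", _
             "regsvr32.exe", "wmic.exe", "wscript.exe"
            IsMonitored = True
        Case Else
            IsMonitored = False
    End Select
End Function

' Write an Information (type 4) entry to the Application event log.
Function WriteEventLog(strPath, strOrigName)
    Dim wshShell
    Set wshShell = CreateObject("WScript.Shell")
    wshShell.LogEvent 4, "Binary Rename detected" & vbCrLf & strPath & vbCrLf & "Original Name = " & strOrigName
End Function

' Append a pipe-delimited line (UTC timestamp|host|event|path|original name)
' to the log file. The directory must already exist - OpenTextFile creates
' only the file. This runs as SYSTEM, so keep the directory writable by
' administrators only; a world-writable log is trivially tampered with.
Function WriteLogFile(strPath, strOrigName)
    Dim dateTime, utcNow, objSysInfo, objFSO, objWmiLog
    Dim strLogPath, strTime, strDate, strComputerName
    strLogPath = "C:\staging\wmilog.txt"
    Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
    dateTime.SetVarDate Now()
    ' GetVarDate(False) converts the local timestamp to UTC, hence the "Z".
    utcNow = dateTime.GetVarDate(False)
    strDate = Year(utcNow) & "-" & Right("0" & Month(utcNow), 2) & "-" & Right("0" & Day(utcNow), 2)
    ' vbShortTime is hh:mm only; change this if downstream parsers need seconds.
    strTime = FormatDateTime(utcNow, vbShortTime)
    Set objSysInfo = CreateObject("WinNTSystemInfo")
    strComputerName = objSysInfo.ComputerName
    Set objFSO = CreateObject("Scripting.Filesystemobject")
    ' 8 = ForAppending, True = create if missing, 0 = ASCII.
    Set objWmiLog = objFSO.OpenTextFile(strLogPath, 8, True, 0)
    objWmiLog.WriteLine strDate & "T" & strTime & "Z|" & strComputerName & "|Binary Rename detected|" & strPath & "|" & strOrigName
    objWmiLog.Close
End Function
'@
}
$ConsumerInstanceArgs = @{
    Namespace = 'root/subscription'
    Class     = $Class
    Arguments = $EventConsumerArgs
}
$Consumer = Set-WmiInstance @ConsumerInstanceArgs

# Bind the filter to the consumer so the script runs for every matching event
$FilterToConsumerBindingArgs = @{
    Filter   = $Filter
    Consumer = $Consumer
}
$BindingInstanceArgs = @{
    Namespace = 'root/subscription'
    Class     = '__FilterToConsumerBinding'
    Arguments = $FilterToConsumerBindingArgs
}
# Register the alert
$Binding = Set-WmiInstance @BindingInstanceArgs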