Came across this puppy that used Powershell via WMI to install a backdoor and subsequently use that backdoor for further malicious activities: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
That puppy could be a biter alright. Pretty decent read up. Thanks. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
Yeah, I found it "illuminating" that FireEye that has it own heavy duty commercial security solutions was stating in effect that the only way you can be sure you having been nailed by remote PowerShell malware is examine your Powershell logs. There have been numerous recent Windows remote execution vulnerabilities exposed that show that all that is needed to exploit these is for the attacker to gain admin privileges on local machine. Unfortunately, that is far to easy to accomplish on current Win OS versions.
I enabled logging right after following your link on that and happened on to it too. At least now and for the time being for better or worse all PS commands are resting comfortably in the system drive folder now. Very useful feature. Available notice should be shared and come to light more often instead of having to stumble on these things after some major event.
Came across this BlackHat publication relevant to WMI based malware similar to this attack: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-wp.pdf BTW - I was helping someone with ActiveScriptEventConsumer malware in another forum, so it still very much is being deployed.
Here's another WMI malware incident in which I give the developer an A+ for creativity: https://www.secureworks.com/blog/wmi-persistence
