Persistence - WMI Event Subscription
WMI (Windows Management Instrumentation) enables system management to occur locally and remotely. WMI can be used to achieve a variety of situations such as persistence, lateral movement, code execution, and command and control (C2). The fact that WMI is available in almost all Windows operating systems can be used by attackers to carry out activities on the system.
With the WMI Event Subscription technique, permanence in the system can be achieved by determining the event that will trigger a specific event, such as a payload. In order to achieve this, it is necessary to associate the two classes with each other. These;
- Event Filter: This is the query that selects the trigger for the event to be performed and creates a filter. The event filter determines the situations in which the trigger will be executed using the WQL (a SQL-like query language) query language.
- Event Consumer: Performs the action when the event is triggered. (Payload operation etc.)
- FilterToConsumerBinding: Connects Filter and Consumer classes.
Various techniques and tools are used to ensure permanence in the Windows system using WMI. Empire, PoshC2, PowerSploit and Powershell scripts, Metasploit, and C# tools can be used to automate this technique and create permanence by creating different triggers and code execution actions.
Persistence - When we consider WMI Event Subscription using C#;
Github address where the code is located: WMIPersistence
First, a payload in raw format with payload64.bin extension is created using Msfvenom.
We convert the previously produced payload to VBS format with the SharpShooter tool.
- python2.7 SharpShooter.py –stageless –dotnetver 2 –payload vbs –output implantvbs –rawscfile payload64.bin
Then we encode the payload file into base64 format.
- base64 -i output/implantvbs.vbs
In this section, the code is compiled after placing the payload in base64 format encoded into the C# code.
When this code is run after compiling, it is converted to exe format.
After this exe is run, it places the relevant base64 script under the __EventFilter and EventConsumer classes.
Finally, every time notepad.exe, the application specified in the code, is run, the payload will be executed and a communication channel will be opened to the attacker. Listening can be done when the exe is run using Metasploit.
– In order to detect any attack using WMI, logs are generally examined with event viewer. Likewise, we can detect some Event IDs by examining them in group policies. Let's look at some examples of these:
- To follow the WMI log, we need to follow Event ID 5861 from the Event Viewer tool. This section contains activities related to the WMI attack and shows that it was triggered by vbscript.
- When communication is established with the attacker using VBScript triggered under ActiveScriptEventConsumer, a process is recorded. This process is scrons.exe (Event ID: 5857). In short, the script written in the WMI database is triggered by scrcons.exe, so it must be followed.
In order to monitor Scrons.exe, you must first enable Audit Process Creation (Event ID: 4688) logs.
- Powershell running on the system with Powershell Script Block Logging
It allows you to see the content of the scripts in the logs.
- Command Line Auditing, when a process is added to the Process creation logs, it adds a command line to its content when it is recorded. In such cases, when we open Command Line Auditing, which command is the WMI script?
We can see that it has been added using the line
– In non-SIEM systems, it is also detected via sysmon, which is a free tool, as an alternative method. By monitoring the Event ID value 1,19,20 and 21 in WMI-based logging in Sysmon, we can detect attackers who are trying to add data to critical areas in the WMI database.
– Mofcomp.exe, the WMI command line tool, should be followed.
– Rules can be written to detect via SIEM. Wbem should be followed.
– A specific port must be specified for WMI protocol use. This port can be detected by monitoring remote access.
– Since WMI can be accessed by attackers, it may be necessary to restrict the use of WMI. Defining it only for authorized users within the organization will reduce negative situations.
– When I run the C# script in Crowdstrike, it is observed that it quarantines the WMIPersistence.exe file and prevents it from running.
- Some sigma rules used in WMI Event Subscription cases are as follows;