WINDOWS MANAGEMENT INSTRUMENTATION (WMI)
Windows Management Instrumentation (WMI) is a set of features from Microsoft, built into Windows, designed for fast and efficient management of Windows systems. WMI is Microsoft's implementation of the industry-standard Web-Based Enterprise Management (WBEM) protocol. WMI has both scriptable and programmable interfaces.
WMI is a technology that allows objects in Windows operating systems to be controlled and that performs operations and management functions within the operating system. It can do all of this thanks to its nearly 900 classes, each of which contains functions prepared for various purposes. WMI provides a uniform access mechanism to a large collection of Windows administrative data and methods. With it, one can do many things, such as collecting the state of computers, configuring settings, running applications, and executing code.
Namespaces: A namespace acts as a container for related WMI classes; think of it as a "Pictures" folder that contains pictures. All namespaces are located under, and derive from, the ROOT namespace, and Microsoft uses ROOT\CIMV2 as the default namespace when a scripting language queries objects without explicitly specifying one.
Classes: A WMI class represents a specific element on your system, and classes are used to manage operations in the operating system. Classes contain the properties, methods, and events through which WMI providers set, inspect, and capture data and pass it to the WMI service.
Frequently used WMI classes:
- Get-WmiObject -Class Win32_BIOS
- Get-WmiObject -Class Win32_ComputerSystem
- Get-WmiObject -Class Win32_OperatingSystem
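The following script is an added example, not code from the original article. It walks the namespace tree below ROOT (using the __NAMESPACE system class whose instances are the child namespaces), counts the classes in the default ROOT\CIMV2 namespace so the figure quoted above can be compared with a real host, and then queries the three frequently used classes with a handful of properties an inventory script typically needs. It uses the CIM cmdlets (Get-CimInstance, Get-CimClass) that supersede Get-WmiObject from PowerShell 3.0 onward; the function name Get-WmiNamespaceTree is my own. It assumes Windows PowerShell 3.0+ on a local Windows host.

```powershell
# Added example (not from the original article): enumerate WMI namespaces,
# count classes in the default namespace, and query the three classes above.
# Assumes Windows PowerShell 3.0+ (CIM cmdlets) on a local Windows host.

function Get-WmiNamespaceTree {
    param([string]$Namespace = 'ROOT')
    # __NAMESPACE is the system class whose instances are the child namespaces.
    # Some namespaces are not readable without elevation, so errors are skipped.
    foreach ($child in Get-CimInstance -Namespace $Namespace -ClassName __NAMESPACE -ErrorAction SilentlyContinue) {
        $full = "$Namespace\$($child.Name)"
        $full
        Get-WmiNamespaceTree -Namespace $full   # recurse into the child namespace
    }
}

$namespaces = @(Get-WmiNamespaceTree)
"Namespaces under ROOT: $($namespaces.Count)"

# Count the classes in the default namespace to compare with the figure quoted above.
$cimv2Classes = @(Get-CimClass -Namespace 'ROOT\CIMV2')
"Classes in ROOT\CIMV2: $($cimv2Classes.Count)"

# The three frequently used classes, with the properties an inventory script usually needs.
Get-CimInstance -ClassName Win32_BIOS |
    Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber

Get-CimInstance -ClassName Win32_ComputerSystem |
    Select-Object Name, Domain, Manufacturer, Model, TotalPhysicalMemory

Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber, LastBootUpTime, OSArchitecture
```

Run it in an elevated session to see the full namespace tree; a non-elevated session still returns the ROOT\CIMV2 results but silently skips namespaces it cannot read.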
Clients: Clients interact with WMI classes to query data and perform various operations. They are built into Microsoft operating systems, so no additional tools are required to use them.
WMIC.exe is a built-in Microsoft program that allows command-line access to Windows Management Instrumentation. Using this tool, administrators can query the operating system for detailed information about installed hardware and Windows settings, run administrative tasks, and even run other programs or commands.
PowerShell is a powerful scripting language with rich functionality for interacting with WMI. Starting with PowerShell version 3, it can be used to interact with WMI. PowerShell can access WMI directly, so scripts can be written to query hardware components, check system health, or automate configuration.
Windows Scripting Host (WSH)
WSH allows you to run scripts from both the Windows desktop and the command prompt, and it is built into all Microsoft operating systems. WSH is ideal for non-interactive scripting needs such as logon scripting, administrative scripting, and machine automation. Because it has a small memory footprint, WSH is suitable for performing simple and fast tasks. By default two scripting languages are supported: JScript and VBScript. You can open any text editor, write a script, and save it as *.vbs or *.js.
Wbemtest.exe is a WMI tool with a graphical interface. It can enumerate object instances, perform queries, log events, modify WMI objects and classes, and call methods both locally and remotely.
Winrm.exe can be used to enumerate WMI object instances, invoke methods, and create and remove object instances on local and remote machines running the WinRM service. winrm.exe can also be used to configure WinRM settings.
Windows Remote Shell (WinRS) is a command line tool. If WinRM is enabled, it can be used to execute commands remotely on a host.
Query Languages: WQL (Windows Management Instrumentation Query Language) is used to query WMI services. WQL is a SQL-like syntax for WMI.
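The script below is an added example, not code from the original article. It shows the two kinds of WQL query a practitioner meets: data queries, which select instances of a class with SELECT/FROM/WHERE (including LIKE and an explicit namespace), and event queries, which subscribe to changes with __InstanceCreationEvent, WITHIN and ISA. The event query is used here to log new processes for a short time; that same query shape is what permanent WMI event subscriptions are built from, so reading it is useful when reviewing subscriptions. It assumes Windows PowerShell 3.0+ on a local Windows host; the source identifier NewProcessWatch is my own.

```powershell
# Added example (not from the original article): data queries and an event
# query in WQL. Assumes Windows PowerShell 3.0+ on a local Windows host.

# 1. Data query: services set to start automatically that are not running.
#    WQL supports SELECT, FROM, WHERE and the usual comparison operators.
$stalled = Get-CimInstance -Query "SELECT Name, DisplayName, StartMode, State FROM Win32_Service WHERE StartMode = 'Auto' AND State <> 'Running'"
$stalled | Select-Object Name, DisplayName, State

# 2. Data query with a LIKE filter and an explicitly named namespace.
Get-CimInstance -Namespace 'ROOT\CIMV2' -Query "SELECT Name, ProcessId, ParentProcessId FROM Win32_Process WHERE Name LIKE 'svchost%'" |
    Select-Object Name, ProcessId, ParentProcessId

# 3. Event query: __InstanceCreationEvent fires when a new instance of the class
#    named after ISA appears; WITHIN is the polling interval in seconds.
#    Used here to log every new process for one minute.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 WHERE TargetInstance ISA 'Win32_Process'"
$null = Register-CimIndicationEvent -Query $query -SourceIdentifier 'NewProcessWatch' -Action {
    # The created object is delivered as TargetInstance on the event.
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("{0:u}  PID {1,-6} {2}  {3}" -f (Get-Date), $p.ProcessId, $p.Name, $p.CommandLine)
}
Start-Sleep -Seconds 60
Unregister-Event -SourceIdentifier 'NewProcessWatch'
```

Part 3 is a temporary subscription: it lives only in this PowerShell session and disappears when Unregister-Event runs or the session ends, which is the difference between it and the permanent subscriptions stored in the repository.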
WMI Repository: The repository is the database that stores all static data about classes. Its primary function is to provide the infrastructure for management services. The repository stores classes, their structure, namespaces, and so on, and it is defined by MOF (Managed Object Format) files. The database files are located under the %WINDIR%\System32\Wbem\Repository directory.
MOF Files: MOF files are used to define WMI namespaces, classes, providers, and so on. Files with the .mof extension are located under the %WINDIR%\System32\Wbem directory. MOF is the format in which objects in the WMI database are described.
WMI Providers: WMI providers make available information about objects that Windows can manage, and they can be called the backbone of WMI. Everything defined in the repository is accessed with the help of WMI providers: the provider supplies data from an object to WMI and processes messages from WMI to the object. A WMI provider consists of a DLL and a MOF file that defines its classes.
WMI Service (winmgmt): The WMI service is the implementation of the WMI system in Windows; it is a process that acts as an intermediary between WMI providers, the WMI repository, and managing applications. It provides a common interface and object model for accessing management information about devices, applications, and services. WMI is a key component of the Windows operating system that allows developers and IT administrators to write scripts and applications to automate tasks. The service starts automatically at boot.
WMI supports two protocols for connecting to remote computers:
- DCOM (Distributed COM)
- WinRM (Windows Remote Management)
DCOM is the older technology and is not preferred today; although it is still enabled by default on many servers, it is considered outdated.
WinRM is a modern web-service-based protocol and was introduced with PowerShell 3. WinRM has since replaced DCOM as the recommended remote administration protocol for Windows, and it is more reliable and faster. WinRM is built on the Web Services for Management (WS-Management, WSMan) specification. To communicate with a remote computer, the protocol's ports must be open and the WMI service must be running on that computer.
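The script below is an added example, not code from the original article. It reaches the same WMI class on a remote host over each of the two protocols named above: first it checks the WinRM listener with Test-WSMan, then it opens a CIM session over WS-Management (the default for New-CimSession on PowerShell 3+) and, for comparison, one over DCOM using New-CimSessionOption -Protocol Dcom. It assumes Windows PowerShell 3.0+, a reachable host on which the caller has administrative rights, and that the firewall allows the chosen transport (TCP 5985 for WinRM over HTTP; TCP 135 plus a dynamic RPC port for DCOM). The host name in $Target is a placeholder.

```powershell
# Added example (not from the original article): query Win32_OperatingSystem on a
# remote host over WinRM (WS-Management) and over DCOM. $Target is a placeholder.
# Assumes Windows PowerShell 3.0+ and administrative rights on the remote host.

$Target = 'SERVER01.example.local'   # placeholder host name

# Test-WSMan talks to the WinRM listener and throws if the service or port is unreachable.
try {
    $null = Test-WSMan -ComputerName $Target -ErrorAction Stop
    $winrmUp = $true
} catch {
    $winrmUp = $false
}
"WinRM reachable on ${Target}: $winrmUp"

# Protocol 1: WS-Management (the default transport for New-CimSession).
if ($winrmUp) {
    $wsman = New-CimSession -ComputerName $Target
    Get-CimInstance -CimSession $wsman -ClassName Win32_OperatingSystem |
        Select-Object PSComputerName, Caption, LastBootUpTime
    Remove-CimSession $wsman
}

# Protocol 2: DCOM, for hosts where WinRM is not enabled. The class and query
# are identical; only the transport underneath differs.
$dcomOpt = New-CimSessionOption -Protocol Dcom
$dcom = New-CimSession -ComputerName $Target -SessionOption $dcomOpt
Get-CimInstance -CimSession $dcom -ClassName Win32_OperatingSystem |
    Select-Object PSComputerName, Caption, LastBootUpTime
Remove-CimSession $dcom
```

Because WS-Management uses a single fixed port and DCOM needs port 135 plus a dynamically assigned RPC port, the WinRM path is the easier one to permit deliberately through a firewall, which is one reason it became the recommended protocol.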
WMI is an extremely powerful tool for attackers. There is a multitude of WMI objects, methods, and events that can be used for everything from discovery, AV detection, and code execution to lateral movement, covert data storage, and persistence.
Apart from its legitimate uses, WMI can also be used maliciously. Attackers often abuse WMI:
- to establish persistence on the target system,
- to run malicious scripts, and more.
Additionally, WMI is available in all current Windows operating system versions, so the breadth of systems that threat actors can target makes this issue even more serious. Because malicious use of this technology is difficult to distinguish from legitimate administration, it is a natural choice for them.
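The script below is an added example, not code from the original article, written from the defender's side of the persistence point made above. A permanent WMI event subscription consists of three objects in the ROOT\subscription namespace: an __EventFilter (a WQL event query), an __EventConsumer (the action taken when the filter fires) and a __FilterToConsumerBinding that ties the two together. The function lists all three, shows the payload of the two consumer types that execute arbitrary code (CommandLineEventConsumer and ActiveScriptEventConsumer), and then pulls the WMI-Activity log entries (event ID 5861) that Windows 10 / Server 2016 and later write when a new binding is created. It assumes Windows PowerShell 3.0+ running with administrative rights; the function name Get-WmiPersistenceReport is my own.

```powershell
# Added example (not from the original article): audit permanent WMI event
# subscriptions, the mechanism behind WMI-based persistence.
# Assumes Windows PowerShell 3.0+ in an elevated session.

function Get-WmiPersistenceReport {
    $ns = 'ROOT\subscription'

    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    # __EventConsumer is abstract; querying it returns every concrete consumer type.
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($f in $filters) {
        [pscustomobject]@{ Kind = 'Filter'; Name = $f.Name; Detail = $f.Query }
    }
    foreach ($c in $consumers) {
        # The two consumer classes that execute arbitrary code carry their payload in
        # CommandLineTemplate or ScriptText; other consumer types are reported by class only.
        $detail = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
            default                     { '' }
        }
        [pscustomobject]@{ Kind = $c.CimClass.CimClassName; Name = $c.Name; Detail = $detail }
    }
    foreach ($b in $bindings) {
        # Filter and Consumer are references to the objects above.
        [pscustomobject]@{ Kind = 'Binding'; Name = "$($b.Filter)"; Detail = "-> $($b.Consumer)" }
    }
}

Get-WmiPersistenceReport | Format-Table -AutoSize -Wrap

# Windows 10 / Server 2016 and later record each new binding in the
# Microsoft-Windows-WMI-Activity/Operational log as event ID 5861, which gives a
# timeline of when a subscription first appeared.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

A clean Windows installation shows one binding of its own, "SCM Event Log Filter" to "SCM Event Log Consumer" (an NTEventLogEventConsumer); anything beyond that, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer, should be traced back to the software or administrator that created it.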
PREVENTING WMI ATTACKS
- System administrators can disable the WMI service. WMI is important for an organization, however, so the undesirable side effects of stopping the WMI service need to be considered.
- WMI's ports can be blocked. Disabling the ability to connect to WMI from remote devices blocks remote WMI but allows the service to keep running locally. This solution is better than disabling WMI completely.
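The script below is an added example, not code from the original article. It implements the second recommendation: Windows ships one inbound firewall rule group for DCOM-based WMI ("Windows Management Instrumentation (WMI)") and another for WinRM ("Windows Remote Management"); the function reports how many inbound rules in each group are enabled and, when called with -Harden, disables them while leaving the winmgmt service itself running, then confirms the service state. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated PowerShell session; the function name Invoke-RemoteWmiExposureAudit is my own.

```powershell
# Added example (not from the original article): block remote WMI access at the
# firewall while keeping the local WMI service running.
# Assumes Windows 8 / Server 2012+ (NetSecurity module) and an elevated session.

function Invoke-RemoteWmiExposureAudit {
    param([switch]$Harden)

    $groups = @(
        'Windows Management Instrumentation (WMI)',   # DCOM/RPC path: TCP 135 + dynamic port
        'Windows Remote Management'                   # WinRM path: TCP 5985 (HTTP) / 5986 (HTTPS)
    )

    foreach ($g in $groups) {
        $rules   = @(Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue)
        $enabled = @($rules | Where-Object Enabled -eq 'True')
        [pscustomobject]@{
            RuleGroup     = $g
            InboundRules  = $rules.Count
            EnabledBefore = $enabled.Count
        }
        if ($Harden -and $enabled.Count -gt 0) {
            # Disabling the inbound rules closes the remote path; the winmgmt
            # service is untouched, so local scripts and management keep working.
            $enabled | Disable-NetFirewallRule
        }
    }

    # Confirm the service is still running locally, which is the point of this
    # approach compared with stopping winmgmt outright.
    $svc = Get-Service -Name winmgmt
    [pscustomobject]@{ RuleGroup = 'winmgmt service'; InboundRules = ''; EnabledBefore = $svc.Status }
}

# Report only:
Invoke-RemoteWmiExposureAudit | Format-Table -AutoSize
# Report and block remote access (elevated session required):
# Invoke-RemoteWmiExposureAudit -Harden
```

Disabling the "Windows Remote Management" group also stops PowerShell remoting and any management tooling that relies on WinRM, so on hosts that are administered remotely it is usually better to restrict those rules to the management network's addresses (Set-NetFirewallRule -RemoteAddress) than to disable them outright.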