This document provides an overview of Windows Management Instrumentation (WMI) and techniques for abusing WMI in offensive operations. It begins by introducing the author and includes an outline of the topics to be covered. It then defines WMI and compares it to SQL databases. The document discusses useful WMI queries, using WMI for user hunting, creating WMI event subscriptions, duplicating WMI classes, and hiding WMI methods. It also covers storing files in WMI, creating custom WMI providers, and registering WMI providers without triggering event log warnings. In summary, the document outlines various techniques for abusing WMI for offensive purposes such as persistence, fileless execution, and covert command and control.
3. 3 Confidential & Proprietary
WHAT IS WMI?
Windows Management Instrumentation
Present since Windows 95
It shows
Probably familiar with some WMI functions
Win32_Process -> Create()
wmic.exe process call create …
Invoke-WmiMethod -Class win32_process -Name create -ArgumentList …
INVOKE-WMIFS
1. Create a WMI class to store file in
New-WMIFSClass
2. Read in file and base64 encode and encrypt
ConvertTo-Base64 & ConvertTo-EncryptedText
3. Slice the base64 encoded string and insert into WMI
Invoke-InsertFileThreaded
4. Retrieve the file and reassemble
Invoke-RetrieveFile
5. Base64 decode, decrypt the file, and optionally write it to disk
ConvertFrom-Base64 & ConvertFrom-EncryptedText
Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
WMI PROVIDERS
These are the DLLs behind the scenes that do all the work
Host the methods and properties that we call
cimwin32.dll
What about building our own provider?
Build the provider
Register the provider
Access the provider
HOW TO CREATE A PROVIDER
WmiPrvSe.exe can host the Common Language Runtime (CLR)
Opens up .NET for use in WMI
Add a few decorators
[ManagementEntity]
[ManagementTask]
Remove calls to stdin, stdout, and stderr
PowerShell Command Execution
https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider
ShellCode Runner
https://github.com/subTee/EvilWMIProvider
WMI BACKDOOR
1. Base64 Encode Payload
2. Store Payload as Base64 Encoded String in WMI
3. Extract as a byte array and then inject the payload
Supported Payloads:
ShellCode, Dll, PE
INSTALLUTIL.EXE
PS C:\> InstallUtil.exe assembly.dll
PS C:\> InstallUtil.exe /u assembly.dll
In the Windows Event Log this triggers a warning.
.NET MANAGEDINSTALLERCLASS
PS C:\> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper(
@( "C:\assembly.dll")
)
PS C:\> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper(
@("/u", "C:\assembly.dll")
)
The PowerShell version and the .NET assembly version need to match.
In the Windows Event Log this also triggers a warning.
MANUAL REGISTRATION
What if we were to register the WMI provider purely through WMI calls?
This does not come close to fitting on a slide
1. Create the WMI_extension Class
2. Create an instance of WMI_extension for the Win32_Implant Class
3. Create an instance of __InstanceProviderRegistration for WMI_extension
4. Create an instance of __MethodProviderRegistration for WMI_extension
5. Create the Win32_Implant Class
6. Register WMI_extension in HKCR and HKLM
MANUAL REGISTRATION
Why would I want to do that?
Manually registering a WMI provider allows us to avoid calling any executables on the remote system
Remember those pesky Windows Event Log warnings?
Those are caused by the default hosting model, LocalSystemHost
There are many, many others to choose from.
Win32_Process -> Create() uses NetworkServiceHost
Wanna guess what that HostingModel doesn't do?
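As an added defensive example (not code from the deck or its author), the two functions below inventory what a namespace has registered, following the objects named in the manual registration steps and the hosting models just discussed: every __Win32Provider with its HostingModel, the DLL its CLSID resolves to and that DLL's signature state, plus the __InstanceProviderRegistration and __MethodProviderRegistration links. The root\cimv2 namespace and the HKLM\SOFTWARE\Classes path are assumed defaults; a provider whose DLL is unsigned or lives outside %SystemRoot% is flagged for review.

```powershell
# Added defensive example, not code from the deck: inventory the __Win32Provider
# instances in a namespace, resolve each CLSID to its registered DLL, and report
# hosting model plus signature state so a rogue provider stands out.
function Get-WmiProviderInventory {
    param([string]$Namespace = 'root\cimv2')
    foreach ($p in (Get-WmiObject -Namespace $Namespace -Class __Win32Provider)) {
        $dll = $null; $sig = 'no InprocServer32 key'
        if ($p.CLSID) {
            # HKCR merges HKLM\SOFTWARE\Classes with HKCU\Software\Classes;
            # a full audit checks both views, the HKLM one is used here.
            $key = "HKLM:\SOFTWARE\Classes\CLSID\$($p.CLSID)\InprocServer32"
            if (Test-Path $key) {
                $raw = (Get-ItemProperty -Path $key).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                if ($dll -and (Test-Path -LiteralPath $dll)) {
                    $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
                } elseif ($dll) { $sig = 'file missing' } else { $sig = 'empty path' }
            }
        }
        $inWindows = [bool]$dll -and $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Namespace    = $Namespace
            Provider     = $p.Name
            HostingModel = $p.HostingModel
            CLSID        = $p.CLSID
            Dll          = $dll
            Signature    = "$sig"
            # Review anything unsigned or loaded from outside %SystemRoot%
            Review       = (-not $inWindows) -or ("$sig" -ne 'Valid')
        }
    }
}

# Which providers are actually wired to classes (the registration objects
# from steps 3 and 4). With Get-WmiObject the Provider property is a string
# object path such as \\HOST\root\cimv2:__Win32Provider.Name="CIMWin32".
function Get-WmiProviderRegistrations {
    param([string]$Namespace = 'root\cimv2')
    foreach ($cls in '__InstanceProviderRegistration', '__MethodProviderRegistration') {
        Get-WmiObject -Namespace $Namespace -Class $cls | ForEach-Object {
            [pscustomobject]@{ Registration = $cls; Provider = $_.Provider }
        }
    }
}

Get-WmiProviderInventory | Where-Object Review | Format-Table -AutoSize
Get-WmiProviderRegistrations | Format-Table -AutoSize
```

Run it against each namespace you care about and diff the output against a known-good host; a provider name that appears in the registrations but whose DLL fails the signature check is what the manual-registration path above would leave behind.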
Applications and Services Logs / Microsoft / Windows / WMI-Activity
https://msdn.microsoft.com/en-us/library/aa826686(v=vs.85).aspx