The 4N6 Post


Windows Management Instrumentation (WMI) is Microsoft's infrastructure for managing Windows systems and the applications that run on them. It is built into every Windows release and exposes system management information through a standardized interface. Administrators use it to query the state of their systems, automate management tasks, and administer machines remotely. In this blog post, we will take a closer look at what WMI is, how it works, how it is used both legitimately and maliciously, and how to find malicious use in the WMI repository.





What is Windows Management Instrumentation (WMI)?


WMI is a technology that enables developers and system administrators to access and manipulate information about Windows operating systems and applications through a standardized interface. WMI provides a set of objects and methods that can be used to query and manage system resources, such as hardware devices, software applications, and network settings. WMI also provides an infrastructure for monitoring and controlling system events and processes, such as system startup, shutdown, and user logon.

WMI keeps its repository in a set of files under %SYSTEMROOT%\system32\wbem\Repository\. The bulk of the data, the class definitions and the stored object instances, lives in one file called OBJECTS.DATA. This can be found at:


%SYSTEMROOT%\system32\wbem\Repository\OBJECTS.DATA

(INDEX.BTR and the MAPPING*.MAP files next to it hold the index and page mapping for the same database.)

OBJECTS.DATA can be a valuable source of information for system administrators and forensic analysts, because it persists the classes and instances WMI has been told to keep, including the __EventFilter, __EventConsumer and __FilterToConsumerBinding instances that make up a permanent event subscription. Those objects can serve normal purposes (information gathering, scheduled actions) or malicious ones (code execution, persistence), and because the file can be copied from a disk image and parsed offline, it exposes subscriptions even when the original system is no longer running.

How does WMI work?


WMI is based on the Common Information Model (CIM), which is a standard for representing management information in a consistent way. CIM defines a set of classes, properties, and methods that can be used to access and manipulate management information. WMI provides a CIM-based interface for accessing management information on Windows systems. WMI consists of three main components: the WMI service, the WMI repository, and the WMI provider.

The WMI service (Winmgmt, hosted in an svchost.exe process) is the core component of WMI, and it provides the interface for accessing and manipulating management information. It runs as a system service and is responsible for executing WMI queries, dispatching them to providers, and processing WMI events, including running the consumers of any permanent event subscriptions.

The WMI repository is a database that stores the CIM objects that are used by WMI. The WMI repository contains information about system resources, such as hardware devices, software applications, and network settings. The WMI repository also contains information about system events and processes, such as system startup, shutdown, and user logon.

A WMI provider is a software component that enables access to management information from a specific source, such as a hardware device or a software application. Providers are COM DLLs that the WMI service loads into WmiPrvSE.exe host processes. Windows ships with many of its own (the CIMv2 provider behind the Win32_* classes, for example), and hardware and software vendors add theirs to expose management information about their products through the same interface.

Normal Use Case

WMI is widely used by system administrators and developers to automate system management tasks, such as monitoring system performance, managing software installations, and configuring network settings. Some examples of normal use cases for WMI include:


  •     System monitoring and troubleshooting - WMI can be used to monitor system performance, such as CPU usage, memory usage, and disk space usage. WMI can also be used to diagnose system problems, such as application crashes and system errors.

  •     Software management - WMI can be used to install, uninstall, and update software applications on remote computers. WMI can also be used to query information about installed software, such as version numbers and installation dates.

  •     Network management - WMI can be used to configure network settings, such as IP addresses, DNS servers, and network adapters. WMI can also be used to monitor network traffic and network performance.
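The three use cases above, as an added PowerShell example (not code from the original post). It uses the CIM cmdlets that replaced Get-WmiObject in PowerShell 3.0; the host name SRV01, the MSI path and the DNS server addresses are placeholders.

```powershell
# Added example (not from the original post): routine WMI queries with the CIM cmdlets.
# Get-CimInstance replaced Get-WmiObject in PowerShell 3.0 and is the only option in
# PowerShell 7. 'SRV01', the MSI path and the DNS addresses are placeholders; omit
# -CimSession to query the local machine.
$session = New-CimSession -ComputerName 'SRV01'

# 1. Monitoring and troubleshooting: CPU load and free space on fixed disks.
#    Win32_* classes live in root\cimv2, the default namespace.
Get-CimInstance -CimSession $session -ClassName Win32_Processor |
    Select-Object DeviceID, Name, LoadPercentage

Get-CimInstance -CimSession $session -ClassName Win32_LogicalDisk -Filter "DriveType = 3" |
    Select-Object DeviceID,
        @{ Name = 'FreeGB'; Expression = { [math]::Round($_.FreeSpace / 1GB, 1) } },
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }

# 2. Software management: list installed updates with their install dates, then run
#    an unattended MSI install by asking WMI to start a process on the remote host.
#    (Win32_Process.Create is the same call attackers use for remote execution.)
Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering |
    Select-Object HotFixID, Description, InstalledOn -First 10

$result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create `
    -Arguments @{ CommandLine = 'msiexec.exe /i C:\Deploy\agent.msi /qn' }
"msiexec started with PID $($result.ProcessId), ReturnValue $($result.ReturnValue)"

# 3. Network management: show IP-enabled adapters and point one at new DNS servers.
$nics = Get-CimInstance -CimSession $session -ClassName Win32_NetworkAdapterConfiguration `
    -Filter "IPEnabled = TRUE"
$nics | Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder

$nic = $nics | Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
Invoke-CimMethod -CimSession $session -InputObject $nic -MethodName SetDNSServerSearchOrder `
    -Arguments @{ DNSServerSearchOrder = @('10.0.0.53', '10.0.0.54') }

Remove-CimSession $session
```

Note that the software inventory deliberately avoids Win32_Product: enumerating that class makes the Windows Installer run a consistency check on every installed package, which is slow and can trigger repairs. A ReturnValue of 0 from Win32_Process.Create means the process was started, not that the install succeeded.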


Malicious Use Case

Unfortunately, WMI can also be used for malicious purposes, such as gathering sensitive information, executing malicious code, and creating persistence mechanisms. Some examples of malicious use cases for WMI include:


  •     Information gathering - WMI can be used to gather information about a system, such as installed software, network settings, and user accounts. This information can be used by attackers to identify vulnerabilities and plan further attacks.

  •     Code execution - WMI can be used to run arbitrary commands on a local or remote system without dropping a custom tool on it. The simplest form calls the Create method of the Win32_Process class (wmic /node:<host> process call create "...", or Invoke-WmiMethod / Invoke-CimMethod from PowerShell), which starts the given command line under the caller's credentials. Attackers also plant a command line or script in an event consumer (see persistence below) so that the WMI service itself runs it. Because the activity is carried by legitimate WMI infrastructure rather than a recognizable attacker binary, it blends in with ordinary administration.

  •     Persistence mechanisms - WMI can be used to keep access to a system across reboots. The attacker creates a permanent event subscription: an __EventFilter whose WQL query matches a trigger (commonly a system-uptime condition that fires shortly after boot, a logon, or a timer), an __EventConsumer such as CommandLineEventConsumer or ActiveScriptEventConsumer that holds the command line or script to run, and a __FilterToConsumerBinding that joins the two. All three are stored in the root\subscription namespace of the repository, and every time the filter matches, the WMI service runs the consumer's payload as SYSTEM, with no scheduled task, service or Run key to find. MITRE ATT&CK tracks this technique as T1546.003 (Event Triggered Execution: Windows Management Instrumentation Event Subscription).
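What a permanent event subscription looks like when built by hand, as an added lab example in PowerShell (not code from the original post). It is meant for an elevated prompt on a test machine: the names LabTriggerFilter and LabTriggerConsumer and the output path are placeholders, and the payload only appends a timestamp to a text file.

```powershell
# Added lab example (not from the original post): build, observe and remove a
# permanent WMI event subscription. Run elevated, on a test machine only. The
# names LabTriggerFilter/LabTriggerConsumer and the output path are placeholders;
# the payload only appends a timestamp to a text file.
$ns = 'root/subscription'

# 1. Filter: the trigger. This WQL query polls every 15 s and matches once the
#    system has been up between 60 and 300 s, the classic "shortly after boot"
#    condition used by real implants.
$filter = New-CimInstance -Namespace $ns -ClassName __EventFilter -Property @{
    Name           = 'LabTriggerFilter'
    EventNamespace = 'root/cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 15 " +
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " +
                     "AND TargetInstance.SystemUpTime >= 60 AND TargetInstance.SystemUpTime < 300"
}

# 2. Consumer: the payload. CommandLineEventConsumer runs its command line as
#    SYSTEM whenever a bound filter matches. (Avoid '%' in the template: WMI
#    treats %Name% as a substitution token for event properties.)
$consumer = New-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
    Name                = 'LabTriggerConsumer'
    CommandLineTemplate = 'powershell.exe -NoProfile -Command "Get-Date | Out-File -Append C:\Windows\Temp\wmi-lab.txt"'
}

# 3. Binding: joins filter to consumer. Nothing executes until this exists.
$binding = New-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
    Filter   = [ref]$filter
    Consumer = [ref]$consumer
}

# The three objects are now persisted in OBJECTS.DATA and survive reboots:
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
# After a reboot, C:\Windows\Temp\wmi-lab.txt gains a line about a minute after startup.

# Tear-down: delete the binding first (so nothing can fire), then consumer and filter.
$binding | Remove-CimInstance
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -Filter "Name='LabTriggerConsumer'" |
    Remove-CimInstance
Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='LabTriggerFilter'" |
    Remove-CimInstance
```

Creating the filter and consumer alone is harmless; it is the binding that arms the subscription, which is why removal starts there. The same three objects are what the parsing and PowerShell sections below look for.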


Parsing With PyWMIPersistenceFinder.py

PyWMIPersistenceFinder.py (David Pany's script from the FireEye FLARE team's flare-wmi project) is a Python script that searches an OBJECTS.DATA file for permanent event subscriptions. It takes the path to the file as input, carves the raw file for __FilterToConsumerBinding instances, and prints the filter query and the consumer definition for each binding it finds. Because it works on the file itself rather than through the WMI service, it can be run against a copy pulled from a disk image, which makes it a useful tool for identifying persistence mechanisms that have been created using WMI.

Keep in mind that the script may still require Python 2.
# Navigate to the directory where PyWMIPersistenceFinder.py is located
cd /path/to/PyWMIPersistenceFinder

# Run the script with the Python interpreter and provide the path to the OBJECTS.DATA file
python PyWMIPersistenceFinder.py /path/to/OBJECTS.DATA

Getting WMI using PoSH

PowerShell can also be used to search a live system for persistence mechanisms in the WMI repository. On Windows PowerShell 5.1 the Get-WMIObject cmdlet queries the repository for a given class; on PowerShell 7 it no longer exists, and Get-CimInstance (available since PowerShell 3.0, with the same -Namespace argument and -ClassName in place of -Class) should be used instead.


For example, the following PowerShell commands list the three pieces of every permanent event subscription (the filters, the consumers, and the bindings that join them) in the root\Subscription namespace:


# Triggers: the WQL queries that fire a subscription
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
# Payloads: __EventConsumer is abstract, so this returns every concrete consumer type
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
# Bindings: which filter runs which consumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
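The three queries above return the objects separately; an analyst wants each binding joined to its trigger and payload. The following added PowerShell example (not code from the original post) does that join, flags consumers that execute code, and cross-checks the WMI-Activity event log. The function name Get-WmiSubscription and the filter name EvilFilter in the removal comment are placeholders.

```powershell
# Added example (not from the original post): enumerate permanent WMI event
# subscriptions on a live system and join each binding to its trigger (filter)
# and payload (consumer). Uses the CIM cmdlets; Get-WmiObject returns the same data.

# Binding properties Filter/Consumer are CIM references. The CIM cmdlets surface
# them as objects carrying the key properties; Get-WmiObject gives path strings
# such as __EventFilter.Name="Foo". Accept both shapes.
function Get-RefName($Ref) {
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiSubscription {
    [CmdletBinding()]
    param([string]$Namespace = 'root/subscription')

    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }

    # __EventConsumer is abstract: one query returns every concrete consumer class.
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        $f   = $filters[(Get-RefName $b.Filter)]
        $c   = $consumers[(Get-RefName $b.Consumer)]
        $cls = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }

        # The property holding the payload depends on the consumer class.
        $payload = switch ($cls) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
            'LogFileEventConsumer'      { $c.Filename }
            default                     { $null }
        }

        [pscustomobject]@{
            Filter        = if ($f) { $f.Name } else { '<missing>' }
            Query         = if ($f) { $f.Query } else { $null }
            ConsumerClass = $cls
            Consumer      = if ($c) { $c.Name } else { '<missing>' }
            Payload       = $payload
            ExecutesCode  = $cls -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

# A stock Windows install has exactly one binding: the "SCM Event Log Filter" /
# "SCM Event Log Consumer" pair (an NTEventLogEventConsumer). Anything else, and
# especially anything with ExecutesCode = True, deserves a close look.
Get-WmiSubscription | Format-List

# Corroborate with the WMI-Activity log, where event 5861 records each permanent
# subscription that was registered (present on current Windows releases).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# To remove a malicious subscription, delete the binding first so nothing can fire,
# then the consumer and the filter. For a filter named 'EvilFilter' (placeholder):
# Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
#     Where-Object { (Get-RefName $_.Filter) -eq 'EvilFilter' } | Remove-CimInstance
```

If Sysmon is deployed, its events 19, 20 and 21 (WmiEventFilter, WmiEventConsumer and WmiEventConsumerToFilter activity) give the same coverage as event 5861 with the creating process included, which helps attribute a subscription to the session that installed it.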



Conclusion

While WMI is a powerful tool for system administrators and developers, it can also be used for malicious purposes. Attackers can use WMI to gather information, execute code, and create persistence mechanisms. System administrators should be aware of the potential for misuse and take concrete steps against it: baseline and periodically enumerate root\subscription (or parse OBJECTS.DATA offline from a disk image), collect the Microsoft-Windows-WMI-Activity/Operational log and Sysmon events 19-21 so that new permanent subscriptions are caught when they are created, and restrict which hosts and accounts may reach WMI remotely.

