Detecting & Removing an Attacker’s WMI Persistence

David French
Oct 9, 2018 · 4 min read
Image for post
Image for post

Windows Management Instrumentation (WMI) Event Subscription is a popular technique to establish persistence on an endpoint. I decided to spend some time playing with Empire’s WMI modules and analyzing the artifacts for detection opportunities. I also reviewed the PowerShell commands that can be used to view and remove WMI event subscriptions.

“Windows Management Instrumentation Event Subscription” is MITRE ATT&CK Technique T1084.

Attackers may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.

What is WMI?

WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components.”

An event filter is a WMI class that describes which events WMI delivers to an event consumer. An event filter also describes the conditions under which WMI delivers the events.

Configuring Sysmon Logging

Sysmon can be configured to log WmiEventFilter, WmiEventConsumer, and WmiEventConsumerToFilter activity and enable the detection of WMI abuse.

Image for post
Image for post
Sysmon Event IDs for WMI activity

Roberto Rodriguez’s (@Cyb3rWard0g) Sysmon configuration file will capture the above Event IDs.

Execute the following command to install Sysmon and apply a configuration file.

Establish Persistence

Let’s use Empire’s Invoke-WMI module to create a permanent WMI subscription and persist a stager on the victim endpoint.

Image for post
Image for post
Reviewing Empire’s WMI-related modules
Image for post
Image for post
Reviewing the options for Empire’s Invoke-WMI module
Image for post
Image for post
Running the module

Detection

Reviewing the Sysmon logs we can see that the Empire module:

  1. Registered a WMI event filter
  2. Registered a WMI event consumer
  3. Bound the event consumer to the event filter
Image for post
Image for post
Sysmon events logged after Empire Invoke-WMI module execution

The WMI event filter sets the conditions for the stager to execute, which includes references to the system’s uptime.

Image for post
Image for post
Sysmon Event ID 19: WmiEvent (WmiEventFilter activity detected)

The WMI event consumer contains the Empire stager in Base64-encoded form and is registered with the innocuous name, Updater when its default settings are used.

Image for post
Image for post
Sysmon Event ID 20: WmiEvent (WmiEventConsumer activity detected)

The WMI event consumer CommandLineEventConsumer.Name=\”Updater\" is bound to the event filter __EventFilter.Name=\”Updater\”

Image for post
Image for post
Sysmon Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)

Now that the event consumer is bound to the event filter, IF the event filter conditions are true THEN trigger the event consumer (the stager).

Eradication

The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence.

Image for post
Image for post
Using Autoruns to review WMI database entries
Image for post
Image for post
Using Autoruns to review content of the WMI database

Right-click the malicious WMI database entry and select Delete.

Alternatively, you can remove the WMI event subscriptions from the command line.

Use Get-WMIObject in PowerShell to review the WMI event filter, event consumer, and consumer filter to event filter binding. Thanks to Boe Prox (@proxb) for explaining these commands in detail on his blog.

Use Remove-WMIObject to remove all components of the WMI persistence.

Image for post
Image for post
Removing WMI event subscriptions

Run Autoruns again to verify that the persistence was removed.

Image for post
Image for post

Threat Hunting | Threat Detection | Malware Analysis |…

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store