Detecting & Removing an Attacker’s WMI Persistence

David French
Oct 9, 2018 · 4 min read

What is WMI?

“WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components.”

Configuring Sysmon Logging

Sysmon can be configured to log WmiEventFilter, WmiEventConsumer, and WmiEventConsumerToFilter activity, which enables the detection of WMI abuse.

Sysmon Event IDs for WMI activity
sysmon.exe -i -c .\config_file.xml 

Establish Persistence

Let’s use Empire’s Invoke-WMI module to create a permanent WMI subscription and persist a stager on the victim endpoint.

Reviewing Empire’s WMI-related modules
Reviewing the options for Empire’s Invoke-WMI module
Running the module

Detection

Reviewing the Sysmon logs, we can see that the Empire module:

  1. Registered a WMI event filter
  2. Registered a WMI event consumer
  3. Bound the event consumer to the event filter
Sysmon events logged after Empire Invoke-WMI module execution
Sysmon Event ID 19: WmiEvent (WmiEventFilter activity detected)
Sysmon Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Sysmon Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)

Eradication

The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence.

Using Autoruns to review WMI database entries
Using Autoruns to review content of the WMI database
# Reviewing WMI Subscriptions using Get-WMIObject
# Event Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='Updater'"
# Event Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='Updater'"

# Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%Updater%'"
# Removing WMI Subscriptions using Remove-WMIObject
# Event Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='Updater'" | Remove-WmiObject -Verbose
# Event Consumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='Updater'" | Remove-WmiObject -Verbose

# Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%Updater%'" | Remove-WmiObject -Verbose
Removing WMI event subscriptions
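As an added example (not code from the post, Empire, or Sysmon), the following PowerShell generalises the single-name queries above: it walks every binding in root\subscription, pairs each filter with its consumer, flags consumers that carry a command-line or script payload, and removes a named subscription with -WhatIf support. The payload regex, the allowlisted built-in SCM subscription, and the assumption that filter and consumer share one name are mine.

```powershell
# Added example (not from the original post): walk every binding in root\subscription,
# pair each filter with its consumer, and flag consumers that carry a command-line
# or script payload. The payload regex and the allowlisted built-in SCM subscription
# are assumptions of this example, not facts from the post.
$Namespace = 'root\subscription'
# Windows ships one benign subscription by default (assumed known-good here).
$KnownGood  = @('__EventFilter.Name="SCM Event Log Filter"')
$Suspicious = 'powershell|-enc|-e |frombase64|iex|downloadstring|hidden|bypass|cmd\.exe|wscript|mshta'

function Get-WmiSubscription {
    $filters   = Get-WmiObject -Namespace $Namespace -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $Namespace -Class __EventConsumer
    foreach ($b in Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding) {
        # Binding.Filter / .Consumer are relative paths such as
        # __EventFilter.Name="Updater"; match them against each object's __RELPATH.
        $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
        $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }
        # Only CommandLine/ActiveScript consumers execute an attacker-supplied payload.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText } else { '' }
        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            Payload      = $payload
            Suspicious   = ($b.Filter -notin $KnownGood) -and ($payload -match $Suspicious)
        }
    }
}

function Remove-WmiSubscription {
    # Removes the binding first so the filter can no longer trigger the consumer,
    # then the consumer and filter that share the subscription name (as Empire's do).
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $objects  = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
                  Where-Object { $_.Filter -eq "__EventFilter.Name=`"$Name`"" })
    $objects += Get-WmiObject -Namespace $Namespace -Class __EventConsumer | Where-Object { $_.Name -eq $Name }
    $objects += Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='$Name'"
    foreach ($o in $objects) {
        if ($PSCmdlet.ShouldProcess($o.__RELPATH, 'Remove WMI subscription object')) {
            Remove-WmiObject -InputObject $o
        }
    }
}

# Review first, then dry-run the removal before committing to it.
Get-WmiSubscription | Where-Object Suspicious | Format-Table -AutoSize
Remove-WmiSubscription -Name 'Updater' -WhatIf
```

Run it in an elevated PowerShell session; drop -WhatIf only once the flagged entry has been confirmed as the Empire subscription rather than a legitimate management agent's.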

Threat Punter

Threat Hunting | Threat Detection | Malware Analysis | Forensics
