WMI Forensics - Cheat Sheet
- Idan Buller
- Dec 8, 2021
Updated: Dec 9, 2021
Intro
Windows Management Instrumentation (WMI) enables system administrators to perform tasks locally and remotely. From a red-team perspective, WMI can be used for lateral movement, persistence, situational awareness, code execution, and as a command-and-control channel.
WMI as an attack vector is not new. It has been used to aid attacks within Microsoft networks since its invention. However, it has been increasingly weaponized in recent years, largely due to its small forensic footprint.

Terms & Meanings
| Term | Meaning |
| --- | --- |
| Event Consumer | A script or executable to run when a filter is triggered. |
| Event Filter | A monitored condition that triggers an Event Consumer. |
| CIM Repository | A database that stores WMI class instances, definitions, and namespaces. |
| MOF | Managed Object Format file, used to define WMI classes to be inserted into the repository. |
WMI Processes
| Process Name | Description |
| --- | --- |
| wmic.exe | Command-line tool for interacting with WMI locally and on remote systems. |
| wmiprvse.exe | WMI Provider Host; the listening service that handles WMI requests on the remote system and spawns processes started through WMI. |
| scrcons.exe | Script Consumer process (ActiveScriptEventConsumer host) that spawns child processes to run active script code (VBScript, JScript, etc.). |
| mofcomp.exe | MOF file compiler which inserts data into the repository. |
| wsmprovhost.exe | Present on the remote system if PS Remoting was used. |
Windows Event IDs
| Event ID | Description |
| --- | --- |
| 4688 | Process Creation (Security log) |
| 5860 | Temporary WMI event consumer registered (Microsoft-Windows-WMI-Activity/Operational) |
| 5861 | WMI subscription created, i.e. a permanent event consumer was bound (Microsoft-Windows-WMI-Activity/Operational) |
Files
| File Path | Description |
| --- | --- |
| C:\Windows\System32\wbem\Repository\OBJECTS.DATA | Objects managed by WMI (the CIM repository; event filters, consumers and bindings are stored here) |
| C:\Windows\System32\wbem\AutoRecover | MOF files with #PRAGMA AUTORECOVER in the first line are copied here so the repository can be rebuilt from them; a malicious MOF placed this way survives a repository rebuild, establishing persistence |
Hunting
While WMI and PowerShell can be used for attacks, they can equally be used for defense. Native support for WMI and easy scalability make PowerShell an obvious choice for detecting attacks such as WMI event consumers. We do not need fancy tools to detect one of the stealthier WMI threats:
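The following PowerShell hunt is an added example, not code from the original post. It correlates the three object types that make up a permanent subscription (the filter, consumer and binding the EXTRA section below describes) and flags the patterns a hunter cares about. The consumer class names and the regexes are heuristics I chose; the `-ComputerName` parameter is the script's own and assumes WinRM for remote hosts.

```powershell
# Added example (not from the original post): correlate permanent WMI event
# subscriptions in root\subscription and flag the ones worth a closer look.
# Assumes Windows PowerShell 3+ or PowerShell 7 (CimCmdlets) and admin rights;
# pass -ComputerName to query a remote host over WinRM.
param([string]$ComputerName)

$cimArgs = @{ Namespace = 'root\subscription' }
if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }
$bindings = Get-CimInstance @cimArgs -ClassName __FilterToConsumerBinding

# Heuristics (assumptions, tune per environment):
#  - consumer classes that execute code rather than just log
#  - filter queries that fire shortly after boot (the "within 60 seconds of
#    startup" pattern used for persistence)
#  - payloads that launch script hosts or carry encoded PowerShell
$codeConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
$bootQuery     = 'SystemUpTime|Win32_LocalTime|Win32_PerfFormattedData_PerfOS_System'
$payloadRegex  = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32|-enc|FromBase64String'

$report = foreach ($b in $bindings) {
    # The Filter and Consumer ref properties resolve to the referenced instances.
    $f = $b.Filter
    $c = $b.Consumer
    $consumerClass = $c.CimClass.CimClassName
    $payload = switch ($consumerClass) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    $flags = @()
    if ($consumerClass -in $codeConsumers) { $flags += "code-executing consumer ($consumerClass)" }
    if ($f.Query -match $bootQuery)        { $flags += 'boot/uptime-triggered filter' }
    if ($payload -match $payloadRegex)     { $flags += 'script host or encoded payload' }

    [pscustomobject]@{
        Computer      = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Filter        = $f.Name
        Query         = $f.Query
        ConsumerClass = $consumerClass
        Consumer      = $c.Name
        Payload       = $payload
        Flags         = $flags -join '; '
    }
}

# Flagged subscriptions first; the stock "SCM Event Log" binding should show no flags.
$report | Sort-Object { $_.Flags.Length } -Descending | Format-List
```

Cross-check any hit against Event ID 5861 in the WMI-Activity log and against the `scrcons.exe` / `wmiprvse.exe` child-process events from 4688 to establish when the subscription was created and what it ran.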



EXTRA
WMI Persistence Technique (via CMD)
Interaction with WMI can be performed through the command prompt, as all Windows operating systems include the WMIC command-line utility. Executing the following commands creates three objects (an event filter, an event consumer, and the binding between them) in the "root\subscription" namespace. The arbitrary payload will then be executed within 60 seconds every time Windows starts.

Via Event Filter -
Via Event Consumer -
Via FilterToConsumerBinding -