This document discusses using Windows Management Instrumentation (WMI) to create fileless backdoors and persistent implants. It begins with an overview of WMI and its class structure. It then covers duplicating existing WMI classes to hide backdoor methods and storing payloads in WMI properties. The document also introduces creating custom WMI providers using .NET to implement backdoor functionality directly in WMI. It concludes by examining options for registering custom WMI providers, including manually registering through WMI calls to avoid event log warnings. In summary, the document explores abusing WMI's class inheritance and provider models to develop advanced fileless and persistent backdoors on Windows systems.
4. 4 Confidential & Proprietary
WHAT IS WMI?
Windows Management Instrumentation
Present since Windows 95
It shows
Probably familiar with some WMI functions
Win32_Process -> Create()
wmic.exe process call create …
Invoke-WmiMethod –class win32_process –name create –argumentlist …
16. 16 Confidential & Proprietary
INVOKE-WMIFS
1. Create a WMI class to store file in
New-WMIFSClass
2. Read in file and base64 encode and encrypt
ConvertTo-Base64 & ConvertTo-EncryptedText
3. Slice the base64 encoded string and insert into WMI
Invoke-InsertFileThreaded
4. Retrieve the file and reassemble
Invoke-RetrieveFile
5. Base64, decrypt file, and optionally write to disk
ConvertFrom-Base64 & ConvertFrom-EncryptedText
Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
19. 19 Confidential & Proprietary
WMI PROVIDERS
These are the DLL’s behind the scenes that do all the work
Host the methods and properties that we call
cimwin32.dll
What about building our own provider?
Build the provider
Register the provider
Access the provider
20. 20 Confidential & Proprietary
HOW TO CREATE A PROVIDER
WmiPrvSe.exe can host the Common Language Runtime (CLR)
Opens up .Net for use in WMI
Add a few decorators to a class and your done
[ManagementEntity]
[ManagementTask]
https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885
25. 25 Confidential & Proprietary
BETTER WMI BACKDOOR
Store Payload as Base64 Encoded String in WMI, and then inject the payload
ShellCode Runner
Dll Injector
PE Injector
34. 34 Confidential & Proprietary
INSTALLUTIL.EXE
PS C:> InstallUtil.exe assembly.dll
PS C:> InstallUtil.exe /u assembly.dll
In the Windows Event Log this triggers a warning.
37. 37 Confidential & Proprietary
.NET MANAGEDINSTALLERCLASS
PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper(
@( "C:assembly.dll")
)
PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper(
@(“/u”, "C:assembly.dll")
)
The PS version and .net assembly version need to match.
In the Windows Event Log this also triggers a warning.
40. 40 Confidential & Proprietary
MANUAL REGISTRATION
What if we were to register the WMI Provider purely through WMI calls
This does not come close to fitting on a slide
1. Create the WMI_extension Class
2. Create an instance of WMI_extension for the Win32_Implant Class
3. Create an instance of __InstanceProviderRegistration for WMI_extension
4. Create an instance of __MethodProviderRegistration for WMI_extension
5. Create the Win32_Implant Class
6. Register WMI_extension in HKCR and HKLM
43. 43 Confidential & Proprietary
MANUAL REGISTRATION
Why would I want to do that?
Manually registering a WMI provider allows us to bypass calling any executables on the remote
system
Remember those pesky Windows Event Logs warnings?
Those are caused by the default hosting model LocalSystemHost
There are many, many others to choose from.
Win32_Process -> Create() uses NetworkServiceHost
Wanna guess that that HostingModel doesn’t do?