WMI - Event Subscription

Overview

Windows Management Instrumentation (WMI) allows, through Event Subscription, to maintain persistence on a Windows system. Permanent WMI event subscriptions can be configured to persist across system reboots.

Permanent event subscriptions are composed of:

• An event filter (__EventFilter ), which is the event of interest that will trigger the consumer. Such event can be, for example, a logon success or system startup.

• An event consumer, which is the action to perform upon trigger of the event filter.

  Five Consumer classes are available:

  • The ActiveScriptEventConsumer class that run arbitrary VBScript or JScript code.

  • The CommandLineEventConsumer class that run an arbitrary system command.

  • The LogFileEventConsumer class that write an arbitrary string to a text-based log file.

  • The NtEventLogEventConsumer class that write an arbitrary Windows ETW event.

  • The SMTPEventConsumer class that send an email.

• A filter to consumer binding (FilterToConsumerBinding) which is the registration mechanism binding an event filter to an event consumer.

WMI Event Subscription can be of two types:

• Temporary: only active as long as the process that created the subscription is active and run under the privilege of the creating process.

• Permanent: stored in the CIM database on disk and run under NT AUTHORITY\SYSTEM privileges.

WMI repository files

The persistent WMI Event Subscription are written to disk in the (undocumented) WMI repository files under %SystemRoot%\System32\wbem\Repository\ or %SystemRoot%\System32\wbem\Repository\FS\:

• OBJECTS.DATA: contains the CIM objects with, among other things, the event subscriptions data (event consumer, filter, and filter to consumer binding).

• INDEX.BTR: paged file in B-tree structure, “used to efficiently lookup CIM entities in the objects.data file”.

• MAPPING<1-3>.MAP: correlate / map pages from OBJECTS.DATA and INDEX.BTR.

All three files are required to properly conduct forensics analysis on WMI persistence.

Tool(s)

Live forensics

The SysInternals Autoruns (GUI) and AutorunsC (CLI) utilities can be used to detect (and delete) WMI-related persistence.

The WMI event subscriptions can also be enumerated with the PowerShell cmdlet Get-WMIObject:

ForEach ($NameSpace in "root\subscription","root\default") { Get-WMIObject -Namespace $Namespace -Query "SELECT * FROM __EventFilter" }

ForEach ($NameSpace in "root\subscription","root\default") { Get-WMIObject -Namespace $Namespace -Query "SELECT * FROM __EventConsumer" }

ForEach ($NameSpace in "root\subscription","root\default") { Get-WMIObject -Namespace $Namespace -Query "SELECT * FROM __FilterToConsumerBinding" }

WMI repository files parsing

WMI Event Subscription data can be extracted from OBJECTS.DATA files using the PyWMIPersistenceFinder Python script (that rely on regexes to extract the data):

PyWMIPersistenceFinder.py "<OBJECTS.DATA_FILE>"

If a deeper analysis is required, for example if a consumer reference other WMI objects, python-cim can be leveraged to extract data from the WMI repository:

python3 samples/dump_class_layout.py win7 "<WMI_REPOSITORY_FOLDER>" "<ROOT\cimv2 | WMI_NAMESPACE>" "<WMI_CLASS_NAME>"

References

• FireEye - William Ballenthin, Matt Graeber, Claudiu Teodorescu - WINDOWS MANAGEMENT INSTRUMENTATION (WMI) OFFENSE, DEFENSE, AND FORENSICS

• Network Security Ninja - WMI Forensics

• SANS - Chad Tilbury - Investigating WMI Attacks

• darkoperator - Carlos PEREZ - Basics of Tracking WMI Activity