WMI (“Windows Management Instrumentation”)[1] is, as Microsoft says, “the infrastructure for management data and operations on Windows-based operating systems”. Personally, I like to make a (very) rough comparison between WMI and SNMP: you can query information about a system (read) but also alter it (write). WMI has been present on Windows systems since Windows 2000. As you can imagine, when a tool is available by default on all systems, it’s a good opportunity for attackers to (ab)use its features. Think about tools like bitsadmin.exe or certutil.exe that are used by many malicious scripts. Today, WMI seems to be used more and more in many scenarios. Here are two examples:

I found a malicious PowerShell script that uses WMI to extract the name of the installed antivirus and later exfiltrate it (so the attacker gets an overview of the infected system). It’s very simple:

$AV = (WMIC /Node:localhost /Namespace:root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv)|Out-String

The above command generates output that looks like:

PS C:\Users\isc> (WMIC /Node:localhost /Namespace:root\SecurityCenter2 Path AntivirusProduct Get displayname /format:csv)
Node,displayName
WIN10ESX,Windows Defender

WMIC is the command-line tool provided by Microsoft to interact with the WMI service.

The second example is more interesting. In a recent article on the ESET blog[2], researchers explained how WMI was used to implement persistence after a system has been infected by Turla. The malware uses a WMI feature called an “event consumer”, which triggers a script when an event occurs[3]. WMI can monitor a system and extract a lot of information, like the system uptime. The created event consumer launches a script when the uptime is between 300 and 400 seconds. See the ESET article for more details.

From a blue team perspective, how can we detect this kind of malicious activity? Does WMI generate events on a stock Windows system? By default, WMI events are logged in the following event channel:

Application & Service Logs / Microsoft / Windows / WMI-Activity / Operational

When you query the system via WMI, an event ID 5857 is created:

  
    
    5857
    0
    0
    0
    0
    0x4000000000000000
    
    4211
    
    
    Microsoft-Windows-WMI-Activity/Operational
    WIN10ESX
    
  
  
    
    CIMWin32a
   0x0
    wmiprvse.exe
    27808
    %systemroot%\system32\wbem\wmipcima.dll
    
  

This is of limited use: WMI usage can be heavy and will generate a lot of noise, and this event does not reveal the creation of a new consumer unless the operation failed. If you want more details about the WMI activity on a system, you can use ETW or “Event Tracing for Windows”[4]. This feature of the Windows API generates specific logs called Event Trace Logs (ETL) which contain binary data. To read them, you need a specific tool like Windows Event Viewer, TraceFmt or Netmon.

To enable the event tracing of WMI, you can use the command line:

PS C:\Users\isc> wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true

Or, with the Event Viewer GUI: select “Show Analytics and Debug Logs” in the View menu, then go to the event channel, select “Trace”, right-click and select “Enable Log”.

Now, you’ll be able to see the WMI queries:

  
    
    11
    0
    4
    0
    0
    0x8000000000000000
    
    4
    
    
    Microsoft-Windows-WMI-Activity/Trace
    WIN10ESX
    
  
  
    
    {00000000-0000-0000-0000-000000000000}
    60973
    60974
    Start IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
    WIN10ESX
    WIN10ESX
    WIN10ESX\isc
    27608
    132043098985649148
    .\root\SecurityCenter2
    true
    
  

Here is an example of an event consumer creation:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" />
    11
    0
    4
    0</Task>
    0
    0x8000000000000000
    
    3
    
    
    Microsoft-Windows-WMI-Activity/Trace
    WIN10ESX
    <Security UserID="S-1-5-18" />
  
  
    
    {B394F6AE-0B4E-0000-CA80-E8B34E0BD501}
    61157
    61159
    Start IWbemServices::PutInstance - root\subscription : __EventFilter.Name="Test-Consumer"
    WIN10ESX
    WIN10ESX
    WIN10ESX\isc
    27816
    132043211668214516
    .\root\subscription
    true
    
  

Keep in mind that ETW is a debugging feature: the extra logs can generate a lot of noise, and the channel also stops collecting data once it reaches its default size limit. The limit of events is low and, once the limit is reached, the collection process stops.
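To turn the two trace events shown above (the ExecQuery against root\SecurityCenter2 and the PutInstance into root\subscription) into something a blue team can hunt for, here is an added PowerShell example that is not part of the diary: it scans the Trace channel for both patterns and then lists the permanent subscriptions currently registered in root\subscription. It assumes an elevated prompt and that the Trace channel has been enabled with the wevtutil command above; the regular expressions and the function names are the editor's own.

```powershell
# Added example (not from the diary). Patterns are matched against the raw event XML,
# so nothing is assumed about the EventData field names of the Trace events.
# Both regular expressions were written for this example.
$Patterns = @{
    'AV enumeration (recon)'               = 'ExecQuery[^<]*root\\SecurityCenter2[^<]*AntiVirusProduct'
    'Permanent subscription (persistence)' = 'PutInstance[^<]*root\\subscription[^<]*__(EventFilter|EventConsumer|FilterToConsumerBinding)'
}

function Find-SuspiciousWmiActivity {
    param([int]$MaxEvents = 5000)
    # Analytic/Debug channels such as WMI-Activity/Trace can only be read oldest-first.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-WMI-Activity/Trace' -Oldest -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        $xml = $e.ToXml()
        foreach ($label in $Patterns.Keys) {
            # -match is case-insensitive, so "AntivirusProduct" and "AntiVirusProduct" both hit.
            if ($xml -match $Patterns[$label]) {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    RecordId  = $e.RecordId
                    Finding   = $label
                    Operation = ([regex]::Match($xml, 'Start IWbemServices::[^<]+')).Value
                }
            }
        }
    }
}

function Get-WmiSubscriptions {
    # The three classes that make up a permanent WMI event subscription. A stock system has
    # very few instances, so an unfamiliar name (e.g. "Test-Consumer" above) deserves a look.
    # Querying the abstract __EventConsumer class also returns the concrete consumer types
    # (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace root/subscription -ClassName $class |
            Select-Object @{ n = 'Class'; e = { $_.CimClass.CimClassName } },
                          Name, Query, CommandLineTemplate, ScriptText, Filter, Consumer
    }
}

Find-SuspiciousWmiActivity | Format-Table -AutoSize
Get-WmiSubscriptions | Format-List
```

Because the Trace channel stops collecting once its size limit is reached, run the scan regularly or export the channel before it fills up; the subscription listing works without the Trace channel at all and is worth baselining on clean systems.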

More information about WMI tracing is available here[5].

[1] https://docs.microsoft.com/en-us/windows/desktop/wmisdk/wmi-start-page
[2] https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
[3] https://docs.microsoft.com/en-us/windows/desktop/wmisdk/receiving-events-at-all-times
[4] https://docs.microsoft.com/en-us/windows/desktop/etw/event-tracing-portal
[5] https://docs.microsoft.com/en-us/windows/desktop/wmisdk/tracing-wmi-activity

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.