Cacheman wmi events
Since watching FireEye FLARE's 'WhyMI So Sexy?' at Derbycon last September, I have wanted to better understand WMI Events and apply them to offensive security operations. I saw the potential, but my comprehension was lacking and a comprehensive offensive WMI toolset did not exist. I was recently taken to school on WMI Event Subscriptions in a class called Advanced PowerShell for Offensive Operations. I took what I learned there, gathered more information from the resources below and started working on PowerLurk. PowerLurk is a group of PowerShell functions that expand upon the current PowerShell WMI cmdlets to simplify WMI event subscription.

If you are interested in going beyond what is covered here, FLARE has an excellent white paper titled "Windows Management Instrumentation (WMI) Offense, Defense, and Forensics" that I used as a major reference. Other references used include the Uproot project, a WMI Backdoor PoC, and MSDN.

Before diving into function explanations and usage examples, it's important to understand what exactly is going on under the hood. Speaking from my own experience, WMI can be daunting to the uninitiated, but if you have an understanding of object-oriented programming (OOP) you will feel right at home. Like OOP, WMI centers around a hierarchical architecture of namespaces, each of which contains a number of WMI classes. The most prominent namespace, and the default for the WMI/CIM PowerShell cmdlets, is root\cimv2. There are classes for seemingly every component of the Windows operating system. For example, running processes are represented as instances of the Win32_Process class (Figure 1). MSDN is one of the best ways to learn more about WMI classes, their purpose, properties, etc. A categorized list of WMI classes can be found here.

Sidenote: There are many ways to interact with WMI. PowerShell seems to provide the most versatile and automated way to do so; however, I did use Wbemtest during testing. See FLARE's white paper for more information on other methods.

Permanent WMI Event Subscriptions, the subtopic of WMI that PowerLurk is built upon, are composed of three interconnected elements: a trigger (the __EventFilter class), an action (the __EventConsumer class), and an association element that binds a trigger and an action to each other (the __FilterToConsumerBinding class). All three instances live in the root\subscription namespace, and because they are stored in the WMI repository the subscription survives reboots until someone removes it.
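The three-element structure described above, as an added example that is not PowerLurk's own code: it builds a permanent subscription with the stock WMI cmdlets, enumerates the three classes the way a defender would, and tears the subscription down again. It assumes an elevated PowerShell session on Windows; the filter and consumer names and the log path are hypothetical, and the trigger is the benign creation of a notepad.exe process so it can be tested safely.

```powershell
# Added example, not code from the original post or from PowerLurk.
# Requires an elevated PowerShell session. $FilterName, $ConsumerName and
# $LogPath are hypothetical values chosen for this demonstration.

$Namespace    = 'root\subscription'          # where permanent subscriptions live
$FilterName   = 'DemoProcessFilter'
$ConsumerName = 'DemoProcessConsumer'
$LogPath      = 'C:\Windows\Temp\wmi-demo.log'

# 1. Trigger: an __EventFilter whose WQL query fires when a Win32_Process
#    instance named notepad.exe is created. __InstanceCreationEvent is an
#    intrinsic (polled) event, so WITHIN sets the polling interval in seconds.
$Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
    Name           = $FilterName
    EventNamespace = 'root\cimv2'            # namespace the query runs against
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                     "WHERE TargetInstance ISA 'Win32_Process' " +
                     "AND TargetInstance.Name = 'notepad.exe'"
}

# 2. Action: a CommandLineEventConsumer (a concrete subclass of __EventConsumer)
#    that appends the new process name and PID to a log file. WMI substitutes
#    the %TargetInstance.*% placeholders from the event before running it.
$Consumer = Set-WmiInstance -Namespace $Namespace -Class CommandLineEventConsumer -Arguments @{
    Name                = $ConsumerName
    CommandLineTemplate = "cmd.exe /c echo %TargetInstance.Name% %TargetInstance.ProcessId% >> $LogPath"
}

# 3. Binding: __FilterToConsumerBinding ties the trigger to the action. From this
#    point the subscription is stored in the WMI repository and persists.
$Binding = Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
}

# Verify from the defender's side: the same three classes are what hunting
# scripts enumerate. Querying the abstract __EventConsumer returns every
# concrete consumer type (CommandLine, ActiveScript, LogFile, ...).
Get-WmiObject -Namespace $Namespace -Class __EventFilter |
    Select-Object Name, Query
Get-WmiObject -Namespace $Namespace -Class __EventConsumer |
    Select-Object __CLASS, Name
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# Cleanup. Remove the binding first so the filter and consumer are no longer
# referenced, then the filter and consumer themselves.
Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -match $FilterName } | Remove-WmiObject
Get-WmiObject -Namespace $Namespace -Class __EventFilter |
    Where-Object { $_.Name -eq $FilterName } | Remove-WmiObject
Get-WmiObject -Namespace $Namespace -Class CommandLineEventConsumer |
    Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
```

Two points worth noting when running this. The WITHIN clause matters: intrinsic events such as __InstanceCreationEvent are polled, so a process that starts and exits inside the polling window is never seen, which is why a real-world trigger is often an event that leaves a longer-lived instance. And the Filter property of a binding is a string object path (for example `__EventFilter.Name="DemoProcessFilter"`), not the filter object itself, which is why the cleanup matches on it with `-match` rather than comparing objects.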