WMI Subscription - ties2/Red-Team GitHub Wiki
Making access persistent is one of the key goals of red teaming. Attackers aim to establish persistence in the target environment so that they keep access to sensitive information or systems after the initial foothold (a phishing session, a stolen credential) is gone. There are various methods to achieve persistence, and one of them is the permanent WMI event subscription (MITRE ATT&CK T1546.003). This page discusses the WMI subscription technique and its use in achieving long-term access, along with examples and sources.
Windows Management Instrumentation (WMI) is a powerful administrative tool in the Windows operating system, which allows management and monitoring of system resources through a unified and consistent interface. Event subscriptions are a feature of WMI that lets a client be notified when certain events occur on the system, such as a process starting or stopping, a user logging on, or a file being created or modified. A temporary subscription lives only as long as the process that registered it. A permanent subscription is stored in the WMI repository in the root\subscription namespace and is made of three objects: an __EventFilter (a WQL query describing the event), an __EventConsumer (what to do when the event fires, for example a CommandLineEventConsumer that runs a command or an ActiveScriptEventConsumer that runs VBScript or JScript), and a __FilterToConsumerBinding that ties the two together. WMI itself evaluates the filter and runs the consumer, no client process needs to stay alive.
A permanent subscription is a powerful tool that can be abused by attackers to achieve persistence in the target environment. The attacker creates a filter for an event that is sure to recur, such as a user logging on, a particular process starting, the system having been up for a few minutes, or a new user account being created, and binds it to a consumer that launches the payload. Nothing is sent to the attacker; instead, whenever the event occurs WMI executes the consumer locally, and the payload re-establishes the attacker's access. The payload can be a backdoor, a remote access tool, a PowerShell download cradle, or any other malicious software that enables the attacker to maintain access to the system.
The technique is effective because it is hard to spot and survives system reboots: the filter, consumer and binding are stored in the WMI repository on disk (OBJECTS.DATA), not in a Run key, a scheduled task or a service, so the usual autostart checks do not show it, and a payload kept in the consumer's command line or script text leaves no separate file on disk. The consumer is executed by the WMI Provider Host (WmiPrvSE.exe, or scrcons.exe for script consumers) as SYSTEM, so the payload runs with high privilege regardless of which user is logged on. The trade-off is that creating objects in root\subscription requires administrative rights, so the technique is a post-exploitation step after privilege escalation, not a way around it.
To demonstrate the use of a WMI subscription for achieving persistence, consider the following scenario. An attacker gains administrative access to a target system through a spear-phishing attack and wants to establish persistence in the target environment. The attacker creates an __EventFilter that matches the creation of a new user account, a CommandLineEventConsumer that launches a backdoor, and the binding between them. Whenever a new account is created, WMI fires the event and runs the consumer as SYSTEM, which re-installs the backdoor. The attacker keeps access even if the original phishing session is lost or the account used for the initial access is deleted.
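The scenario above, written out as an added PowerShell example rather than code from the wiki. It creates the three objects of a permanent subscription with a deliberately harmless consumer (appending a line to a log file) so it can be tried on a lab machine; the object names and the log path are arbitrary choices for the demo. It must be run elevated in Windows PowerShell 5.1, because the WMI cmdlets (Set-WmiInstance and friends) are not available in PowerShell 7.

```powershell
# Added example (not from the original page): permanent WMI event subscription
# that fires when a new local user account appears. Run elevated in Windows
# PowerShell 5.1. Names and the log path are demo assumptions.

$ns = 'root\subscription'

# 1. __EventFilter: the trigger. Win32_UserAccount has no native event provider,
#    so WMI polls it (WITHIN 60 = every 60 seconds) and raises
#    __InstanceCreationEvent when a new instance shows up.
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'DemoUserCreatedFilter'
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_UserAccount'"
}

# 2. CommandLineEventConsumer: what runs when the filter matches. WmiPrvSE.exe
#    launches it as SYSTEM. An attacker would put the backdoor launcher here;
#    this demo only appends a line to a log file.
$consumer = Set-WmiInstance -Namespace $ns -Class CommandLineEventConsumer -Arguments @{
    Name                = 'DemoUserCreatedConsumer'
    CommandLineTemplate = 'cmd.exe /c echo new account detected >> C:\Windows\Temp\wmi_demo.log'
}

# 3. __FilterToConsumerBinding: ties filter to consumer. The subscription is
#    only active once this exists, and all three objects persist in the WMI
#    repository across reboots.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}

# To exercise it: create a throwaway account, wait longer than the polling
# interval, then read the log and clean up the account.
#   New-LocalUser -Name 'wmidemo' -NoPassword
#   Start-Sleep -Seconds 70; Get-Content C:\Windows\Temp\wmi_demo.log
#   Remove-LocalUser -Name 'wmidemo'
```

Two points worth noticing when adapting this: the WITHIN clause is required for intrinsic events like __InstanceCreationEvent (WMI has to poll), and a short interval makes the polling itself visible as WmiPrvSE.exe CPU load; and because the consumer runs as SYSTEM, a payload placed in CommandLineTemplate never needs the attacker's original credentials again.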
There are several tools and frameworks available to attackers that automate this, such as Metasploit (the exploit/windows/local/wmi_persistence module), PowerSploit and WMImplant. These provide pre-built scripts and modules that create the filter, consumer and binding for a chosen trigger and payload. For example, in PowerSploit's Persistence module, New-ElevatedPersistenceOption -PermanentWMI produces a permanent-subscription option that Add-Persistence then turns into a self-installing script.
Defending against WMI subscription abuse can be challenging, as WMI is an essential part of the Windows operating system and disabling it breaks management tooling. However, several practices reduce the risk. Monitor subscription activity: Sysmon event IDs 19, 20 and 21 record the creation of filters, consumers and bindings, and the Microsoft-Windows-WMI-Activity/Operational log records new permanent consumer bindings as event ID 5861 on Windows 10 and Server 2016 and later. Periodically enumerate root\subscription and compare against a known-good baseline (a clean Windows install carries only the SCM Event Log Filter / SCM Event Log Consumer pair). Limit who can create subscriptions by limiting local administrator rights, since writing to root\subscription requires them, and alert on WmiPrvSE.exe or scrcons.exe spawning command shells or script hosts.
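The hunting and cleanup side of the practices above, as an added PowerShell example that is not part of the wiki page. It enumerates the subscription objects, pulls the relevant audit events, and removes a subscription by name; the names DemoUserCreatedFilter and DemoUserCreatedConsumer are the demo assumptions used on this page and should be replaced with whatever the enumeration turns up. Run elevated in Windows PowerShell 5.1.

```powershell
# Added example (not from the original page): enumerate, audit and remove
# permanent WMI subscriptions. Run elevated in Windows PowerShell 5.1.

$ns = 'root\subscription'

# 1. List the three object types. Expected on a clean box: only the
#    'SCM Event Log Filter' / 'SCM Event Log Consumer' pair. Look hard at any
#    CommandLineEventConsumer or ActiveScriptEventConsumer instance.
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, Query
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    Select-Object Name, __CLASS, CommandLineTemplate, ScriptingEngine, ScriptText
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# 2. Audit trail. Event 5861 in the WMI-Activity log records each new
#    permanent consumer binding; Sysmon 19/20/21 record filter, consumer and
#    binding creation. Either log may be absent, hence SilentlyContinue.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 3. Remove a suspicious subscription: binding first, then filter, then
#    consumer. The binding's Filter property is a reference string that
#    contains the filter name, so a regex match on it finds the right one.
$suspectFilter   = 'DemoUserCreatedFilter'     # assumption: demo name from this page
$suspectConsumer = 'DemoUserCreatedConsumer'   # assumption: demo name from this page

Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -match $suspectFilter } |
    Remove-WmiObject
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$suspectFilter'" |
    Remove-WmiObject
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='$suspectConsumer'" |
    Remove-WmiObject
```

Before deleting anything, capture the consumer's CommandLineTemplate or ScriptText: that is where the payload lives, and it is usually the most useful artefact for understanding what the attacker was running.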
In conclusion, the permanent WMI event subscription is a powerful technique that attackers use to achieve persistence in the target environment. It abuses a legitimate feature of the Windows operating system: a filter describing a recurring event is bound to a consumer, and WMI itself runs that consumer as SYSTEM every time the event occurs, with the whole construction stored in the WMI repository rather than in any conventional autostart location. Attackers use the consumer to execute a payload that re-establishes their access. Defending against WMI-Subscription attacks