What is WMI Persistence Attack and How to detect them using PowerShell?

A Windows Management Instrumentation (WMI) is a powerful feature in Windows, and it’s a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification. WMI allows for the management of data and operations on Windows-based operating systems, providing a standardized way for systems, applications, and network resources to interact with one another.

Since it’s a Windows feature, malware authors are attempting to bypass its techniques by using native scripting languages like VBScript or PowerShell.

What is WMI Persistence Attack?

A WMI (Windows Management Instrumentation) persistence attack is a sophisticated type of cyber attack in which an attacker exploits WMI to maintain long-term access to a compromised system. As we know, WMI is a powerful Windows feature used for system management, allowing administrators to automate tasks and gather information about the operating system. 

However, attackers can also abuse these capabilities to achieve persistence, making their presence on the system more difficult to detect and remove. Let’s try to identify signs of WMI attack techniques using PowerShell.

How to Detect the WMI Attacks Using PowerShell?

• WMI Event Subscription Persistence
  Attackers may create permanent event subscriptions to maintain persistence on a system.

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter
Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding

Reference Output:

• Remote WMI Execution
  Attackers may use WMI to execute commands or scripts remotely.

Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational | Where-Object { $_.Id -eq 5858 -or $_.Id -eq 5860 }

• Suspicious WMI Processes
  Monitor for unusual processes being spawned through WMI.

Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4688 -and $_.Message -like "*wmiprvse.exe*" }

• WMI Class and Namespace Modifications
  Attackers may modify or create new WMI classes and namespaces.

Get-WmiObject -Namespace "root" -Class __Namespace
Get-WmiObject -Namespace "root\default" -Class __Class

• WMI Provider Host Activity
  Monitor the WMI provider host (wmiprvse.exe) for unusual activity.

Get-Process -Name wmiprvse | Select-Object -Property Id, ProcessName, CPU, StartTime

• WMI Filter Queries
  Look for unusual or complex WMI filter queries that may indicate malicious intent.

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter | Select-Object Name, Query

• WMI Consumer Scripts
  Identify suspicious scripts being executed by WMI consumers.

Get-WmiObject -Namespace "root\subscription" -Class CommandLineEventConsumer | Select-Object Name, CommandLineTemplate

When monitoring for WMI based attacks, several event IDs in Windows Event Logs can provide useful insights and indicators. Here are some event IDs commonly associated with WMI-based attacks:

Event ID 19: This event indicates a WMI service operation failure, which could be a sign of attempted exploitation or manipulation.
Event ID 20: Similar to Event ID 19, this event also signifies a WMI service operation failure, potentially indicating unauthorized access attempts or configurations.
Event ID 5861: This event logs WMI query execution failures, which may occur due to unauthorized or malicious queries.
Event ID 5862: This event indicates WMI filter activity, such as the creation or modification of filters, which could be indicative of attempts to manipulate WMI behavior.
Event ID 5857: This event indicates that a file failed a policy enforcement check.
Event ID 5858: Logs changes to WMI filters, which can help detect unauthorized modifications that might lead to malicious activities.
Event ID 4688: This event logs process creation, which can include instances where a malicious process attempts to abuse WMI for execution

Happy Hunting !!