First of all, I would like to thank all of those who liked and retweeted the previous article from this series, BITS Jobs (T1197). I’m planning to continue working on this series and publish a post a week. This week I’m going to write about a persistence mechanism that became quite popular recently – WMI Event Subscription (T1084).
I think everybody at least heard about WMI or Windows Management Instrumentation. It’s used by malware and attackers quite often, for example, to gather information about the host. But, of course, that’s not all. It can also be used for execution (T1047), including remote, and thanks to Event Subscription feature – persistence (T1084).
So, what is WMI Event Subscription? It’s a mechanism that allow to permanently bind a specific action to a Windows event.
Such subscriptions consist of three elements:
- Event filter – a Windows event that will trigger an action
- Event consumer – specific action that will be triggered
- Filter to consimer binding – a mechanism, which binds event filter and event consumer, a Windows event to specific action.
Personally, I’ve seen this type of persistence mechanism “in-the-wild” during incident response to WannaMine infection. Of course, it’s not the only example. APT29’s POSHSPY backdoor used this technique as well to execute its PowerShell component every Monday, Tuesday, Thursday, Friday, and Saturday at 11:33 am local time. Another interesting examples are available at MITRE ATT&CK website.
But let’s get back to forensics, host-based forensics to be exact. Is information about such subscriptions stored somewhere? And the answer, of course, is yes!
There is a file called OBJECTS.DATA, which can be found under:
This file contains Common Information Model (CIM) repository where managed resource definitions are stored. But how we can find something useful? If you are brave enough, you can use strings, for example, “EventConsumer”:
Of course, there tools that can make your forensic life easier, for example, wmi-parser by Mark Woan:
If you prefer push-button forensics approach, there is an option for you too. For example, Belkasoft Evidence Center supports extracting data from OBJECTS.DATA as well:
As you can see, you can find evidence of WMI Event Subscription technique even during most-mortem host-based analysis. If you have techniques in mind you want to be covered next – ping me on Twitter!