WMI Subscription Utilization Analysis Summary
- Preface
This article summarizes some WMI practices, mainly the use of WMI event subscription to do a detailed analysis, I hope it can provide some help for your learning.
2. Overview
WMI (Windows Management Instrumentation) is a core Windows management technology that allows users to manage local and remote computers through WMI. Windows provides two available protocols for remote transfer of WMI data, Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM), which enables operations such as querying WMI objects, registering events, executing WMI class methods, and creating classes to be performed remotely.
When moving laterally, hacker can take advantage of the management capabilities provided by WMI to interact with and control the execution of various actions by local or remote hosts with the acquired user credentials.
There are two common ways to exploit this.
Remote execution by calling WMI’s class methods. For example, the Create method in the Win32_Process class creates a process on the remote host, and the Install method in the Win32_Product class installs a malicious MSI on the remote host.
Remotely deploy WMI event subscriptions to trigger an attack when a specific event occurs.
The following conditions are…
