Lateral Movement via WMI Event Subscription
Last updated
Last updated
This is a quick lab to familiariaze with a lateral movement technique using WMI events, as described in @domchell aricle I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription - go check it out for more details, including detection ideas.
See my other lab related to persistence using WMI events:
The below C# code for WMI events based lateral movement does a couple of things:
Once connect
method is called, a couple of connections from the attacking machine (top right) are initiated to the target machine 192.168.56.105
(bottom right) over port TCP 135 (traffic receiver is svchost.exe as it's hosting the RPC service through which we are communicating):
After the code has executed, it will have created the WMI event filters, consumers and bind them on the target host 192.168.56.105
.
On the target host, we can check if the said filters and consumers were created like so:
Below shows output of the evilSpotlessFilter
WMI filter we created on the target system:
Below shows the WMI events based lateral movement technique in action:
On the left, we compile and run the code that creates WMI event filters, consumers and binds them together
In the top right corner - ther is a ProcMon that is set to capture when a new mspaint.exe
process starts. In our case, it should start once there is a new logon session created on the system (remember, because of the evilSpotlessFilter
)
In the bottom right corner there is a powershell console initiating a new logon session with runas.exe
. Once the authentication succeeds, a new logon session is created, cmd.exe is spawned and the WMI event filter evilSpotlessFilter
is triggered and WMI event consumer evilSpotlessConsumer
kicks off the mspaint.exe
:
Line
Action
29 - 33
Connects to the remote endpoint 192.168.56.105
using local admin credentials spotless:123456
33 - 46
Creates a new WMI filter evilSpotlessFilter
on 192.168.56.105
.
It will get triggered when a new logon session is created on 192.168.56.105
49 - 52
Creates a WMI consumer evilSpotlessConsumer
on 192.168.56.105
.
This consumer executes mspaint.exe
on 192.168.56.105
, when the filter evilSpotlessFilter
is triggered (upon new logon session creation)
55 - 58
WMI filter evilSpotlessFilter
and WMI consumer evilSpotlessConsumer
are bound. In layman's terms, the system 192.168.56.105
is instructed to DEFINITELY fire mspaint.exe
on each new logon session that is created on the system.