T1546.003 Windows Management Instrumentation Event Subscription
Sub-technique of T1546
Tactics: Privilege Escalation, Persistence
Platforms: Windows
ATT&CK version: 14.1
What it is
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Managed Object Format (MOF) files (.mof extension) that can be used to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe), which runs as SYSTEM, so the consumer's payload may execute with SYSTEM privileges.
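A permanent subscription is always three objects in the root\subscription namespace: an __EventFilter (the WQL trigger), an __EventConsumer (the action) and a __FilterToConsumerBinding tying them together. The script below, added here as a defender-side example and not part of the ATT&CK page, enumerates those triples so they can be compared against a known baseline, and removes one on request. The function names Get-PermanentWmiSubscription, Remove-PermanentWmiSubscription and Get-RefName are my own; Get-CimInstance, Remove-CimInstance and the class names are standard Windows (PowerShell 3 or later).

```powershell
# Added example (not from the ATT&CK page): list permanent WMI event subscriptions
# as filter -> consumer pairs with the consumer's payload, then optionally remove one.
# Listing needs only read access to root\subscription; removal needs administrator rights.

function Get-RefName {
    # Binding properties are CIM references. Depending on the PowerShell/CIM version they
    # surface either as CimInstance objects carrying the Name key or as object-path strings
    # such as \\.\root\subscription:__EventFilter.Name="SCM Event Log Filter".
    param($Ref)
    if ($Ref -is [string]) {
        return ([regex]::Match($Ref, 'Name="([^"]*)"')).Groups[1].Value
    }
    return $Ref.Name
}

function Get-PermanentWmiSubscription {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    $filters   = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        $cClass = if ($c) { $c.CimClass.CimClassName } else { 'MISSING' }

        # The payload lives in the consumer; which property holds it depends on its class.
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }

        [PSCustomObject]@{
            Binding       = "$fName -> $cName"
            FilterQuery   = if ($f) { $f.Query } else { 'MISSING' }
            ConsumerClass = $cClass
            Payload       = $payload
            # Command-line and script consumers run arbitrary code as SYSTEM under
            # WmiPrvSe.exe; any such binding outside the baseline deserves review.
            ExecutesCode  = $cClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

function Remove-PermanentWmiSubscription {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName,
        [string]$Namespace = 'root\subscription'
    )
    # Drop the binding first so the filter and consumer are no longer wired together,
    # then the two endpoints. Matching is done client-side to avoid WQL quoting issues.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName -and (Get-RefName $_.Consumer) -eq $ConsumerName } |
        Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-CimInstance
}

# Usage: review the table, then remove an unwanted entry by its filter and consumer names.
Get-PermanentWmiSubscription | Format-Table -AutoSize
# Remove-PermanentWmiSubscription -FilterName '<filter name>' -ConsumerName '<consumer name>' -WhatIf
```

Expect at least one benign entry on a stock Windows install (Windows registers an NTEventLogEventConsumer for Service Control Manager events, typically named "SCM Event Log Consumer"); the point of the baseline is to make everything else stand out, especially CommandLineEventConsumer and ActiveScriptEventConsumer instances. For continuous detection rather than point-in-time hunting, the same three object creations are logged as Sysmon events 19, 20 and 21 and, on Windows 10 and later, as event 5861 in the Microsoft-Windows-WMI-Activity/Operational log.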
References
- https://attack.mitre.org/techniques/T1546/003
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- https://www.secureworks.com/blog/wmi-persistence
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
- https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
- https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1
- https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1
- https://technet.microsoft.com/en-us/sysinternals/bb963902
- https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-