WMI Commands


  • Get-WmiObject -Class Win32_Product
    • Gets a listing of all the installed software on a machine.
  • Get-WmiObject -Class Win32_Account
    • Gets a listing of all the user accounts.
  • Get-WmiObject -Class Win32_BIOS
    • Often used by malware to determine whether the host is a virtual machine.
  • Set up a remote Windows command
    • $command = 'ipconfig /all >> "c:\users\all users\desktop\results.txt"'
    • $cmd = "cmd.exe /c $command"
    • Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $cmd -ComputerName Desktopname
  • wmic /node:172.16.27.38 process call create "cmd.exe /c net user dude /add"
    • Uses WMIC to add a user on a remote machine.

Powershell Fun

  • Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList cmd.exe
  • Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="notepad.exe"}

One Attack Example

  1. From a PowerShell command prompt, the attacker launches WMIC with the intent of creating a process on the remote machine and adding a user to that remote machine.
    1. wmic /node:172.16.27.38 process call create "cmd.exe /c net user dude /add"
  2. On the remote machine, wmiprvse.exe receives the call and runs the commands. To find this attack in Carbon Black, use this search:
    1. process_name:cmd.exe AND parent_name:wmiprvse.exe AND childproc_name:net.exe AND cmdline:user
    2. Event IDs generated on the remote machine are:
      1. 4720; 4722; 4738; 4732
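Detection logic for the pattern above, as an added example (not part of the original notes): it mirrors the Carbon Black search over constructed process records and correlates each hit with the listed Security event IDs on the same host. The record field names, the sample hosts and timestamps, and the 60-second correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample process records (not real telemetry); field names mirror the CB search.
PROCESS_EVENTS = [
    {"host": "WS01", "time": "2024-01-01T10:00:00", "process_name": "cmd.exe",
     "parent_name": "wmiprvse.exe", "childproc_name": ["net.exe"],
     "cmdline": "cmd.exe /c net user dude /add"},
    {"host": "WS01", "time": "2024-01-01T09:00:00", "process_name": "cmd.exe",
     "parent_name": "explorer.exe", "childproc_name": ["ipconfig.exe"],
     "cmdline": "cmd.exe /c ipconfig /all"},          # ordinary interactive use
    {"host": "WS02", "time": "2024-01-01T11:00:00", "process_name": "cmd.exe",
     "parent_name": "wmiprvse.exe", "childproc_name": ["net.exe"],
     "cmdline": "cmd.exe /c net use"},                # WMI -> net.exe, but no "user" term
]

# Constructed Security-log records from the remote machine; IDs are the ones listed in the notes.
SECURITY_EVENTS = [
    {"host": "WS01", "time": "2024-01-01T10:00:02", "event_id": 4720},
    {"host": "WS01", "time": "2024-01-01T10:00:02", "event_id": 4722},
    {"host": "WS01", "time": "2024-01-01T10:00:03", "event_id": 4738},
    {"host": "WS01", "time": "2024-01-01T10:00:03", "event_id": 4732},
]

ACCOUNT_EVENT_IDS = {4720, 4722, 4738, 4732}

def matches_search(ev):
    """Same logic as the Carbon Black search: cmd.exe whose parent is wmiprvse.exe,
    which spawned net.exe with 'user' on the command line."""
    return (ev["process_name"].lower() == "cmd.exe"
            and ev["parent_name"].lower() == "wmiprvse.exe"
            and "net.exe" in (c.lower() for c in ev["childproc_name"])
            and "user" in ev["cmdline"].lower())

def correlate(proc_events, sec_events, window_seconds=60):
    """One alert per matching process, listing the account-management event IDs seen on
    the same host within window_seconds after it (assumed window, not from the notes)."""
    alerts = []
    for ev in filter(matches_search, proc_events):
        start = datetime.fromisoformat(ev["time"])
        end = start + timedelta(seconds=window_seconds)
        seen = {s["event_id"] for s in sec_events
                if s["host"] == ev["host"] and s["event_id"] in ACCOUNT_EVENT_IDS
                and start <= datetime.fromisoformat(s["time"]) <= end}
        alerts.append({"host": ev["host"], "cmdline": ev["cmdline"], "event_ids": sorted(seen)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, SECURITY_EVENTS):
        print(alert)
```

Only the WS01 record passes the search; the alert carries the four account-management IDs as corroboration, while an alert with an empty event_ids list would indicate the process match without any account change in the window.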