
Basic Offensive Application of MOF Files in WMI Scripting

BSides Charm · 2018 · 17:51 · 161 views · Published 2021-05
About this talk
An introduction to MOF (Managed Object Format) files and Windows Management Instrumentation (WMI) for offensive applications. The talk covers WMI architecture, event filters and consumers, and demonstrates persistence techniques that run with system privileges, including practical examples of logging, reverse shells, and process hijacking.
Original YouTube description
A basic introduction on how to use MOF files and the Windows Management Instrumentation (WMI) database to alter how programs execute and implement your own processes. Join us for a walkthrough of MOF design and an overview of the vulnerabilities presented by the WMI database. Finally, learn how the hardest part of using MOF files is making yourself known to the user.

Presenters: Devon Bordonaro, Connor Gephart, and Sam Ruthenberg

Devon Bordonaro is a senior undergraduate student at Towson University. He is studying Computer Science with a concentration in Computer Security. He joined the Towson University Cyber Defense Team this year to learn as much as possible about offensive and defensive tactics in cyber operations. He hopes to gain as much knowledge about the cybersecurity world as possible, with the hope of a career in cyber operations, incident response, or vulnerability assessment. He is currently a Student Manager at his job with Student Computing Services at Towson University, responsible for supervising over 20 student employees as well as troubleshooting various computer issues for students. In his free time he enjoys playing a variety of online video games and rhythm games.

Connor Gephart is a sophomore at Towson University studying Computer Science and Mathematics with a track in Cyber Security. He joined Towson's Collegiate Cyber Defense Competition team this year to learn more about cyber security and its applications. He is currently a co-op with UPS, helping to transition the company to DevOps, working with software such as Docker, Maven, and Ansible. He enjoys playing video games and playing a variety of role-playing and board games.

Sam Ruthenberg is a senior at Towson University majoring in Computer Science with the cyber security track. During his time at the university he worked with fellow students in research and in growing their cyber security knowledge. He has interned with the Navy, and worked on cyber tools and testing with avionic platforms. He has an interest in enterprise security, and how security will change in the future.
Transcript [en]

So this is Basic Offensive Applications of MOF Files in WMI Scripting. I am Sam Ruthenberg, this is Devon Bordonaro and Connor Gephart. We're all students at Towson University, represent, I see a little row. Devon and I are seniors, Connor's a sophomore. We're all comp sci majors studying cyber security, and we kind of did this project as a little side thing to be more familiar with some newer applications of Windows and try to test out some new offensive applications of a really powerful tool called WMI, which we hope to kind of introduce you guys to and see if you guys can come up with your own MOF files to

hack your friends. So, but first, what is the Windows Management Instrumentation, or WMI? You all have it in your Windows computers at home. It's how a lot of the Windows operating system is going to be working in the background. One of the most common applications of something like this, and most of you have probably seen it, is when your battery gets kind of low, like 15%, you see a little pop-up show up. That's kind of what WMI is doing: it's monitoring the Windows system in the background, and it's going to check things like hardware, so like what CPU usage, what's my battery percentage; software, so like what processes are running, how I should handle those processes

running, how I should handle hardware changes in the state. So it's really just Windows monitoring itself and being able to respond to certain events happening on the computer. So then, what is the WMI database? It's really intuitive and great, as you can see in the little photo: that is the WMI database, really great to view, you can really understand what's going on there, right? Like, right? No, you can't. It's five files you can't open with anything pre-installed on Windows; you need outside software, not installed, to just view anything going on. So as a normal user, or even as an advanced user, it's very hard to understand and know what WMI objects are saved in

your operating system. So, but what is in that database? There are namespaces and sub-namespaces. So we use a lot of the ones in the root, so it's the root namespace, and then underneath that we're in the cimv2 sub-namespace, and then inside of that there are classes. So we have event filters and consumers; these are going to be kind of like your function calls in a normal program, so you're going to be able to use these functions in a namespace to create new events that you can use to personalize your computer or, in our case, do some malicious activity. All right, so obviously it's not the most

intuitive of programs that Windows has ever created, so to interact with it there's a couple of different ways. One of them is through the wmic command from the command line. You can specify stuff like, in this example, our namespace is root\subscription, we're looking for event filters where their names are "start filter process", and we're trying to delete that, so this would remove an object from the database. You could add, you can list all the ones that are in a certain namespace, you can really do whatever you want with these commands, but they're kind of clunky. So a better way to do it would be with a MOF file, or Managed Object Format file.

So it's a file specifically made to interact with the WMI database. It's basically a text file form of the wmic command, but a little better: it's more programming oriented, so it's easier to use, I'd say. You can also insert different scripts in it, written in languages like C, C#, Java, Python, et cetera. So you store these files wherever you want on the system and use the command mofcomp to compile them. But there's a big distinction here: MOF files don't run like normal programs. They just add stuff to the database whenever it's run, and then the database handles anything that happens when those objects are needed. So these files

just kind of exist, but they don't need to run anything; they're not a process that's running after they're compiled. So in these files you have events or consumers, which Devon's about to tell you about right now. So you have events, and events, you know, you've kind of heard of them before; it's going to be anything that happens on the system, pretty much. So you have tons of events. It could be things like the user runs a process, or the user logs in, or a file gets accessed, or the user Bob fails to log in because he gets his password wrong, or your battery hits 15% like we said. So there's a lot of events, and

these event filters are going to keep track of that and kind of log when it happens, and when it does happen we have things called consumers that will tell it what to do. Right here we have an example of an event filter that we used. This is just a pretty basic one; it's going to check the process start trace for any process named, or that contains, procexp, so Sysinternals Process Explorer is what we're using here. And here's the consumer. So the consumer is going to be how the system responds to that event, so when the event happens it's going to say, all right, do this. So this is one that we used; this is just

saying when procexp is run, kill it. We used a command line template; there's an active script template, there's log templates, there's a lot of different templates for various usages, but we used a command line shell, so that is what we used. The part that ties it all together is going to be a filter-to-consumer binding, and this is just to tie the event to the consumer so that it knows when this event occurs, do this. You can have multiple consumers for one event, so when one event occurs you could do many, many different consumers. But on to some more fun stuff: we have a demo to show you kind of how

you can use these tools for, you know, useful things but also malicious things as well. So let's get into it. I'm going to put this here. All right, so we talked about how wmic is the command line tool to use the database and kind of view it and edit it, but it's not very intuitive; you know, you have to know a lot of command line and it's a little clunky. So they have a GUI-based application called WMI Explorer, and it's used to administer the database. As you can see, you have your namespaces that we talked about, and then you have your sub-namespaces, and then you have your classes that we

talked about, instances, and then the content of that instance. It's still not very user friendly; you have to know what you're looking for if you want to use this. It's kind of like the registry: you don't want to pick around in here, you might break some stuff. Also it's not installed by default on Windows, so again, if you don't have this it's not very useful for you. So one of the uses we talked about would be logging. That'd be the biggest use people would use it for. So a user opens a file, you want to log that, you want to see when someone's opening a file. So one of the examples we had, which I'm

going to show you really fast, is a pretty basic MOF file. It's kind of long, but it's a little clunky. So this is basically saying, actually I'm going to go down here to the event filter. This is the event filter, almost the exact same as the one we had in the slides, except this one's using PowerShell. So when PowerShell is run it's going to log that, and then the consumer is saying up here, again it's a little long, but the consumer is saying when PowerShell is run, do this. So this is making a file called log process, and it's going to write to that file saying PowerShell was started at this time, it has this process ID,

and this is the parent process ID, and then it also does the exact same thing when it stops. So you know when the user is starting the process, ending the process. So you want to know, maybe your employee is using PowerShell, they shouldn't be using it, you want to know when they used it, when they stopped, what they did. We didn't track it by username, but you could do that. So just to show how that's working, I'm going to go ahead and compile that. All right, so that's been compiled. When I go ahead and open up PowerShell, you're going to see it's running now, a little log process text file was created and it's going to say when the process

was started with the ID and the parent ID. Now if I go ahead and close it, I'm going to also have to close this, because Notepad, that's going to say when it was stopped, and parent PID is zero because the process is dead, there is no parent. So this is kind of just how you would, using it in a non-malicious sense, log and see what's going on in the system. But we also have some more malicious ways you can use it, and Sam's going to talk about that. So how many of you guys have been in the scenario: you're hacking your friend and you use privilege escalation and you get SYSTEM, and then you're like, you know

what, this guy keeps killing my SYSTEM shell and I don't like that, I don't want to keep killing my shells. It happens to me too, everyone, but don't worry, there's a way to solve it. It's a problem that plagues a nation. So I will open up this one. So this was just called p-test, and this is a very simple MOF file as well. So it's just two parts, because you want the shell to start when the user logs on, because, you know, when your friends log on you always want to have SYSTEM on all the time. So whenever they're going to log on, the event filter is going

to check the process stop there; it's going to check the instance creation event of a Win32 logon session. So when that instance happens it will then trigger the consumer, that's going to then call your shell program that you just hid somewhere in the file system, and because it's Windows they're never going to find that in the file system; you just bury that thing deep. Because it's WMI, even if you hide it somewhere, running as SYSTEM, WMI will always be SYSTEM, so any process that WMI is going to call will have SYSTEM level privileges, which we can show. So if we just mofcomp

and spell it right, that will then store it as well. And because these MOF files aren't a process, you know, they're part of the operating system itself, when the computer restarts or isn't turned on for a week the process will always be running, because it's not really a process, it's more part of the operating system at this point. So, you know, they're not going to see a process that's calling back, that's going to start the shell up when it's logged on; it's not going to be showing up, and they're like, programs aren't in start file, because it's not a process, it's more the operating system itself that's doing these things. So now when I log off, my little friendly

shell program is going to be called, and then on the command and control module on the Kali system you're going to now have a shell that's calling out to you, and you can just restart your handler and you'll be able to get right in.

They have to be able to log in first, that's key.

So now after I logged in, you'll see a friendly little program called free ram running. I'll give you, and it's not actually free ram running right there. And now, as you see, if I try to kill this process tree, I can't, I don't have access; that's higher privilege than I am right now, because it's just running as SYSTEM, because WMI called that process. So then on the Kali system, I know, see if I can do that, these passwords are the same.

All I have to do is, I'm going to restart my handler, it's then going to connect to that, I now have a shell. So in sessions, there you go, I am NT Authority SYSTEM. I can now go into this on a reverse TCP, a Meterpreter, I can do whatever I want, I run this system at this point. So it's just a new way that you can really set persistence on a system in an inventive way that a user might not be looking for, because it's not going to be a normal process in process start. And even more fun, if they just, you know, be admin, in case your user gets smart and they realize

that free ram might not actually be free ram, somehow, we don't know how, and they kill the process, it just comes right back. So this kind of persistence will just always be there; there's going to be two on. And as a normal user, unless you go in the MOF and you remove that file, or you find the file that's giving that persistence, you're not going to be able to remove this off the system. So it's a new way you can get persistence on all your friends, so when they log in you can be SYSTEM and just do whatever you want. And Connor will show you our true goal. Okay, so yeah, like, you can hack your

friends and get persistence, whatever, but I really just want to make fun of them, you know, be like, ha, hacked you, leet skills. So when we were first assigned, not assigned, but when we first started this, a professor asked us, he was like, hey, you guys should figure out a way so that whenever Process Explorer is run it immediately quits and then it puts up a picture of the Marshmallow Man from Ghostbusters and it says, there is no Process Explorer, only Zuul. And we were like, yo, that sounds awesome, I would love to do that to my friends. But it turns out it's very, very difficult to be overt

using the WMI database, because as Sam said it all runs as SYSTEM. So we'd start the process with the picture popping up and it would be in the background; because it's running as SYSTEM the user would never see it. So we were like, well, this is kind of dumb; I mean, sure, it works, but you can't see it, it's not cool. So we came up with a better solution, which I will demonstrate currently, and it's a surprise. So two moments for me to compile this file.

So we have this wonderful, fun death.mof file. So now I'm going to just try and run Process Explorer, because I want to see what processes are running. Oh no, it immediately died. What, that's not supposed to... my bad.

Nothing ever works the first time, I guess.

That's a bummer.

So it turns out that the HDMI cord is accepting the volume but there is no speaker attached to this projector, so we can demonstrate the meme; we could unplug this by unplugging the HDMI and you won't be able to see it, but you've seen it kills Process Explorer and then after it

thing, because it says SYSTEM, the user's like, please make this noise stop, it's running two instances, help, I'm going to shut it down, it just keeps going and going until the computer is completely shut off. The user's like, oh no, help. And this again will still be there if they try and run Process Explorer when they turn it back on; tough luck, you get more Rick Astley, Never Gonna Give You Up. We had a great time doing this project. It was a lot of fun, a lot of hard coding, you know, many issues, as you can see, but it was really a great learning experience and I'm really happy that we

did it, and now you all know how to meme your friends with Never Gonna Give You Up all the time. Thank you very much.

Any questions? Yeah, yeah, yes.
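The check a defender would want after this talk is to see what a mofcomp run has actually left behind. The following PowerShell audit is an added example, not code from the talk or its authors: it lists the __EventFilter, consumer and __FilterToConsumerBinding objects in root\subscription, which is where both the PowerShell logger and the logon-triggered shell demonstrated above would appear. It is read-only and assumes an elevated Windows PowerShell 5.1 prompt; the class and property names are standard WMI ones.

```powershell
# Added example, not from the talk: read-only audit of permanent WMI event
# subscriptions in root\subscription. The triple the talk builds from a MOF file
# (__EventFilter -> __FilterToConsumerBinding -> consumer) is exactly what shows
# up here, whether it is the PowerShell logger or the logon-triggered shell.
# Run from an elevated Windows PowerShell 5.1 prompt; nothing is modified.
$ns = 'root\subscription'

Write-Output '== Event filters (what is being watched) =='
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, Query | Format-List

Write-Output '== Event consumers (what runs when a filter fires) =='
# __EventConsumer is the abstract base class, so querying it returns every
# concrete consumer type (CommandLineEventConsumer, ActiveScriptEventConsumer,
# LogFileEventConsumer, ...). The property holding the action differs per type.
Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object {
    $c = $_   # capture first: inside 'switch', $_ refers to the switch value
    $action = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        'LogFileEventConsumer'      { $c.Filename }
        default                     { '(inspect full object)' }
    }
    [pscustomobject]@{ Name = $c.Name; Type = $c.__CLASS; Action = $action }
} | Format-List

Write-Output '== Bindings (which filter triggers which consumer) =='
# Filter and Consumer are object paths such as __EventFilter.Name="<filter name>"
# and CommandLineEventConsumer.Name="<consumer name>", so each pairing is
# readable as text without resolving the references.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-Table -AutoSize
```

A CommandLineEventConsumer or ActiveScriptEventConsumer bound to a process-start or logon-session filter is the pattern to look at first; a LogFileEventConsumer like the talk's logging example only writes a file.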