List the WMI providers in the system.
It is possible to laterally move by installing a fake provider in the system, and then calling it remotely. This artifact enumerates all WMI providers and recovers the binary that runs when loaded.
Test using https://github.com/Cybereason/Invoke-WMILM (Will run as SYSTEM)
Invoke-WMILM -Target localhost -Type Provider -Name notepad -Username test -Password test -Command notepad.exe
name: Windows.System.WMIProviders
description: |
List the WMI providers in the system.
It is possible to laterally move by installing a fake provider in the system, and then calling
it remotely. This artifact enumerates all WMI providers and recovers the binary that runs when
loaded.
Test using https://github.com/Cybereason/Invoke-WMILM (Will run as SYSTEM)
```
Invoke-WMILM -Target localhost -Type Provider -Name notepad -Username test -Password test -Command notepad.exe
```
reference:
- https://www.cybereason.com/blog/wmi-lateral-movement-win32
type: CLIENT
parameters:
- name: BinaryIncludeRegex
default: .
type: regex
- name: BinaryExcludeRegex
type: regex
- name: ServerTypeRegex
type: regex
description: Only show these WMI provider types (e.g. LocalServer)
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET Hits = SELECT CLSID, Name, {
SELECT Data.value AS Binary, basename(path=dirname(path=FullPath)) AS ServerType
FROM glob(globs="/*Server*/@", root='''HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\''' + CLSID, accessor="reg")
WHERE CLSID
limit 1
} AS Details
FROM wmi(query="Select * from __Win32Provider ")
SELECT CLSID, Name, Details.ServerType AS ServerType, Details.Binary AS BinaryPath
FROM Hits
WHERE ServerType =~ ServerTypeRegex
AND BinaryPath =~ BinaryIncludeRegex
AND if(condition=BinaryExcludeRegex,
then=NOT BinaryPath =~ BinaryExcludeRegex,
else=TRUE)