科技回声
A technology news platform built on Next.js, serving global technology news and discussion.
© 2025 科技回声. All rights reserved.

Proof of concept WMI virus (zero-day)

69 points by alberto-m, 3 months ago

8 comments

kachapopopow, 3 months ago
Ah, good to know that there are people still making a complete mockery of Windows even now.

Do note that VBS mitigates a majority of 'buffer overflow' exploits and Microsoft has historically shown to brush off these vulnerabilities, so that 100k bounty is pretty far fetched.

Any WMI operation does touch the disk (because it's a database), but similar to any other kind of database they're mixed with writes that happen in a normal environment and are not really possible to tell apart from malicious applications.

WMI requires administrator privileges to write, so the privilege escalation is not that interesting except in limited environments (and Microsoft has also shown in the past that they don't care about these), which is fair considering you can't call 'sudo' a security vulnerability.
alberto-m, 3 months ago
From a Reddit comment [1]: "the repo contains two novel and different ways to run any process as the SYSTEM user. It also disables every antivirus through a novel process privilege deescalation exploit"

[1] https://old.reddit.com/r/ReverseEngineering/comments/1icgfua/got_bored_reversed_the_wmi_made_a_novel_virus/
Almondsetat, 3 months ago
Quoting the README: "The WMI is an extension of the Windows Driver Model. It's a CIM interface that provides all kinds of information about the system hardware, and provides for a lot of the core functionality in Windows. For example, when you create a startup registry key for an application, that's really acting on the WMI at boot."
EvanAnderson, 3 months ago
Persistence inside the WMI database is fun. There was a good talk about this at DerbyCon [0] years ago. I think it has gotten more press since several APT groups were using it, but it still isn't a well-known persistence mechanism.

[0] https://www.irongeek.com/i.php?page=videos/derbycon5/break-me12-whymi-so-sexy-wmi-attacks-real-time-defense-and-advanced-forensic-analysis-matt-graeber-willi-ballenthin-claudiu-teodorescu
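The two comments above touch on the defender-relevant facts about WMI: the repository is a database on disk (under %SystemRoot%\System32\wbem\Repository, with OBJECTS.DATA holding the class and instance data), and permanent event subscriptions stored in it (an __EventFilter bound to an __EventConsumer by a __FilterToConsumerBinding in root\subscription) are the persistence mechanism the DerbyCon talk covers. The script below is an added example written for this page, not code from the thread or from the repository being discussed. It lists the on-disk repository files with their modification times, then enumerates every live binding and flags the consumer classes that execute code (CommandLineEventConsumer and ActiveScriptEventConsumer). The class names, property names and repository path are standard Windows ones; the function names are my own. It needs an elevated PowerShell prompt to read root\subscription fully.

```powershell
# Added example, not from the thread or the repository it discusses.
# Defender-side enumeration of permanent WMI event subscriptions plus the
# on-disk repository files. Run from an elevated prompt.

function Get-WmiRepositoryFiles {
    # Standard location of the WMI repository. OBJECTS.DATA holds class and
    # instance data, so its LastWriteTime moves on any repository write.
    $repo = Join-Path $env:SystemRoot 'System32\wbem\Repository'
    Get-ChildItem -Path $repo -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime
}

function Resolve-RefName {
    # Reference properties on a binding come back as CimInstance objects from
    # Get-CimInstance but as path strings (__EventFilter.Name="x") from
    # Get-WmiObject; handle both so the helper works with either cmdlet.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiPersistence {
    param([string]$Namespace = 'root\subscription')

    # __EventFilter: the WQL query that decides WHEN a subscription fires.
    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue)
    # __EventConsumer: WHAT runs. Querying the base class returns every derived
    # consumer instance; CimClass.CimClassName tells us which kind each one is.
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    # __FilterToConsumerBinding: the link that makes a filter/consumer pair live.
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $filterName   = Resolve-RefName $b.Filter
        $consumerName = Resolve-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        $query         = if ($f) { $f.Query } else { 'unresolved' }
        $consumerClass = if ($c) { $c.CimClass.CimClassName } else { 'unresolved' }

        # Only two consumer types carry an executable payload; surface it so the
        # analyst sees the command or script text without a second query.
        $payload = switch ($consumerClass) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }

        [pscustomobject]@{
            Filter        = $filterName
            Query         = $query
            Consumer      = $consumerName
            ConsumerClass = $consumerClass
            Payload       = $payload
            # A code-executing consumer bound to a live filter is what to triage first.
            Suspicious    = $consumerClass -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

Write-Host '== WMI repository files on disk =='
Get-WmiRepositoryFiles | Format-Table -AutoSize

Write-Host '== Permanent event subscriptions in root\subscription =='
Get-WmiPersistence | Format-List
```

A stock Windows install typically shows one binding (the "SCM Event Log Consumer", an NTEventLogEventConsumer), which the script reports with Suspicious = False; anything with a CommandLineEventConsumer or ActiveScriptEventConsumer, or a filter query watching for boot or logon events, deserves a closer look. Because the repository is a single database, the file timestamps alone cannot say which write was malicious, which is exactly kachapopopow's point; the binding enumeration is what turns a repository write into something reviewable.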
ComputerGuru, 3 months ago
The real value in this: a new way to more easily disable Windows Defender on Windows 11.
jolfosh, 3 months ago
The fact that so many critical infrastructure systems still depend on Windows is absurd (I say from my Windows machine). Great find! Thank you for sharing.
ptx, 3 months ago
So where is the data actually stored if it "never touches the disk"? Is it some UEFI or BIOS thing?
NetOpWibby, 3 months ago
I wonder why this person didn’t submit this to Microsoft for a billion dollars.