• Quick Background• Malicious Possibilities• Real-World Examples• Detection & Defense

• Joe Slowik, Adversary Hunter• Current: Dragos Adversary Hunter• Previous:

• Los Alamos National Lab: IR Lead• US Navy: Information Warfare Officer• University of Chicago: Philosophy Drop-Out

• Scripting and interactive language• Introduced in 2006, integral to Win7+

since 2009• Full access to COM & WMI for system

administration

• WMI = Windows Management Instrumentation

• Interactive and scriptable framework for local and remote administration

• Frequently accessed via PowerShell

http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png

http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png

http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html

https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png

http://www.freeiconspng.com/img/17209

• PowerShell is a powerful, useful tool for network administration

• Widely used in Windows Enterprise environments

• WMI enables significant access to review and modify system data

• Access via PowerShell allows for scripting and automated possibilities

• PowerShell’s ubiquity adds a significant capability to potential attacker

• Enhances ability to ‘live off the land’• Expands initial infection vectors

Command Use

-EncodedCommand Accepts Base64-encoded input for execution within PowerShell

(New-Object System.New.Webclient).DownloadFile()

Download a file from a remote location; can be piped to Start-Process to execute

-ExecutionPolicy Bypass Circumvent system limits on script execution

-WindowStyle Hidden Hide the command window from the user

-Invoke-Expression Execute arbitrary code or commands

DeliveryVectors

VBA

VBS

BAT

JS

Registry

Startup.lnk

https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg

• WMI is also ubiquitous, potent ‘dual-use’• Can enable:• Complex exploitation, persistence of

infected host• New vectors to pivot within network

• PsExec-like remote execution• Malicious file/script storage• Persistence when combined with file or

registry activity

• Pentesting frameworks• Crimeware/Commodity malware• APT

• Malicious VBA decodes to PowerShell• Retrieves, then executes ransomware

payload

• WMI filter retrieved on schedule• Returns base64-encoded PowerShell• PowerShell re-launches backdoor

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png

CMD•Command

execution

•Execution Parameters

PowerShell• Interactive and

Scripts

• Flags, Modifiers, full Visibility

WMI• Log Events

• Correlate with Other Activity

What is required to

achieve ‘bad’?

Process Execution

PersistenceEncodeDecode

DownloadUpload

• Sysinternals Sysmon• Windows Loggging Service (WLS)• WMI Logging via WMI Subscription• PowerShell Logging• Proprietary Host-based Security

• WLS incorporates PowerShell logging natively• Otherwise:

• Windows 7+• Powershell 5.0+• Enable logging!

• See: • https://www.fireeye.com/blog/threat-

research/2016/02/greater_visibilityt.html

• Sysinternals Sysmon – latest version includes WMI visibility• But logging/alerting will need to be

tuned• DIY via WMI Subscription creation• Otherwise – commercial products

Establish Visibility

Baseline ‘Normal’

Identify Malicious

Create Alerts & Alarms

Develop Response

• What PowerShell/WMI scripts are used in ‘normal’ network administration?

• What commands never have legitimate use?

• What – if any – items require whitelisting?

wmic /node:REMOTESYSTEM process call create “EVIL_COMMAND”

SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE “%VMware%”

$BADTHING=New-ObjectManagement.ManagementClass($REMOTESYSTEM,

[String]::Empty,$null)

$BADTHING[‘__CLASS’]=’Evil_Malware’

$BADTHING.Properties.Add(‘SomethingEvil’,[Management.CimType]

::String,$False)

$BADTHING.Properties[‘SomethingEvil’].Value =$PAYLOAD

$EvilClass.Put()

• Create Event Consumer: performs action when triggered by event

• Pair with Event Filter: events of interest• Filter to Consumer Binding: bind filter to

consumer• Export results to log file, data store• Credit: https://www.fireeye.com/blog/threat-

research/2016/08/wmi_vs_wmi_monitor.html