Persistent Asynchronous and Fileless Backdoor

Recommendations

Info

2010 - Stuxnet• Exploited MS10-061 – Windows Printer Spooler• Exploited an arbitrary file write vulnerability• WMI provided a generic means of turning a file write toSYSTEM code execution!• The attackers dropped a MOF file to gain SYSTEM-levelexecution.• Microsoft fixed this exploit primitivehttp://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
2010 - Ghost• Utilized permanent WMI event subscriptions to:• Monitor changes to “Recent” folder• Compressed <strong>and</strong> uploaded all new documents• Activates an ActiveX control that uses IE as a C2channelhttp://la.trendmicro.com/media/misc/underst<strong>and</strong>ing-wmi-malware-research-paper-en.pdf
Page 2 and 3: Abusing Windows ManagementInstrumen
Page 4 and 5: Fact - Attackers are abusing WMI1.
Page 6 and 7: Sophisticated attackers are “livi
Page 8 and 9: Outline1. Abridged History of WMI M
Page 12 and 13: 2014 - WMI Shell (Andrei Dumitrescu
Page 14 and 15: WMI Basics - Introduction• Window
Page 16: WMI Basics - Architecture• Persis
Page 19 and 20: Utilities - PowerShell“Blue is th
Page 21 and 22: Utilities - Sapien WMI Explorer•
Page 23 and 24: Utilities - winrm.exe• Not a well
Page 25 and 26: Remote WMI
Page 27 and 28: Remote WMI Protocols - DCOM
Page 29 and 30: Remote WMI Protocols - WinRM/PowerS
Page 31 and 32: Remote WMI Protocols - DCOM• DCOM
Page 33 and 34: WMI Eventing• WMI has the ability
Page 35 and 36: WMI Event Type - Extrinsic• Extri
Page 37 and 38: WMI Event - Consumers• The action
Page 39 and 40: WMI Attacks• From an attackers pe
Page 41 and 42: WMI Attacks - Reconnaissance• Hos
Page 43 and 44: WMI Attacks - VM/Sandbox Detection
Page 45 and 46: WMI Attacks - PersistenceSEADADDY (
Page 47 and 48: WMI Attacks - C2 Communication• W
Page 49 and 50: WMI Attacks - C2 Communication (WMI
Page 51 and 52: WMI Attacks - C2 Communication (Reg
Page 53 and 54: WMI Attacks - MOFWhy aren’t you t
Page 55 and 56: WMI Providers• COM DLLs that form
Page 57 and 58: Malicious WMI Providers• This was
Page 59 and 60: PoC WMI Backdoor
Page 61 and 62:
PoC WMI Backdoor Syntax - New-WMIBa
Page 63 and 64:
PoC WMI Backdoor Syntax - Register-
Page 65 and 66:
Attack Defense andMitigations
Page 67 and 68:
Existing Detection Utilities• Sys
Page 69 and 70:
Mitigations• Stop the WMI service
Page 71 and 72:
Mitigations
Page 73:
Questions?
show all

Persistent Asynchronous and Fileless Backdoor

Create successful ePaper yourself

Delete template?

Save as template?