Persistent Asynchronous and Fileless Backdoor

Recommendations

Info

WMI Attacks – Data Storage$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)$StaticClass.Name = 'Win32_EvilClass'$StaticClass.Put()$StaticClass.Properties.Add('EvilProperty' , "This is not the malwareyou're looking for")$StaticClass.Put()
WMI Attacks – C2 Communication• WMI is a fantastic C2 channel!• The following can be used to stage exfil– Namespace• WMI Shell already does it– WMI class creation• One group already kind of does it– Registry• No one I know of is doing this– Ideas? Let’s chat
Page 2 and 3: Abusing Windows ManagementInstrumen
Page 4 and 5: Fact - Attackers are abusing WMI1.
Page 6 and 7: Sophisticated attackers are “livi
Page 8 and 9: Outline1. Abridged History of WMI M
Page 10 and 11: 2010 - Stuxnet• Exploited MS10-06
Page 12 and 13: 2014 - WMI Shell (Andrei Dumitrescu
Page 14 and 15: WMI Basics - Introduction• Window
Page 16: WMI Basics - Architecture• Persis
Page 19 and 20: Utilities - PowerShell“Blue is th
Page 21 and 22: Utilities - Sapien WMI Explorer•
Page 23 and 24: Utilities - winrm.exe• Not a well
Page 25 and 26: Remote WMI
Page 27 and 28: Remote WMI Protocols - DCOM
Page 29 and 30: Remote WMI Protocols - WinRM/PowerS
Page 31 and 32: Remote WMI Protocols - DCOM• DCOM
Page 33 and 34: WMI Eventing• WMI has the ability
Page 35 and 36: WMI Event Type - Extrinsic• Extri
Page 37 and 38: WMI Event - Consumers• The action
Page 39 and 40: WMI Attacks• From an attackers pe
Page 41 and 42: WMI Attacks - Reconnaissance• Hos
Page 43 and 44: WMI Attacks - VM/Sandbox Detection
Page 45: WMI Attacks - PersistenceSEADADDY (
Page 49 and 50: WMI Attacks - C2 Communication (WMI
Page 51 and 52: WMI Attacks - C2 Communication (Reg
Page 53 and 54: WMI Attacks - MOFWhy aren’t you t
Page 55 and 56: WMI Providers• COM DLLs that form
Page 57 and 58: Malicious WMI Providers• This was
Page 59 and 60: PoC WMI Backdoor
Page 61 and 62: PoC WMI Backdoor Syntax - New-WMIBa
Page 63 and 64: PoC WMI Backdoor Syntax - Register-
Page 65 and 66: Attack Defense andMitigations
Page 67 and 68: Existing Detection Utilities• Sys
Page 69 and 70: Mitigations• Stop the WMI service
Page 71 and 72: Mitigations
Page 73: Questions?

Persistent Asynchronous and Fileless Backdoor

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?