Persistent Asynchronous and Fileless Backdoor

More documents

Recommendations

Info

Fact - Attackers are abusing WMI1. You may not be aware of this fact.2. You may not know WMI is.3. You may not know how to prevent anddetect such attacks.4. You may only be aware of its maliciouscapabilities as described in public reports.
Page 3[5] The CRO provided for calculation of the father’s income based on how hewas paid, how child support was to be paid and provisions for an accounting ineach year to ensure that the father paid child support on his actual annual income.Overpayments and underpayments of child support were dealt with in the CRO.There is a provision for annual disclosure of income tax information.[6] The CRO provided that the father pay spousal support to the mother.[7] For extracurricular expenses the parties agreed to equally share thoseexpenses which were agreed upon. Certain expenses were to be paid 100% by themother and others, including dance, were to be paid for 100% by the father. Theparties agreed to proportionately share other s. 7 expenses that were agreed to byboth parents.[8] The father agreed to maintain the children on his health insurance.[9] In March 2012 the CRO was varied, by consent, to terminate spousalsupport and to cap the father’s obligation for dance expenses to $10,000 per year.[10] In 2013, the father’s firm received a class action settlement which resulted ina payment to him or the corporation of $223,298. He did not pay any of thisamount to the mother for child support.
Page 8: Outline1. Abridged History of WMI M
Page 11 and 12: 2010 - Ghost• Utilized permanent
Page 13 and 14: WMI Basics
Page 15 and 16: WMI Basics - Architecture• WMI im
Page 18 and 19: Interacting with WMI
Page 20 and 21: Utilities - wmic.exe• Pentesters
Page 22 and 23: Utilities - wbemtest.exe• The WMI
Page 24 and 25: Utilities• Linux - wmic, wmis, wm
Page 26 and 27: Remote WMI Protocols - DCOM• DCOM
Page 28 and 29: Remote WMI Protocols - WinRM/PowerS
Page 30 and 31: Remote WMI Protocols - WinRM/PowerS
Page 32 and 33: WMI Eventing
Page 34 and 35: WMI Event Type - Intrinsic• Intri
Page 36 and 37: WMI Event - Filters• The definiti
Page 38 and 39: WMI Attacks
Page 40 and 41: WMI - Benefits to an Attacker• Se
Page 42 and 43: WMI Attacks - VM/Sandbox Detection
Page 44 and 45: WMI Attacks - Code Execution and La
Page 46 and 47: WMI Attacks - Data Storage$StaticCl
Page 48 and 49: WMI Attacks - C2 Communication (WMI
Page 50 and 51: WMI Attacks - C2 Communication (Reg
Page 52 and 53:
WMI Attacks - Stealthy Command “P
Page 54 and 55:
WMI Providers
Page 56 and 57:
3 rd Party WMI Providers• Some 3
Page 58 and 59:
WMI Provider Enumeration• Get-Wmi
Page 60 and 61:
PoC WMI Backdoor Background• A pu
Page 62 and 63:
PoC WMI Backdoor Syntax - New-WMIBa
Page 64 and 65:
PoC WMI Backdoor - Examples$Trigger
Page 66 and 67:
Attacker Detection with WMI• Pers
Page 68 and 69:
Attacker Detection with WMIWMI is t
Page 70 and 71:
Mitigations
Page 72 and 73:
Thank you!• Valuable input on use
show all

Persistent Asynchronous and Fileless Backdoor

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?