Persistent Asynchronous and Fileless Backdoor

More documents

Recommendations

Info

WMI – Benefits to an Attacker• Service enabled <strong>and</strong> remotely available on all Windowssystems by default• Runs as SYSTEM• Relatively esoteric persistence mechanism• Other than insertion into the WMI repository, nothingtouches disk• Defenders are generally unaware of WMI as an attack vector• Uses an existing, non-suspicious protocol• Nearly everything on the operating system is capable oftriggering a WMI event
WMI Attacks – Reconnaissance• Host/OS information: ROOT\CIMV2:Win32_OperatingSystem,Win32_ComputerSystem, ROOT\CIMV2:Win32_BIOS• File/directory listing: ROOT\CIMV2:CIM_DataFile• Disk volume listing: ROOT\CIMV2:Win32_Volume• Registry operations: ROOT\DEFAULT:StdRegProv• Running processes: ROOT\CIMV2:Win32_Process• Service listing: ROOT\CIMV2:Win32_Service• Event log: ROOT\CIMV2:Win32_NtLogEvent• Logged on accounts: ROOT\CIMV2:Win32_LoggedOnUser• Mounted shares: ROOT\CIMV2:Win32_Share• Installed patches: ROOT\CIMV2:Win32_QuickFixEngineering• Installed AV: ROOT\SecurityCenter[2]:AntiVirusProduct
Page 4 and 5: Fact - Attackers are abusing WMI1.
Page 8: Outline1. Abridged History of WMI M
Page 11 and 12: 2010 - Ghost• Utilized permanent
Page 13 and 14: WMI Basics
Page 15 and 16: WMI Basics - Architecture• WMI im
Page 18 and 19: Interacting with WMI
Page 20 and 21: Utilities - wmic.exe• Pentesters
Page 22 and 23: Utilities - wbemtest.exe• The WMI
Page 24 and 25: Utilities• Linux - wmic, wmis, wm
Page 26 and 27: Remote WMI Protocols - DCOM• DCOM
Page 28 and 29: Remote WMI Protocols - WinRM/PowerS
Page 30 and 31: Remote WMI Protocols - WinRM/PowerS
Page 32 and 33: WMI Eventing
Page 34 and 35: WMI Event Type - Intrinsic• Intri
Page 36 and 37: WMI Event - Filters• The definiti
Page 38 and 39: WMI Attacks
Page 42 and 43: WMI Attacks - VM/Sandbox Detection
Page 44 and 45: WMI Attacks - Code Execution and La
Page 46 and 47: WMI Attacks - Data Storage$StaticCl
Page 48 and 49: WMI Attacks - C2 Communication (WMI
Page 50 and 51: WMI Attacks - C2 Communication (Reg
Page 52 and 53: WMI Attacks - Stealthy Command “P
Page 54 and 55: WMI Providers
Page 56 and 57: 3 rd Party WMI Providers• Some 3
Page 58 and 59: WMI Provider Enumeration• Get-Wmi
Page 60 and 61: PoC WMI Backdoor Background• A pu
Page 62 and 63: PoC WMI Backdoor Syntax - New-WMIBa
Page 64 and 65: PoC WMI Backdoor - Examples$Trigger
Page 66 and 67: Attacker Detection with WMI• Pers
Page 68 and 69: Attacker Detection with WMIWMI is t
Page 70 and 71: Mitigations
Page 72 and 73: Thank you!• Valuable input on use

Persistent Asynchronous and Fileless Backdoor

Create successful ePaper yourself

Delete template?

Save as template?