Persistent Asynchronous and Fileless Backdoor

More documents

Recommendations

Info

Outline1. Abridged History of WMI Malware2. WMI Architecture3. WMI Interaction4. WMI Query Language (WQL)5. WMI Eventing6. Remote WMI7. WMI Attacks8. Providers9. PoC WMI backdoor10.Detection <strong>and</strong> Mitigations
Page 4 and 5: Fact - Attackers are abusing WMI1.
Page 10 and 11: 2010 - Stuxnet• Exploited MS10-06
Page 12 and 13: 2014 - WMI Shell (Andrei Dumitrescu
Page 14 and 15: WMI Basics - Introduction• Window
Page 16: WMI Basics - Architecture• Persis
Page 19 and 20: Utilities - PowerShell“Blue is th
Page 21 and 22: Utilities - Sapien WMI Explorer•
Page 23 and 24: Utilities - winrm.exe• Not a well
Page 25 and 26: Remote WMI
Page 27 and 28: Remote WMI Protocols - DCOM
Page 29 and 30: Remote WMI Protocols - WinRM/PowerS
Page 31 and 32: Remote WMI Protocols - DCOM• DCOM
Page 33 and 34: WMI Eventing• WMI has the ability
Page 35 and 36: WMI Event Type - Extrinsic• Extri
Page 37 and 38: WMI Event - Consumers• The action
Page 39 and 40: WMI Attacks• From an attackers pe
Page 41 and 42: WMI Attacks - Reconnaissance• Hos
Page 43 and 44: WMI Attacks - VM/Sandbox Detection
Page 45 and 46: WMI Attacks - PersistenceSEADADDY (
Page 47 and 48: WMI Attacks - C2 Communication• W
Page 49 and 50: WMI Attacks - C2 Communication (WMI
Page 51 and 52: WMI Attacks - C2 Communication (Reg
Page 53 and 54: WMI Attacks - MOFWhy aren’t you t
Page 55 and 56: WMI Providers• COM DLLs that form
Page 57 and 58:
Malicious WMI Providers• This was
Page 59 and 60:
PoC WMI Backdoor
Page 61 and 62:
PoC WMI Backdoor Syntax - New-WMIBa
Page 63 and 64:
PoC WMI Backdoor Syntax - Register-
Page 65 and 66:
Attack Defense andMitigations
Page 67 and 68:
Existing Detection Utilities• Sys
Page 69 and 70:
Mitigations• Stop the WMI service
Page 71 and 72:
Mitigations
Page 73:
Questions?
show all

Persistent Asynchronous and Fileless Backdoor

Create successful ePaper yourself

Delete template?

Save as template?