Windows Management Instrumentation – A Front Door for Malware
Santhosh Kumar
Whoami
• Love to break things apart.
• Hobby hacker.
• Spoke at various conferences including DEFCON Las Vegas, OWASP AppSec USA 2014, BSides Las Vegas.
• Second time here.
Outline
• WM … what?
• WMI malware timeline
• WMI architecture
• WQL
• WMI providers
• WMI eventing
• Demo
• Defenses
WM … what?
• System management, both remote and local.
• Deployed way back in NT4 and Windows 95/98.
• Used to access the registry, file system, network etc.
• Eventing, remoting and remote code execution.
• Endless possibilities.
• Supported by various tools.
• Has its own query language.
Why should I care?
WMI malware Timeline
• MS10-061 – Windows Print Spooler
• Attackers dropped a MOF file to gain RCE.
• Microsoft patched it in the KB2347290 update.
• http://poppopret.blogspot.in/2011/09/playing-with-mof-files-on-windows-for.html
Hammertoss APT (2015)
• Heavy reliance upon WMI and PowerShell
• Custom WMI class creation
• WMI repository used to store payloads of arbitrary size
• Results of commands added to WMI object properties
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
Syndicasec (2013-2015)
• Two-stage infection.
• Creates a TimerInstruction to raise a custom event.
• An EventFilter is created, linking the TimerInstruction and the EvilProviders.
• Every time it fires, the consumer is executed, leading to RCE.
• http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/
WMI architecture
• https://msdn.microsoft.com/en-us/library/aa394553(v=vs.85).aspx
Interaction with WMI
• winrm
• .NET
• VBScript
• JScript
• C/C++ via the IWbem COM API
• More utilities
• http://passing-the-hash.blogspot.in/2013/04/missing-pth-tools-writeup-wmic-wmis-curl.html
WQL
• Similar to SQL. Queries WMI objects, classes and namespaces.
• Three types of query:
• Data query
• Event query
• Schema query
• Useful for recon
• https://msdn.microsoft.com/en-us/library/aa392902(v=vs.85).aspx
WMI Recon
• Find installed antivirus
• Find the security updates installed on the system
• Find if it is a VM
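The three recon items above written as WQL data queries, plus a schema query of the kind the WQL slide lists, gathered into one host inventory object. This is an added example and not code from the slides; the function name Get-WmiInventory and the hypervisor string list are my own choices.

```powershell
# Added example (not from the slides): the three recon items as WQL data
# queries, plus a schema query, gathered into one inventory object.
# Get-WmiInventory and the hypervisor string list are my own choices.

function Get-WmiInventory {
    # Data query 1: antivirus products registered with Security Center.
    # root\SecurityCenter2 exists only on client SKUs, so tolerate its absence.
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
              -ErrorAction SilentlyContinue | ForEach-Object { $_.displayName }

    # Data query 2: installed security updates, as Win32_QuickFixEngineering.
    $hotfixes = Get-WmiObject -Query 'SELECT HotFixID, InstalledOn FROM Win32_QuickFixEngineering'

    # Data query 3: manufacturer/model strings that give away common hypervisors.
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $isVm = "$($cs.Manufacturer) $($cs.Model)" -match 'VMware|VirtualBox|Virtual Machine|QEMU|KVM|Xen|Parallels'

    # Schema query: every class in root\cimv2 derived from CIM_DataFile, the
    # class the event-filter slide later keys its document-creation query on.
    $fileClasses = Get-WmiObject -Namespace 'root\cimv2' `
                       -Query "SELECT * FROM meta_class WHERE __this ISA 'CIM_DataFile'" |
                   ForEach-Object { $_.__CLASS }

    [pscustomobject]@{
        AntivirusProducts  = @($av)
        HotfixCount        = @($hotfixes).Count
        HotfixIDs          = @($hotfixes | ForEach-Object { $_.HotFixID })
        Manufacturer       = $cs.Manufacturer
        Model              = $cs.Model
        LooksLikeVm        = $isVm
        CimDataFileClasses = @($fileClasses)
    }
}

Get-WmiInventory | Format-List
```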
WMI providers
• Form the core of how WMI works.
• Each provider consists of a DLL and a MOF file.
• Each provider is registered under its own GUID.
• %windir%\System32\Wbem
• There can also be custom WMI providers.
Malicious WMI providers
• EvilWMIProvider by Casey Smith (@subTee) – https://github.com/subTee/EvilWMIProvider
• Invoke-WmiMethod -Class Win32_Evil -Name ExecShellcode -ArgumentList @(0x90, 0x90, 0x90), $null
• EvilNetConnectionWMIProvider by Jared Atkinson (@jaredcatkinson) – https://github.com/jaredcatkinson/EvilNetConnectionWMI
• Invoke-WmiMethod -Class Win32_NetworkConnection -Name RunPs -ArgumentList 'whoami', $null
• Get-WmiObject -Class Win32_NetworkConnection
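A defender's counterpart to the two provider slides above: walk every namespace, list the registered providers, resolve each CLSID to its hosting DLL through the registry, and flag anything not living under %windir%\System32\wbem, which is where a custom provider such as the ones named here would surface. This is an added example, not code from the slides or from either project; the function names are my own, and flagged rows need a manual look because some legitimate providers also live elsewhere or are not in-process COM servers.

```powershell
# Added example (not from the slides): enumerate every registered WMI provider
# across all namespaces, resolve its CLSID to the hosting COM DLL through the
# registry, and flag providers whose DLL is not under %windir%\System32\wbem.
# Function names are my own. Review flagged rows by hand.

function Get-WmiNamespaces {
    param([string]$Root = 'root')
    $Root                                    # emit this namespace, then recurse
    Get-WmiObject -Namespace $Root -Class __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespaces -Root "$Root\$($_.Name)" }
}

function Resolve-ProviderDll {
    param([string]$Clsid)
    # In-process COM servers publish their DLL under HKCR\CLSID\{guid}\InprocServer32.
    $key  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($path) { [Environment]::ExpandEnvironmentVariables($path) }
}

function Get-WmiProviderAudit {
    $wbemDir = Join-Path $env:windir 'System32\wbem'
    foreach ($ns in Get-WmiNamespaces) {
        # __Win32Provider holds the registration record for each provider.
        Get-WmiObject -Namespace $ns -Class __Win32Provider -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dll = Resolve-ProviderDll -Clsid $_.CLSID
                [pscustomobject]@{
                    Namespace    = $ns
                    Provider     = $_.Name
                    CLSID        = $_.CLSID
                    HostingModel = $_.HostingModel
                    Dll          = $dll
                    # No DLL means the CLSID is not an in-proc server (e.g. a
                    # decoupled or .NET-hosted provider): worth a look as well.
                    Suspicious   = (-not $dll) -or (-not $dll.StartsWith($wbemDir, 'OrdinalIgnoreCase'))
                }
            }
    }
}

Get-WmiProviderAudit | Where-Object Suspicious | Format-Table -AutoSize
```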
WMI eventing
• WMI can be used to monitor any type of operating system event.
• Classified into two types:
• Intrinsic events
• Extrinsic events
• Three requirements to define a permanent event subscription:
• Filter, consumer and binding
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-and-powershell.aspx
Intrinsic Events
• Intrinsic events are system classes included in every namespace.
• Monitor any changes to a class or namespace.
• Polled: the query must specify a polling interval (WITHIN).
• https://technet.microsoft.com/en-us/library/ee156572.aspx
Extrinsic Events
• Used to monitor resources that are not stored in the CIM repository, for example:
ROOT\CIMV2:Win32_ComputerShutdownEvent
ROOT\CIMV2:Win32_IP4RouteTableEvent
ROOT\CIMV2:Win32_ProcessStartTrace
ROOT\CIMV2:Win32_ModuleLoadTrace
ROOT\CIMV2:Win32_ThreadStartTrace
ROOT\CIMV2:Win32_VolumeChangeEvent
ROOT\CIMV2:Msft_WmiProvider*
ROOT\DEFAULT:RegistryKeyChangeEvent
ROOT\DEFAULT:RegistryValueChangeEvent
Event Filter
• Defines which event triggers the subscription.
• A WMI query:
• Intrinsic query:
SELECT * FROM __InstanceOperationEvent WITHIN 30 WHERE ((__CLASS = "__InstanceCreationEvent" OR __CLASS = "__InstanceModificationEvent") AND TargetInstance ISA "CIM_DataFile") AND (TargetInstance.Extension = "doc" OR TargetInstance.Extension = "docx")
• Extrinsic query:
SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2
Event Consumer
• Defines what to do when the event fires.
• These are the standard event consumers:
LogFileEventConsumer
ActiveScriptEventConsumer
NTEventLogEventConsumer
SMTPEventConsumer
CommandLineEventConsumer
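The filter and consumer slides above describe permanent subscriptions; the same intrinsic WITHIN / ISA query form also works for a temporary, in-session subscription, shown here watching root\subscription for a new __FilterToConsumerBinding, i.e. for someone installing a permanent subscription. This is an added example, not from the slides; the source identifier 'NewWmiBinding' and the event-log source 'WmiWatch' are my own choices.

```powershell
# Added example (not from the slides): a temporary intrinsic event subscription
# in the same WITHIN / ISA form as the filter query on the slide. It fires when
# a __FilterToConsumerBinding is created in root\subscription and records it.
# 'NewWmiBinding' and the 'WmiWatch' event-log source are my own names.

$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA '__FilterToConsumerBinding'"

Register-WmiEvent -Namespace 'root\subscription' -Query $query `
    -SourceIdentifier 'NewWmiBinding' -Action {
        # TargetInstance is the binding that was just created.
        $b   = $Event.SourceEventArgs.NewEvent.TargetInstance
        $msg = "[{0}] new permanent WMI binding: filter={1} consumer={2}" -f `
               (Get-Date -Format s), $b.Filter, $b.Consumer
        Write-Host $msg
        # Persist to the Application log when the 'WmiWatch' source has been
        # registered once (New-EventLog -LogName Application -Source WmiWatch,
        # run as Administrator), so the alert outlives this session.
        if ([System.Diagnostics.EventLog]::SourceExists('WmiWatch')) {
            Write-EventLog -LogName Application -Source 'WmiWatch' -EventId 1001 `
                -EntryType Warning -Message $msg
        }
    }

# The watcher runs until this session ends or until:
# Unregister-Event -SourceIdentifier 'NewWmiBinding'
```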
WMIGHOST APT
• Targeting Indian users, mainly military, energy and government policy.
• Infection via spear-phishing attempts.
• Drops an unclassified government document like this one:
WMIGHOST (2014-2015)
• "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).
• If successful, then drops dw20.exe and gupdate.exe.
• https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost
• Password: infected
ShadowNet APT
• Detected this year on Tibetan Uprising Day.
• The group modified its toolchain to add a WMI script for gathering information and exfiltration.
• Multi-layer C&C server; identifies victims using encoded strings.
• Domain registrant record:
Registrant Name: Kasong Dolma
Registrant Street: New York
Registrant City: New York
Registrant State/Province: guangdong
Registrant Postal Code: 10001
Registrant Country: CN
Registrant Phone: +1.9175608889
Registrant Email: [email protected]
WMI OFFENSIVE TOOLS
DEMO
• Acts like a shell, using WMI as C&C.
• Uses namespaces for storing the data.
• Stores the data in the namespace Base64-encoded to evade firewalls and endpoint protection.
• Decodes the Base64 data on the attacker machine.
Defenses
• Don't enable WMI remoting?
• Stricter firewall rules.
• Audit permanent WMI event subscriptions.
• Custom event logs.
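The audit behind the permanent-subscription bullet above, and the defender's view of the filter / consumer / binding triple from the eventing slides: enumerate root\subscription, join each binding to its filter and consumer, show what the consumer executes, and flag the command-line and script consumers through which the families on these slides persist. This is an added example, not code from the slides; the function name is my own.

```powershell
# Added example (not from the slides): enumerate permanent WMI event
# subscriptions in root\subscription and flag consumers that execute commands
# or scripts. Get-WmiSubscriptionAudit is my own name.

function Get-WmiSubscriptionAudit {
    $ns        = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)

    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        # Binding.Filter / .Consumer hold object paths such as
        # __EventFilter.Name="BVTFilter"; match them to the live instances.
        $f = $filters   | Where-Object { $b.Filter.EndsWith($_.__RELPATH) }   | Select-Object -First 1
        $c = $consumers | Where-Object { $b.Consumer.EndsWith($_.__RELPATH) } | Select-Object -First 1

        # What the consumer does when the filter fires, by consumer type.
        $action = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' {
                if ($c.ScriptText) { "$($c.ScriptingEngine): $($c.ScriptText)" }
                else               { "$($c.ScriptingEngine) file: $($c.ScriptFileName)" }
            }
            'LogFileEventConsumer'      { "append to $($c.Filename)" }
            default                     { $null }
        }

        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            ConsumerName = $c.Name
            Action       = $action
            # Command-line and script consumers run arbitrary code as SYSTEM.
            # Dangling bindings (no filter or consumer found) are also odd.
            Suspicious   = ($c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') `
                           -or -not $f -or -not $c
        }
    }
}

Get-WmiSubscriptionAudit | Format-List
```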
Books
References
• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf
• http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/
• https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf
• https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/bg126473(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-and-powershell.aspx
• http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-Subscriptions-Using-M
• http://ytisf.github.io/theZoo/
• https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_There's_Something_About_WMI.pdf