Windows 10 Endpoint Security Improvements and Living Off the Land with WMImplant

Windows 10 - Endpoint
Security Improvements and
the Implant Since Windows
2000
By: @ChrisTruncer and
@Evan_Pena2003

@ChrisTruncer
Sys Admin turned Red Teamer
Open Source Developer
Trooper
2

@Evan_Pena2003
Open Source Developer
Red Team Lead for West Coast
Former sysadmin
3

What’s this talk about?
◈ Device guard!
◈ Code integrity policies
◈ PowerShell Constrained Language mode
◈ Introduction of a way to live off the land
◈ Data Encoding
◈ C2 Data Storage
◈ Commands
4

Device Guard
◈ Defensive technology built into Windows 10
and Server 2016
◈ A change from antivirus technologies where
apps are “trusted” unless flagged as
malicious
◈ You now explicitly state which applications
are trusted
6

Device Guard
◈ New application whitelisting bypass
published?
◆Don’t trust that application anymore!
◈ Matt Graeber is curating a baseline code
integrity policy blocking offending
applications
7
https://github.com/mattifestation/DeviceGuardBypassMitigationRules

Code Integrity Policies
◈ You define trusted applications by creating
Code Integrity policies
◈ Upon creating code integrity policies, they
can be deployed via:
◆GPO
◆SCCM
8

◈ Code integrity policies are largely based on
digital signatures
◈ For unsigned applications, you can deploy
catalog files which can be tied into code
integrity policies
9

◈ Catalog files will need to be updated every
time an application is updated
◆If using digital signatures, this won’t be
a problem
◈ Code integrity policies typically are XML
files converted into a binary
10

◈ Your code integrity policies themselves
should also be signed
◆This can help prevent modification by
users/attackers with administrative rights
11

Creating Code Integrity Policies
◈ The easiest way to create code integrity
policies is through PowerShell
◈ Carlos Perez and Matt Graeber have created
walkthroughs for creating a code integrity
policy
12
https://gist.github.com/darkoperator/7d5b85354c0343c7554e
http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html

◈ Largely, you will use the New-CIPolicy
cmdlet and specify the file rule levels for
defining trusted applications
◆File hash
◆File name
◆Publisher
◆FilePublisher 13

◈ Convert XML code integrity policy to a
binary file
◆ConvertFrom-CIPolicy
◈ Deploy in audit mode
◆Non-blocking
◆Generates events
15

◈ After having deployed in audit mode
◆ Review event logs
◆ Make any rule modifications as needed
◆ Deploy in enforcement mode
16

PowerShell Constrained Language Mode
◈ Device Guard auto-configures PowerShell to
run in Constrained Language mode
◆Pure PowerShell elements are allowed,
but the types are limited
◆.Net methods are only allowed on the
permitted types
17

Attacker’s Perspective
◈ How can we operate on a Device Guard
protected system?
◆Develop a bypass
◇This will be effective at first, but
could potentially be blocked via CI
Policy.
◇This takes R&D 19

Attacker’s Perspective
◈ How about living off the land?
◆We know the applications most likely to
be whitelisted
◇PowerShell, WMI, etc.
◆Can they be chained together to attack
systems in a useful manner?
20

WMImplant
◈ Developed in PowerShell
◈ Designed to exclusively operate with WMI
◆The mechanism to trigger actions
◆The C2 channel itself
◆Data storage :)
◈ Menu and commands are reminiscent of
Meterpreter - except all WMI based
22

First, Thanks
◈ Thanks to the incredibly smart Matt Graeber,
Willi Ballenthin, and Claudiu Teodorescu
◈ Their research is what spurred my interest in
WMI
◈ Without their research, I may have never
developed this capability
23https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

What’s WMI?
◈ WMI == Windows Management
Instrumentation
◈ Installed and enabled by default in Windows
since Windows 2000
◈ Enables administrators to query local and
remote systems for management purposes
24

WMImplant and Device Guard
◈ WMImplant was developed exclusively
against Device Guard protected systems
◆Remember ConstrainedLanguage
Mode? - We’re great friends with it :)
25

◈ Data storage and encoding were problems in
the initial development stages.
◆We want to be able to upload or
download files, run commands, etc.
◆What if all data that we might need to
manipulate isn’t just text?
26

◈ We discovered that encoding and data
storage were problems we were going to
need to solve to write an effective post-
exploitation tool
27

WMImplant and Encoding
◈ The first method of encoding data? Base64!
◆[Convert]::ToBase64String()
◈ Only one problem...
29

Encoding - Back to the Drawing Board
◈ Base64 is out
◆We haven’t seen a pure PowerShell
based Base64 encoding/decoding
function
◈ WMImplant can be encoder agnostic,
anything that works can be used.
◆So… let’s turn to Daniel Bohannon 31

WMImplant and Encoding - [Int[]][Char[]]
◈ $encode = [Int[]][char[]]$input -Join ','
◆Breaks input into an array of char, then
converts each char into an int
◆It works with binary and text files - in
constrained mode
◈ $decoded = [char[]][int[]]$encode.Split(',') -
Join '' 32

WMImplant Encoding and Storage
◈ Awesome!
◈ We can now encode and
decode data in a
Constrained Language
compliant manner.
◈ Next Question: where
should it be stored?
34

WMImplant and Data Storage
◈ The initial version of WMImplant used the
system registry to store data
◈ We can easily create and modify registry
values remotely
◆This can be done over WMI with the
StdRegProv
35

◈ Registry Pro:
◆Not limited to a very small size
limitations
◈ Registry Con:
◆Lots of parsers for analyzing a system’s
registry
36

◈ This led to a conversation with Matt
Dunwoody discussing APT 29 tactics
◆They were creating custom WMI
classes, adding properties, and storing
data in WMI properties.
◈ Let’s try to recreate this!
37

WMImplant and Data Storage - New WMI Class
◈ Lucky for us, Matt Graeber already
published code that does this!
38https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-
instrumentation.pdf

WMImplant and Data Storage - New WMI Class
◈ But… there’s a
problem...
39

WMImplant and Data Storage - WMI Property Fail
◈ WMI class creation is allowed within
Constrained Language Mode
◈ WMI property creation is not…
◈ It looks like this idea won’t work
◈ Unless...
41

WMImplant and Data Storage - Existing Classes!
◈ What about if we look at existing WMI classes?
◆ Are their properties writable?
◆ Can they accept a “string” type or any
length?
◆ Can the property be modified in Constrained
Language Mode?
◆ Won’t blue screen the box?
42

◈ Modified an existing script to:
◆Enumerate all WMI classes
◆Enumerate all properties within each
class
◆Find properties of type “string” that are
writable
43https://gist.github.com/ChrisTruncer/f3fe3f04b9fdd1310507363f8bdad8be

◈ This returned a somewhat limited number of
properties
◆Some only allowed a fixed (small)
length of data
◆Others would error when modifying the
property value.
44

WMImplant and Data Storage - Then, there was one
◈ However, this did identify a class that we’ve
not seen before
◆Win32_OSRecoveryConfiguration
◈ This class is used to specify the type of
information that is collected when the
system crashes.
45

WMImplant and Data Storage - Then, there was one
◈ It does have a single property which is
writable, and is a string
◆DebugFilePath - The location where
Windows places a memory dump
following an operating system crash.
47

WMImplant and Data Storage - DebugFilePath
◈ It looks as if it should only accept a file path
location
◈ It looks as if it would be limited in the length
of data it accepts
◈ That’s what it looks like...
49

◈ Awesome!
◈ Demonstrates we can write arbitrary strings
to the DebugFilePath property
◈ Our encoder can work with this!
◈ What about length..?
51

◈ This gives us everything we need!
◆Writeable string property
◆Writeable in Constrained Mode
◆Not fixed in length (256+ MB)
◆Doesn’t blue screen the box :)
53

WMImplant and Data Storage - C2 Comms
1.Query the remote machine’s DebugFilePath
property to receive its original value
2.Use WMI to execute a command (ipconfig)
on the targeted machine
3.Encode the results of the command and store
it in the DebugFilePath property
54

WMImplant and Data Storage - C2 Comms
4. Query the remote system (from attacking
machine) to receive DebugFilePath value
5. Decode the value and display the results
6. Set the DebugFilePath property back to its
original value.
55

WMImplant - C2 Comms
◈ Most of WMImplant’s commands will not
require data storage
◆In this case, results are retrieved with
likely a single WMI query
◈ If storage is required, the previous C2
communications methodology is followed
56

WMImplant Commands
Invoke-WMImplant
57

WMImplant - Commands
◈ Broken up by what they do:
◆Meta Functions
◆File Operations
◆Lateral Movement
◆Process Manipulation
◆System Manipulation
◆Log Analysis
58

WMImplant - Meta Functions
◈ help
◈ exit
◈ change_user - change current user context
for all commands
◈ gen_cli - generate command line command
to run non-interactively
59

WMImplant - File Operations
◈ cat - read file contents
◈ download - downloads file from target
◈ ls - directory and file listing
◈ ninjacopy - copy any file
◈ search - search for file or extension
◈ upload - upload file to target
61

WMImplant - Uploads and Downloads
◈ These are the only commands that still use
the registry for data storage
◆This is due to not knowing the size of
potential uploads or downloads
◆Also due to unknown size limits of the
WMI property (tested up to 256 MB)
64

WMImplant - Uploads
1.Read and encode file that will be uploaded
2.Store in remote system’s registry
3.Start PowerShell on remote system via WMI
4.Read and decode registry value
5.Write decoded results to user-specified file
location
65

WMImplant - Lateral Movement Facilitation
◈ command_exec - Run command and receive
output
◈ enable_wdigest - Set UseLogonPassword
key
◈ enable_winrm - enables WinRM
◈ remote_posh - Runs PowerShell script on
target and receives output 66

Detecting
Malicious WMI
WMI vs. WMI
69

Actively Monitor WMI
1. Use WMI Query Language (WQL) to identify
◆ Recently created “_EventConsumer”
events (persistence)
◆ WMI-based process executions
2. Creates an Event Filter (condition) to perform
an action if any of the above WQL conditions
are true
70

Actively Monitor WMI
3. Creates an Event Consumer (action), to log details of
the newly created “__EventConsumer” or executed
process
a. Set it to log all data to the event log with specific
event ID and event name
b. Very high fidelity!
c. Feed these logs to a SIEM - SNARE or universal
forwarder. Then ALERT!
71

Automating the Process - WMIMonitor
◈ Mandiant WMIMonitor PowerShell Script
found here:
https://github.com/realparisi/WMI_Monitor
◈ Detailed blog post here:
https://www.fireeye.com/blog/threat-
research/2016/08/wmi_vs_wmi_monitor.html
72

The Result (Command Execution
74

Scale Detection with More Signatures
◈ UpRoot IDS
◆https://github.com/Invoke-IR/Uproot
◈ Includes ~14 signatures instead of 2
◈ Centralized logging so if you have a smaller
budget...1 agent instead of 1000+ agents.
75

WMImplant - Future Work
◈ Implement whitelisting bypasses
◈ Examine the changing defensive landscape
and identify means to repurpose existing
tools
76

WMImplant - Where to get it
◈ WMImplant -
https://github.com/ChrisTruncer/WMImplant
◈ Questions?
◆@ChrisTruncer
◆@Evan_Pena2003
77

Windows 10 Endpoint Security Improvements and Living Off the Land with WMImplant

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Windows 10 Endpoint Security Improvements and Living Off the Land with WMImplant

Similar to Windows 10 Endpoint Security Improvements and Living Off the Land with WMImplant (20)

Recently uploaded

Recently uploaded (20)

Windows 10 Endpoint Security Improvements and Living Off the Land with WMImplant