This document discusses the use of PowerShell and Windows Management Instrumentation (WMI) by attackers. It provides background on these tools and their capabilities. It then gives examples of how attackers may use PowerShell and WMI for activities like downloading files, achieving persistence, and pivoting within a network. The document concludes by discussing defenses like logging and monitoring these tools to detect malicious use.

3. • Quick Background
• Malicious Possibilities
• Real-World Examples
• Detection & Defense

4. • Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
• Los Alamos National Lab: IR Lead
• US Navy: Information Warfare Officer
• University of Chicago: Philosophy Drop-Out

5. • Scripting and interactive language
• Introduced in 2006, integral to Win7+
since 2009
• Full access to COM & WMI for system
administration

6. • WMI = Windows Management
Instrumentation
• Interactive and scriptable framework
for local and remote administration
• Frequently accessed via PowerShell

7. http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png

8. http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png

9. http://www.opentechguides.com/how-to/article/powershell/132/get-
system-info-remotely.html

10. https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png

11. http://www.freeiconspng.co
m/img/17209
• PowerShell is a powerful,
useful tool for network
administration
• Widely used in Windows
Enterprise environments

12. • WMI enables significant access to
review and modify system data
• Access via PowerShell allows for
scripting and automated possibilities

14. • PowerShell’s ubiquity adds a significant
capability to potential attacker
• Enhances ability to ‘live off the land’
• Expands initial infection vectors

15. Command Use
-EncodedCommand Accepts Base64-encoded input for
execution within PowerShell
(New-Object
System.New.Webclient).DownloadFile()
Download a file from a remote location;
can be piped to Start-Process to execute
-ExecutionPolicy Bypass Circumvent system limits on script
execution
-WindowStyle Hidden Hide the command window from the user
-Invoke-Expression Execute arbitrary code or commands

16. Delivery
Vectors
VBA
VBS
BAT
JS
Registry
Startup
.lnk

17. https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg

18. • WMI is also ubiquitous, potent ‘dual-use’
• Can enable:
• Complex exploitation, persistence of
infected host
• New vectors to pivot within network

19. • PsExec-like remote execution
• Malicious file/script storage
• Persistence when combined with file or
registry activity

20. • Pentesting frameworks
• Crimeware/Commodity malware
• APT

23. • Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware
payload

25. • WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

27. https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png

28. CMD
•Command
execution
•Execution
Parameters
PowerShell
•Interactive and
Scripts
•Flags, Modifiers,
full Visibility
WMI
• Log Events
• Correlate
with Other
Activity

29. What is
required to
achieve
‘bad’?
Process
Execution
Persistence
Encode
Decode
Download
Upload

30. • Sysinternals Sysmon
• Windows Loggging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security

31. • WLS incorporates PowerShell logging natively
• Otherwise:
• Windows 7+
• Powershell 5.0+
• Enable logging!
• See:
• https://www.fireeye.com/blog/threat-
research/2016/02/greater_visibilityt.html

32. • Sysinternals Sysmon – latest version
includes WMI visibility
• But logging/alerting will need to be
tuned
• DIY via WMI Subscription creation
• Otherwise – commercial products

33. Establish
Visibility
Baseline
‘Normal’
Identify
Malicious
Create Alerts
& Alarms
Develop
Response

34. • What PowerShell/WMI scripts are used
in ‘normal’ network administration?
• What commands never have legitimate
use?
• What – if any – items require
whitelisting?

36. wmic /node:REMOTESYSTEM process call create “EVIL_COMMAND”
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE “%VMware%”
$BADTHING=New-ObjectManagement.ManagementClass($REMOTESYSTEM,
[String]::Empty,$null)
$BADTHING[‘__CLASS’]=’Evil_Malware’
$BADTHING.Properties.Add(‘SomethingEvil’,[Management.CimType]
::String,$False)
$BADTHING.Properties[‘SomethingEvil’].Value =$PAYLOAD
$EvilClass.Put()

38. • Create Event Consumer: performs action when
triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to
consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-
research/2016/08/wmi_vs_wmi_monitor.html