WINDOWS MANAGEMENT INSTRUMENTATION – A FRONTDOOR FOR MALWARES! Windows Management Instrumentation is an implementation of web based enterprise management. WMI was a packaged along with the OS since Windows 2000. In the recent version of Windows it has been bundled by default. Ever since the “protection” has been increased, attackers have been looking for alternative ways to do remote code execution, steal passwords and run with system privileges. There has been an increase in malware binaries which specifically use WMI for various privilege escalation purposes without getting detected. WMI was specifically abused by malware authors to target financial sector. It is easy to create a process on a remote machine with a WMI client. Since 2013 there has been various reports of malware using WMI to gather system data before executing predominant payload. This talk will give an introduction to WMI and demonstrate the various ways that WMI can be used as an attacker’s swiss army knife, how malware authors are using this to leverage their exploits, how the present day tools can be used and how to protect against these type of attacks.

1. Windows Management
instrumentation – A Front Door for
malwares
Santhosh Kumar

2. Whoami
• Love to Break things apart.
• Hobby Hacker.
• Spoke at Various conferences including
DEFCON las Vegas, OWASP Appsec
USA 2014, Bsides Las Vegas.
• Second time here.

3. Outline
• WM … What?
• WMI malwares Timeline.
• WMI Architecture
• WQL
• WMI providers.
• WMI Eventing
• Demo
• Defenses

4. WM…what?
• System Management both remote and locally.
• Deployed way back in NT4 and Windows 98/95.
• Used to access registry,File System,network etc.
• Eventing,Remoting and Remote Code execution
• Endless possibilities.
• Various tools support.
• Own Query language.

5. Why Should i care?

6. WMI malware Timeline
• MS10-061 – Windows printer spooler
• Attackers Dropped a MOF file to gain RCE.
• Microsoft patched it in KB2347290 Update
http://poppopret.blogspot.in/2011/09/playing-with-mof-f

7. Hammertoss APT (2015)
• Heavy reliance upon WMI and PowerShell
ƒ
• Custom WMI class creation ƒ
• WMI repository used to store payloads of
arbitrary size ƒ
• Results of commands added to WMI
object properties
• https://www2.fireeye.com/rs/848-DID-242/imag

8. Syndicasec (2013-2015)
• 2 stage infection.
• creates a TimerInstruction to raise a
custom event
• Eventfilter is created to link to the
timerinstruction and EvilProviders
• Everytime it is linked the consumer is
executed leaving to RCE
http://www.welivesecurity.com/2013/05/23/syndi

9. WMI architecture
• https://msdn.microsoft.com/en-us/library/aa394553(v=vs.85).aspx

10. Interaction with WMI

11. Interaction with wmi

12. Interaction with wmi

13. winrm

14. Interaction with wmi
• .net
• Vbscript
• Jscript
• C/C++ via IWbem COM API
• More utilities
• http://passing-the-hash.blogspot.in/2013/04/m

15. WQL
• Similar like SQL.Query for WMI objects,classes and
Namespaces.
• Three types of query
• Data Query
• Event Query
• Schema Query
• Useful for RECON
• https://msdn.microsoft.com/en-us/library/aa392902(v=vs.85).a

16. WMI Recon
• Find installed Antivirus

17. WMI recon
• Find the Security Updates installed on the
system
• Find if it is a VM

18. WMI providers
• Form the core working of WMI
• Contains a DLL & MOF file for each
provider
• Have the own listing of GUID for each
provider
• %windir%System32Wbem
• Sometimes there can be a custom wmi
providers

19. Malicous WMI providers
• EvilWMIProvider by Casey Smith (@subTee) –
https://github.com/subTee/EvilWMIProvider
• Invoke-WmiMethod -Class Win32_Evil -Name
ExecShellcode -ArgumentList @(0x90, 0x90, 0x90),
$null
• EvilNetConnectionWMIProvider by Jared Atkinson
(@jaredcatkinson) –
https://github.com/jaredcatkinson/EvilNetConnectionWMI
• Invoke-WmiMethod -Class Win32_NetworkConnection -
Name RunPs -ArgumentList 'whoami' , $null – Get-
WmiObject -Class Win32_NetworkConnection

20. WMI eventing
• Wmi can be used to monitor any type of Operating
system events.
• Classified as two types
• Intrinsic events
• Extrinsic events
• 3 requirement to define a event filter
• Filter,consumer and binding
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-an

21. Intrinsic Events
• Intrinsic events are system classes
included in every namespace
• Monitor any changes to the class or
namespace
• Should be executed within the polling
interval
• https://technet.microsoft.com/en-us/library/ee1

22. Extrinsic Events
• Use to monitor resources which is not
included in CIM repository
ROOTCIMV2:Win32_ComputerShutdownEvent
ROOTCIMV2:Win32_IP4RouteTableEvent
ROOTCIMV2:Win32_ProcessStartTrace
ROOTCIMV2:Win32_ModuleLoadTrace
ROOTCIMV2:Win32_ThreadStartTrace
ROOTCIMV2:Win32_VolumeChangeEvent
ROOTCIMV2:Msft_WmiProvider*
ROOTDEFAULT:RegistryKeyChangeEvent
ROOTDEFAULT:RegistryValueChangeEvent

23. Event Filter
• Define which event to trigger
• WMI query
• Intrinsic Query
• SELECT * FROM __InstanceOperationEvent WITHIN 30
WHERE ((__CLASS = "__InstanceCreationEvent" OR
__CLASS = "__InstanceModificationEvent") AND
TargetInstance ISA "CIM_DataFile") AND
(TargetInstance.Extension = "doc") OR
(TargetInstance.Extension = "docx")
• Extrinsic Query
• SELECT * FROM Win32_VolumeChangeEvent WHERE
EventType = 2

24. Event Consumer
• Define what to do when event is called.
• These are the standard event consumers:
LogFileEventConsumer
ActiveScriptEventConsumer
NTEventLogEventConsumer
SMTPEventConsumer
CommandLineEventConsumer

25. WMIGHOST apt
• Targeting indian Users mainly military, energy and government
policy.
• Infection via spear phishing attempt
• Drops a unclassified government file like this

26. WMIGHOST (2014-2015)
• India US strategic dialouge press
release.doc”
(000150415302D7898F56D89C610DE4A
9).
• Then drops if successful dw20.exe and
gupdate.exe
https://github.com/ytisf/theZoo/tree/master/ma
Password:infected

27. ShadowNet APT
• This was detected this year during the tibetian uprising
day.
• Group modified the toolchain to add WMI script for
gathering information and exfiltration.
• Multi Layer C&C server and identifies victim using
encoded strings
Registrant Name: Kasong Dolma
Registrant Street: New York
Registrant City:New York
Registrant State/Province:guangdong
Registrant Postal Code:10001
Registrant Country:CN
Registrant Phone:+1.9175608889
Registrant Email: mike.fly@email.com

28. WMI OFFENSIVE TOOLS

29. DEMO
• Acts like a Shell using WMI as C&C.
• Uses Namespaces for Storing the data.
• Uses Base64 encoding to store the data in
the namespace to avoid firewall and
endpoints
• Decodes Base64 data on attacker
machine

30. Defenses
• Don’t enable WMI Remoting?
• More strict Firewall Rules
• permanent WMI event subscriptions
• Custom Event logs.

31. Books

33. References
• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers
• http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/
• https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf
• https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/bg126473(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-
guide-to-using-wmi-events-and-powershell.aspx
• http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-
Subscriptions-Using-M
• http://ytisf.github.io/theZoo/
• https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_Th
ere's_Something_About_WMI.pdf
•