Windows Management Instrumentation – A Front Door for Malware
Santhosh Kumar
Whoami
• Love to break things apart.
• Hobby hacker.
• Spoke at various conferences including DEFCON Las Vegas, OWASP AppSec USA 2014, BSides Las Vegas.
• Second time here.
Outline
• WM… what?
• WMI malware timeline
• WMI architecture
• WQL
• WMI providers
• WMI eventing
• Demo
• Defenses
WM… what?
• System management, both remote and local.
• Deployed way back in NT4 and Windows 95/98.
• Used to access the registry, file system, network, etc.
• Eventing, remoting and remote code execution.
• Endless possibilities.
• Supported by various tools.
• Has its own query language.
Why should I care?
WMI malware timeline
• MS10-061 – Windows Print Spooler
• Attackers dropped a MOF file to gain RCE.
• Microsoft patched it in the KB2347290 update.
• http://poppopret.blogspot.in/2011/09/playing-with-mof-f
Hammertoss APT (2015)
• Heavy reliance upon WMI and PowerShell
• Custom WMI class creation
• WMI repository used to store payloads of arbitrary size
• Results of commands added to WMI object properties
• https://www2.fireeye.com/rs/848-DID-242/imag
Syndicasec (2013-2015)
• Two-stage infection.
• Creates a TimerInstruction to raise a custom event.
• An event filter is created to link the TimerInstruction to the evil provider.
• Each time the event fires, the consumer is executed, leading to RCE.
• http://www.welivesecurity.com/2013/05/23/syndi
WMI architecture
• https://msdn.microsoft.com/en-us/library/aa394553(v=vs.85).aspx
Interaction with WMI
• winrm
• .NET
• VBScript
• JScript
• C/C++ via the IWbem COM API
• More utilities
• http://passing-the-hash.blogspot.in/2013/04/m
WQL
• Similar to SQL. Queries WMI objects, classes and namespaces.
• Three types of query:
  • Data query
  • Event query
  • Schema query
• Useful for recon
• https://msdn.microsoft.com/en-us/library/aa392902(v=vs.85).a
WMI recon
• Find installed antivirus
• Find the security updates installed on the system
• Find if it is a VM
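The three recon queries named on the slide, written out in PowerShell as an added example (this is not code from the slides). It assumes a Windows host with the WMI service running; the root\SecurityCenter2 namespace exists only on client editions, and the HypervisorPresent property only on Windows 8 / Server 2012 and later.

```powershell
# Added example: the recon queries from the slide, run through Get-WmiObject / WQL.
# Assumes a Windows host with the WMI service running.

function Get-WmiRecon {
    # 1. Antivirus products registered with Security Center (client SKUs only; missing on servers)
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    $avNames = if ($av) { @($av | ForEach-Object { $_.displayName }) } else { @() }

    # 2. Security updates (hotfixes) recorded by the servicing stack
    $hotfixes = Get-WmiObject -Query 'SELECT HotFixID, Description, InstalledOn FROM Win32_QuickFixEngineering'

    # 3. VM check: hypervisors leave their names in the system and BIOS identification strings
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    $fingerprint = @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SerialNumber, $bios.Version) -join ' '
    $vmPattern   = 'VMware|VirtualBox|innotek|Virtual Machine|KVM|QEMU|Xen|Parallels|Hyper-V'

    [pscustomobject]@{
        AntiVirus         = $avNames
        SecurityUpdates   = @($hotfixes | Select-Object HotFixID, Description, InstalledOn)
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        # $null on Windows 7 / 2008 R2 where the property does not exist; also True on a
        # physical host that has the Hyper-V role enabled, so treat it as a hint, not proof
        HypervisorPresent = $cs.HypervisorPresent
        LooksLikeVm       = [bool]($fingerprint -match $vmPattern)
    }
}

$recon = Get-WmiRecon
$recon | Format-List AntiVirus, Manufacturer, Model, HypervisorPresent, LooksLikeVm
$recon.SecurityUpdates | Format-Table HotFixID, Description, InstalledOn -AutoSize
```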
WMI providers
• Form the core of how WMI works
• Each provider consists of a DLL and a MOF file
• Each provider has its own GUID listing
• %windir%\System32\Wbem
• Sometimes there can be custom WMI providers
Malicious WMI providers
• EvilWMIProvider by Casey Smith (@subTee) – https://github.com/subTee/EvilWMIProvider
  Invoke-WmiMethod -Class Win32_Evil -Name ExecShellcode -ArgumentList @(0x90, 0x90, 0x90), $null
• EvilNetConnectionWMIProvider by Jared Atkinson (@jaredcatkinson) – https://github.com/jaredcatkinson/EvilNetConnectionWMI
  Invoke-WmiMethod -Class Win32_NetworkConnection -Name RunPs -ArgumentList 'whoami', $null
  Get-WmiObject -Class Win32_NetworkConnection
WMI eventing
• WMI can be used to monitor any type of operating system event.
• Classified into two types:
  • Intrinsic events
  • Extrinsic events
• Three things are needed to define a permanent event subscription: a filter, a consumer and a binding
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-an
Intrinsic events
• Intrinsic events are system classes included in every namespace
• Monitor any changes to a class or namespace
• Delivered by polling, so the query must specify a polling interval (WITHIN)
• https://technet.microsoft.com/en-us/library/ee1
Extrinsic events
• Used to monitor resources that are not included in the CIM repository
ROOT\CIMV2:Win32_ComputerShutdownEvent
ROOT\CIMV2:Win32_IP4RouteTableEvent
ROOT\CIMV2:Win32_ProcessStartTrace
ROOT\CIMV2:Win32_ModuleLoadTrace
ROOT\CIMV2:Win32_ThreadStartTrace
ROOT\CIMV2:Win32_VolumeChangeEvent
ROOT\CIMV2:Msft_WmiProvider*
ROOT\DEFAULT:RegistryKeyChangeEvent
ROOT\DEFAULT:RegistryValueChangeEvent
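An added example (not the speaker's code) that consumes one of the extrinsic classes above from the defender's side: a temporary subscription to Win32_ProcessStartTrace that logs every process start and flags children of the WMI consumer host processes, which is where CommandLineEventConsumer and ActiveScriptEventConsumer payloads execute. It assumes an elevated PowerShell session; the log path and the SourceIdentifier are this example's own choices.

```powershell
# Added example: temporary (in-memory) subscription to the extrinsic Win32_ProcessStartTrace event.
# Nothing is written to the WMI repository, so the subscription dies with the session.
# Must run elevated; the log path below is an assumption of this example.

# MessageData travels with every event, so the action block does not depend on caller scope.
$context = @{
    LogPath       = Join-Path $env:TEMP 'procstart.log'
    # CommandLineEventConsumer children are spawned by WmiPrvSE.exe,
    # ActiveScriptEventConsumer scripts run inside scrcons.exe
    ConsumerHosts = @('WmiPrvSE.exe', 'scrcons.exe')
}

Register-WmiEvent -Query 'SELECT * FROM Win32_ProcessStartTrace' `
                  -SourceIdentifier 'ProcStart' -MessageData $context -Action {
    $e   = $Event.SourceEventArgs.NewEvent        # ProcessName, ProcessID, ParentProcessID
    $ctx = $Event.MessageData

    # Resolve the parent name by PID; the parent may already have exited, hence the null check
    $parent = Get-WmiObject -Query "SELECT Name FROM Win32_Process WHERE ProcessId = $($e.ParentProcessID)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $flag = if ($ctx.ConsumerHosts -icontains $parentName) { '!! child of a WMI consumer host' } else { '' }

    $line = '{0:u} pid={1} ppid={2} parent={3} {4} {5}' -f (Get-Date), $e.ProcessID, $e.ParentProcessID, $parentName, $e.ProcessName, $flag
    Add-Content -Path $ctx.LogPath -Value $line
} | Out-Null

Write-Output "Logging process starts to $($context.LogPath); press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
} finally {
    # Ctrl+C runs the finally block, so the subscription is always cleaned up
    Unregister-Event -SourceIdentifier 'ProcStart'
}
```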
Event filter
• Defines which event triggers the subscription
• Expressed as a WMI query
• Intrinsic query (parenthesised so that the extension test applies to both classes, rather than OR binding to the whole condition):
  SELECT * FROM __InstanceOperationEvent WITHIN 30
  WHERE (__CLASS = "__InstanceCreationEvent" OR __CLASS = "__InstanceModificationEvent")
  AND TargetInstance ISA "CIM_DataFile"
  AND (TargetInstance.Extension = "doc" OR TargetInstance.Extension = "docx")
• Extrinsic query:
  SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2
Event consumer
• Defines what to do when the event fires.
• These are the standard event consumers:
LogFileEventConsumer
ActiveScriptEventConsumer
NTEventLogEventConsumer
SMTPEventConsumer
CommandLineEventConsumer
WMIGhost APT
• Targeting Indian users, mainly military, energy and government policy.
• Infection via spear phishing.
• Drops an unclassified government file like this:
WMIGhost (2014-2015)
• "India US strategic dialouge press release.doc" (000150415302D7898F56D89C610DE4A9).
• If successful, then drops dw20.exe and gupdate.exe
• https://github.com/ytisf/theZoo/tree/master/ma (password: infected)
ShadowNet APT
• This was detected this year during Tibetan Uprising Day.
• The group modified the toolchain to add a WMI script for gathering information and exfiltration.
• Multi-layer C&C server; identifies victims using encoded strings.
Registrant Name: Kasong Dolma
Registrant Street: New York
Registrant City: New York
Registrant State/Province: guangdong
Registrant Postal Code: 10001
Registrant Country: CN
Registrant Phone: +1.9175608889
Registrant Email: mike.fly@email.com
WMI offensive tools
Demo
• Acts like a shell using WMI as C&C.
• Uses namespaces for storing the data.
• Stores the data in the namespace Base64-encoded to get past firewalls and endpoint protection.
• Decodes the Base64 data on the attacker machine.
Defenses
• Don't enable WMI remoting?
• Stricter firewall rules
• Monitor permanent WMI event subscriptions
• Custom event logs
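An added example (not from the slides) that implements the "permanent WMI event subscriptions" defense and ties together the filter, consumer and binding slides: it walks root\subscription, joins each __FilterToConsumerBinding back to its __EventFilter and __EventConsumer, and flags the two consumer classes that execute supplied code. Read-only; run elevated. The stock "SCM Event Log Consumer" binding that Windows ships with is expected to appear.

```powershell
# Added example: inventory permanent WMI event subscriptions (filter + consumer + binding).
# Read-only; run from an elevated prompt so every instance in root\subscription is visible.

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer   # base class: returns every consumer type
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    # Consumer classes that run whatever text the subscription author put in them
    $codeRunners = 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

    foreach ($b in $bindings) {
        # Filter/Consumer hold object paths such as __EventFilter.Name="X"; pull out the Name key
        $fName = if ($b.Filter   -match 'Name="([^"]*)"') { $Matches[1] } else { $b.Filter }
        $cName = if ($b.Consumer -match 'Name="([^"]*)"') { $Matches[1] } else { $b.Consumer }
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

        # The payload lives in ScriptText (ActiveScript) or CommandLineTemplate (CommandLine)
        $payload = ''
        if ($c) {
            if ($c.ScriptText)              { $payload = $c.ScriptText }
            elseif ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        }

        [pscustomobject]@{
            Filter       = $fName
            Query        = if ($f) { $f.Query } else { '<filter missing>' }
            Consumer     = $cName
            ConsumerType = if ($c) { $c.__CLASS } else { '<consumer missing>' }
            RunsCode     = [bool]($c -and ($codeRunners -contains $c.__CLASS))
            Payload      = $payload
        }
    }
}

# Windows itself ships one binding: 'SCM Event Log Filter' -> 'SCM Event Log Consumer'
# (an NTEventLogEventConsumer). Anything else, and anything with RunsCode = True, needs a known owner.
Get-WmiPersistence | Format-List
```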
Books
References
• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers
• http://www.welivesecurity.com/2013/05/23/syndicasec-in-the-sin-bin/
• https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/WMIGhost
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
• http://2014.hackitoergosum.org/slides/day1_WMI_Shell_Andrei_Dumitrescu.pdf
• https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/bg126473(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/aa394554(v=vs.85).aspx
• http://blogs.technet.com/b/heyscriptingguy/archive/2012/06/08/an-insider-s-guide-to-using-wmi-events-and-powershell.aspx
• http://www.codeproject.com/Articles/28226/Creating-WMI-Permanent-Event-Subscriptions-Using-M
• http://ytisf.github.io/theZoo/
• https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_IR_Track_There's_Something_About_WMI.pdf