TOPIC: WMI - Exploitation and Detection

OUR GUEST WILL BE:

Chris Truncer - FortyNorthSec
Twitter - @ChrisTruncer and @FortyNorthSec
Blog - https://www.fortynorthsecurity.com/blog
Github - https://www.github.com/FortyNorthSecurity

SPONSORS OF OUR PODCAST

NEWS-WORTHY - Sysinternals release Sysmon 8.0 and AutoRuns 13.90

Mark and crew over at Microsoft have release updates to two popular tools in Sysmon and AutoRuns. Sysmon 8 adds a RuleTag field so now you can label your rules and see the rule name in the logs data. Autoruns fixed data involving WMI, the topic of the day.

Sysinternals website

Reminder - Do NOT upload files to VirusTotal until you are certain you are not going to disclose anything to the criminals as they will know, that you know about their Fu. Also, anything you upload can be downloaded by anyone with a VT Private Key and if you upload documents with confidential data, you may create a disclosure for yourself.

MALWARE OF THE MONTH

Sadly, none of interest this month ;-(

SITE-WORTHY

1. BDIR - WMI vs. WMI: Monitoring for Malicious Activity

https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html

2. Abusing WMI Providers for Persistence

https://www.slideshare.net/PhilipTsukerman/abusing-wmi-providers-for-persistence-bsidestlv

Guests - Chris Truncer

Device Guard Bypass Mitigation Rules

https://github.com/mattifestation/DeviceGuardBypassMitigationRules
WMI Implant Blog - https://www.fortynorthsecurity.com/out-of-the-box-wmimplant-detection-opportunities/
Some IR Tools - https://github.com/Invoke-IR
Matt Graeber's Blog - http://www.exploit-monday.com

TOOL-WORTHY

BDIR - WMILM - Phillip Tsukerman

https://github.com/Cybereason/Invoke-WMILM

2. LOG-MD-Pro of course, new WMI persistence feature

www.LOG-MD.com

Guests - Chris Truncer

WMImplant - https://github.com/FortyNorthSecurity/WMImplant
WMIOps (older) - https://github.com/FortyNorthSecurity/WMIOps

TOPIC OF THE DAY

WMI - Exploitation and Detection

Articles:

Will Schroeder - @ harmj0y

Article on settings needed to enable remote WMI

https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/

Matt Graeber BlackHat 2015 - Abusing Windows Management

Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor

Chris Truncer - WMImplant

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

Other WMI and Exploit Kits for Testing detection:

https://pentestlab.blog/2017/11/20/command-and-control-wmi/

ASR rules for blocking wmi and psexec process creation

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

INTERVIEW:

What is WMI
Why do PenTesters and Red Teamers like it?
What are the components of WMI that IR and defenders need to know about
What should defenders, hunters, IR and Forensic people look for?
How to add WMI to your investigations
1. WMIC cmd line
2. CIMOM Registry key

HKLM\SOFTWARE\Microsoft\WBEM\CIMOM

Scan the WMI database
Can you block this type of attack, block the following from being accessible
1. Admin$
2. wmic /node:"<hostname or IP>" os get Caption
3. Change key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - set to “0”

Delete key

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken

Disable Remote RPC from the Firewall maybe
Disable DCOM
Testing lab configuration - See Will’s article below
1. Add the keys just mentioned
2. Check Windows firewall for Remote RPC
3. Test that you can get to Admin$
4. wmic /node:"<hostname or IP>" os get Caption

If it works, you will get the OS of the remote machine and be able to map the ADMIN$ share

What our testing showed

Impersonation level - “impersonation” + “identification”

9. How to test yourself

WIn Logging Cheat sheet
Humio
The tools discussed

-----------------------------------------------------------------------------------------------