TOPIC: WMI - Exploitation and Detection
OUR GUEST WILL BE:
Chris Truncer - FortyNorthSec
Twitter - @ChrisTruncer and @FortyNorthSec
Blog - https://www.fortynorthsecurity.com/blog
Github - https://www.github.com/FortyNorthSecurity
SPONSORS OF OUR PODCAST
NEWS-WORTHY - Sysinternals releases Sysmon 8.0 and AutoRuns 13.90
Mark and crew over at Microsoft have released updates to two popular tools, Sysmon and AutoRuns. Sysmon 8 adds a RuleTag field, so you can now label your rules and see the rule name in the log data. Autoruns fixed an issue with its WMI data, the topic of the day.
Reminder - Do NOT upload files to VirusTotal until you are certain you are not going to disclose anything to the criminals, as they will then know that you know about their Fu. Also, anything you upload can be downloaded by anyone with a VT Private Key, and if you upload documents with confidential data, you may create a disclosure for yourself.
MALWARE OF THE MONTH
Sadly, none of interest this month ;-(
SITE-WORTHY
1. BDIR - WMI vs. WMI: Monitoring for Malicious Activity
2. Abusing WMI Providers for Persistence
Guest - Chris Truncer
Device Guard Bypass Mitigation Rules
https://github.com/mattifestation/DeviceGuardBypassMitigationRules
WMI Implant Blog - https://www.fortynorthsecurity.com/out-of-the-box-wmimplant-detection-opportunities/
Some IR Tools - https://github.com/Invoke-IR
Matt Graeber's Blog - http://www.exploit-monday.com
TOOL-WORTHY
1. BDIR - WMILM - Phillip Tsukerman
2. LOG-MD-Pro of course, new WMI persistence feature
Guest - Chris Truncer
WMImplant - https://github.com/FortyNorthSecurity/WMImplant
WMIOps (older) - https://github.com/FortyNorthSecurity/WMIOps
TOPIC OF THE DAY
WMI - Exploitation and Detection
Articles:
Will Schroeder - @harmj0y
Article on settings needed to enable remote WMI
Matt Graeber BlackHat 2015 - Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor
Chris Truncer - WMImplant
Other WMI and Exploit Kits for Testing detection:
ASR rules for blocking WMI and PsExec process creation
INTERVIEW:
What is WMI?
Why do PenTesters and Red Teamers like it?
What are the components of WMI that IR and defenders need to know about?
What should defenders, hunters, IR and Forensic people look for?
How to add WMI to your investigations
WMIC cmd line
CIMOM Registry key
HKLM\SOFTWARE\Microsoft\WBEM\CIMOM
Scan the WMI database
Can you block this type of attack? Block the following from being accessible:
Admin$
wmic /node:"<hostname or IP>" os get Caption
Change key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - set to "0"
Delete key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
Disable Remote RPC from the Firewall maybe
Disable DCOM
Testing lab configuration - See Will's article listed under Articles above
Add the keys just mentioned
Check Windows firewall for Remote RPC
Test that you can get to Admin$
wmic /node:"<hostname or IP>" os get Caption
If it works, you will get the OS of the remote machine and be able to map the ADMIN$ share
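The interview outline above lists the settings to check (LocalAccountTokenFilterPolicy, FilterAdministratorToken, DCOM, Remote RPC through the firewall, the CIMOM key) and tells you to "scan the WMI database". The script below is an added defender-side example, not code from the podcast, from Chris Truncer or from the FortyNorthSec tools; it audits those settings on the local host and lists every permanent WMI event subscription (filter, consumer, binding) so the persistence shape from Matt Graeber's talk shows up in one table. The function name Get-WmiHardeningAudit and the output layout are mine; the registry paths and Sysmon event IDs 19, 20 and 21 (added in Sysmon 6.10 for WMI subscription changes) are real.

```powershell
# Added example, not code from the podcast or from FortyNorthSec/WMImplant:
# a defender-side audit of the WMI hardening settings and persistence location
# the show notes list. Run from an elevated PowerShell session on the host.

function Get-WmiHardeningAudit {
    [CmdletBinding()]
    param()

    $system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol    = Get-ItemProperty -Path $system -ErrorAction SilentlyContinue

    # Remote UAC token filtering. The notes recommend LocalAccountTokenFilterPolicy = 0
    # and removing FilterAdministratorToken; a value of 1 on the first key hands local
    # admins a full token over the network, which remote WMI and Admin$ access ride on.
    $audit = [ordered]@{
        LocalAccountTokenFilterPolicy = if ($null -ne $pol.LocalAccountTokenFilterPolicy) { $pol.LocalAccountTokenFilterPolicy } else { 'absent (filtering on by default)' }
        FilterAdministratorToken      = if ($null -ne $pol.FilterAdministratorToken) { $pol.FilterAdministratorToken } else { 'absent' }
    }

    # DCOM: remote WMI is DCOM/RPC underneath. 'Y' means DCOM is enabled machine-wide.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $audit.EnableDCOM = $ole.EnableDCOM

    # Enabled inbound firewall rules in the WMI group (WMI-In, DCOM-In, ASync-In).
    $wmiRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayGroup -like '*Windows Management Instrumentation*' }
    $audit.InboundWmiRulesEnabled = @($wmiRules | Select-Object -ExpandProperty DisplayName)

    # CIMOM key from the notes: WMI's own logging knobs live here.
    $audit.CIMOM = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM' -ErrorAction SilentlyContinue |
        Select-Object -Property Logging, 'Logging Directory', 'Log File Max Size'

    # "Scan the WMI database": permanent event subscriptions live in root\subscription.
    # A filter bound to a CommandLineEventConsumer or ActiveScriptEventConsumer is the
    # persistence shape from Matt Graeber's BlackHat 2015 talk.
    $ns        = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    $audit.Subscriptions = foreach ($b in $bindings) {
        # Reference properties come back as CimInstances; match them to the full objects by Name (the key).
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $c.Name
            # Only one of these exists per consumer class; the other is $null and joins away.
            Payload      = @($c.CommandLineTemplate, $c.ScriptText) -join ''
        }
    }

    # Sysmon 6.10+ logs subscription changes as event IDs 19 (filter), 20 (consumer), 21 (binding).
    $audit.RecentSysmonWmiEvents = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21
        } -MaxEvents 25 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)

    [pscustomobject]$audit
}

Get-WmiHardeningAudit | Format-List
```

Run it before and after applying the registry and firewall changes from the notes, and again after the wmic /node test: a healthy baseline shows LocalAccountTokenFilterPolicy at 0 (or absent), no enabled inbound WMI rules on hosts that should not be managed remotely, and an empty Subscriptions list apart from any bindings your own management tooling creates.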
What our testing showed
Impersonation level - "impersonation" + "identification"
How to test yourself
Windows Logging Cheat Sheet
Humio
The tools discussed
-----------------------------------------------------------------------------------------------