BDIR Podcast Episode-005

TOPIC: WMI - Exploitation and Detection

OUR GUEST WILL BE:

  • Chris Truncer - FortyNorthSec

  • Twitter - @ChrisTruncer and @FortyNorthSec

  • Blog - https://www.fortynorthsecurity.com/blog

  • Github - https://www.github.com/FortyNorthSecurity

SPONSORS OF OUR PODCAST

Humio.com

LOG-MD.com

NEWS-WORTHY - Sysinternals releases Sysmon 8.0 and Autoruns 13.90

Mark and crew over at Microsoft have released updates to two popular tools, Sysmon and Autoruns.  Sysmon 8 adds a RuleName field, so you can now label your rules and see the rule name in the log data.  Autoruns fixed issues with its WMI data, which is the topic of the day.

Reminder - Do NOT upload files to VirusTotal until you are certain you are not going to disclose anything to the criminals, because they will know that you know about their Fu.  Also, anything you upload can be downloaded by anyone with a VT private key, so if you upload documents with confidential data, you may create a disclosure for yourself.

MALWARE OF THE MONTH

Sadly, none of interest this month ;-(

SITE-WORTHY

1.  BDIR - WMI vs. WMI: Monitoring for Malicious Activity

2.  Abusing WMI Providers for Persistence

Guests - Chris Truncer

  1. Device Guard Bypass Mitigation Rules

TOOL-WORTHY

  1. BDIR - WMILM - Phillip Tsukerman

  2. LOG-MD-Pro of course, new WMI persistence feature

Guests - Chris Truncer

  1. WMImplant - https://github.com/FortyNorthSecurity/WMImplant

  2. WMIOps (older) - https://github.com/FortyNorthSecurity/WMIOps

TOPIC OF THE DAY

WMI - Exploitation and Detection

Articles:

Will Schroeder - @harmj0y

Article on settings needed to enable remote WMI

Matt Graeber, BlackHat 2015 - Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor

Chris Truncer - WMImplant

Other WMI and exploit kits for testing detection:

ASR rules for blocking WMI and PsExec process creation

INTERVIEW:

  1. What is WMI?

  2. Why do PenTesters and Red Teamers like it?

  3. What are the components of WMI that IR and defenders need to know about?

  4. What should defenders, hunters, IR and Forensic people look for?

  5. How to add WMI to your investigations

    1. WMIC cmd line

    2. CIMOM Registry key

      • HKLM\SOFTWARE\Microsoft\WBEM\CIMOM

    3. Scan the WMI database

  6. Can you block this type of attack? Block the following from being accessible:

    1. Admin$

    2. wmic /node:"<hostname or IP>" os get Caption

    3. Change key

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy - set to “0”

    4. Delete key

      • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken

    5. Disable Remote RPC from the Firewall, maybe

    6. Disable DCOM

  7. Testing lab configuration - see Will’s article in the Articles list

    1. Add the keys just mentioned

    2. Check Windows firewall for Remote RPC

    3. Test that you can get to Admin$

    4. wmic /node:"<hostname or IP>" os get Caption

      • If it works, you will get the OS of the remote machine and be able to map the ADMIN$ share

  8. What our testing showed

      • Impersonation level - “impersonation” + “identification”

  9. How to test yourself

      • Win Logging Cheat Sheet

      • Humio

      • The tools discussed
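The defender-side items in the outline above (the CIMOM key, the LocalAccountTokenFilterPolicy and FilterAdministratorToken values, and "scan the WMI database" for permanent event subscriptions) can be checked with the read-only audit below. This is an added example, not code from the podcast or from FortyNorthSec; the "known good" SCM Event Log binding it allowlists is the one a stock Windows install ships with, and every other output is reported as-is for the analyst to judge.

```powershell
# Added audit script (not from the show or its guest). Read-only: reports the
# registry settings named in the show notes and lists every permanent WMI event
# subscription on the host. Run from an elevated PowerShell prompt on the host.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$cimomKey  = 'HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM'

function Get-RegValueOrAbsent {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { '<absent>' } else { $item.$Name }
}

'--- Remote-admin token filtering (show notes: set to 0 / delete) ---'
$tokenPolicy = Get-RegValueOrAbsent $policyKey 'LocalAccountTokenFilterPolicy'
$adminToken  = Get-RegValueOrAbsent $policyKey 'FilterAdministratorToken'
# LocalAccountTokenFilterPolicy = 1 hands local admin accounts a full token over
# the network, which is what lets remote wmic / ADMIN$ access from a local account work.
[pscustomobject]@{ Name = 'LocalAccountTokenFilterPolicy'; Value = $tokenPolicy
    Note = if ($tokenPolicy -eq 1) { 'REVIEW: remote use of local admin accounts enabled' } else { 'ok' } }
[pscustomobject]@{ Name = 'FilterAdministratorToken'; Value = $adminToken
    Note = if ($adminToken -eq '<absent>') { 'absent' } else { 'present (show notes: delete)' } }

'--- CIMOM key (record the values for the case file) ---'
Get-ItemProperty -Path $cimomKey -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*

'--- Permanent WMI event subscriptions (root\subscription) ---'
# Stock Windows carries one binding: "SCM Event Log Filter" -> "SCM Event Log Consumer"
# (NTEventLogEventConsumer). Any other binding needs a documented owner.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    $b        = $_
    $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                Where-Object Name -eq $b.Filter.Name
    $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                Where-Object Name -eq $b.Consumer.Name
    [pscustomobject]@{
        Filter       = $b.Filter.Name
        Query        = $filter.Query                      # WQL trigger for the subscription
        ConsumerType = $consumer.CimClass.CimClassName    # e.g. CommandLineEventConsumer
        Consumer     = $b.Consumer.Name
        # CommandLineEventConsumer / ActiveScriptEventConsumer carry the action
        # that runs when the filter fires; other consumer types leave this empty.
        Payload      = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                       elseif ($consumer.ScriptText)      { $consumer.ScriptText } else { '' }
        KnownDefault = ($b.Filter.Name -eq 'SCM Event Log Filter' -and
                        $b.Consumer.Name -eq 'SCM Event Log Consumer')
    }
} | Format-List
```

Anything with KnownDefault set to False deserves a ticket: compare the Payload against the WMI-Activity and Sysmon (event IDs 19-21) logs discussed on the show.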

-----------------------------------------------------------------------------------------------