• Quick Background
• Malicious Possibilities
• Real-World Examples
• Detection & Defense
• Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
  • Los Alamos National Lab: IR Lead
  • US Navy: Information Warfare Officer
  • University of Chicago: Philosophy Drop-Out
• Scripting and interactive language
• Introduced in 2006, integral to Win7+ since 2009
• Full access to COM & WMI for system administration
• WMI = Windows Management Instrumentation
• Interactive and scriptable framework for local and remote administration
• Frequently accessed via PowerShell
http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png
http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png
http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html
https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png
http://www.freeiconspng.com/img/17209
• PowerShell is a powerful, useful tool for network administration
• Widely used in Windows Enterprise environments
• WMI enables significant access to review and modify system data
• Access via PowerShell allows for scripting and automated possibilities
• PowerShell's ubiquity adds a significant capability for potential attackers
• Enhances ability to 'live off the land'
• Expands initial infection vectors
Command | Use
-EncodedCommand | Accepts Base64-encoded input for execution within PowerShell
(New-Object System.Net.WebClient).DownloadFile() | Download a file from a remote location; can be piped to Start-Process to execute
-ExecutionPolicy Bypass | Circumvent system limits on script execution
-WindowStyle Hidden | Hide the command window from the user
Invoke-Expression | Execute arbitrary code or commands
Delivery Vectors
VBA
VBS
BAT
JS
Registry
Startup.lnk
https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg
• WMI is also ubiquitous, potent 'dual-use'
• Can enable:
  • Complex exploitation, persistence on infected host
  • New vectors to pivot within network
  • PsExec-like remote execution
  • Malicious file/script storage
  • Persistence when combined with file or registry activity
• Pentesting frameworks
• Crimeware/Commodity malware
• APT
• Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware payload
• WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png
CMD
• Command execution
• Execution Parameters
PowerShell
• Interactive and Scripts
• Flags, Modifiers, full Visibility
WMI
• Log Events
• Correlate with Other Activity
What is required to achieve 'bad'?
• Process Execution
• Persistence
• Encode / Decode
• Download / Upload
• Sysinternals Sysmon
• Windows Logging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security
• WLS incorporates PowerShell logging natively
• Otherwise:
  • Windows 7+
  • PowerShell 5.0+
  • Enable logging!
  • See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Sysinternals Sysmon: latest version includes WMI visibility
  • But logging/alerting will need to be tuned
• DIY via WMI Subscription creation
• Otherwise: commercial products
Establish Visibility
Baseline ‘Normal’
Identify Malicious
Create Alerts & Alarms
Develop Response
• What PowerShell/WMI scripts are used in ‘normal’ network administration?
• What commands never have legitimate use?
• What – if any – items require whitelisting?
wmic /node:REMOTESYSTEM process call create "EVIL_COMMAND"
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE "%VMware%"
$BADTHING = New-Object Management.ManagementClass($REMOTESYSTEM, [String]::Empty, $null)
$BADTHING['__CLASS'] = 'Evil_Malware'
$BADTHING.Properties.Add('SomethingEvil', [Management.CimType]::String, $False)
$BADTHING.Properties['SomethingEvil'].Value = $PAYLOAD
$BADTHING.Put()
• Create Event Consumer: performs action when triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
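The filter, consumer and binding pattern described above, as an added PowerShell example that is not from the slides or the FireEye post: it logs a line whenever a new permanent subscription object appears in root\subscription (the objects WMI persistence relies on), then enumerates the existing subscriptions to baseline 'normal'. The object names and log path are assumptions, and creating the subscription requires an elevated PowerShell session.

```powershell
# Added example (not from the slides): log every new permanent WMI subscription
# object in root\subscription. Names and log path are assumptions; run elevated.
$Namespace = 'root\subscription'
$LogPath   = 'C:\Logs\WmiSubscriptionMonitor.log'   # assumed; the folder must exist
# 1. Event Filter: poll every 5 s for creation of a filter, consumer or binding
$FilterQuery = @"
SELECT * FROM __InstanceCreationEvent WITHIN 5
WHERE TargetInstance ISA '__EventFilter'
   OR TargetInstance ISA '__EventConsumer'
   OR TargetInstance ISA '__FilterToConsumerBinding'
"@
$Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
    Name           = 'SOC_SubscriptionMonitor_Filter'
    EventNamespace = $Namespace
    QueryLanguage  = 'WQL'
    Query          = $FilterQuery
}
# 2. Event Consumer: LogFileEventConsumer appends one templated line per event;
#    __RELPATH carries the key properties, so the template fits all three classes
$Consumer = Set-WmiInstance -Namespace $Namespace -Class LogFileEventConsumer -Arguments @{
    Name      = 'SOC_SubscriptionMonitor_Consumer'
    Filename  = $LogPath
    Text      = '%TIME_CREATED% NEW %TargetInstance.__CLASS% %TargetInstance.__RELPATH%'
    IsUnicode = $false
}
# 3. Filter-to-Consumer Binding: this activates the monitor
Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $Filter
    Consumer = $Consumer
} | Out-Null
# Baseline 'normal': list every permanent subscription, what it triggers on and
# what it does, so entries the monitor logs later can be compared against it
function Get-WmiPermanentSubscription {
    foreach ($b in Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding) {
        $f = [wmi]$b.Filter      # resolve the reference paths stored in the binding
        $c = [wmi]$b.Consumer
        [pscustomobject]@{
            Filter        = $f.Name
            Query         = $f.Query
            ConsumerClass = $c.__CLASS
            Consumer      = $c.Name
            # whichever payload-bearing property this consumer class carries
            Action        = @($c.CommandLineTemplate, $c.ScriptText, $c.Filename) -ne $null |
                            Select-Object -First 1
        }
    }
}
Get-WmiPermanentSubscription | Format-Table -AutoSize
```

The monitor's own filter, consumer and binding will appear in the baseline output and in the log once, which is the expected first entry to whitelist.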