BlackHat Presentation: WMI Architecture Used to Attack

Matt Graeber's BlackHat 2015 presentation on Microsoft's WMI (Windows Management Instrumentation); the white paper is here:

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

[Figure: WMI architecture diagram]

You can easily see from the diagram that WMI is integral to Windows technologies. Matt goes on to create PowerShell code which queries all WMI classes and namespaces.

Some class paths that I found interesting:

CIMV2:Win32_BIOS

CIMV2:Win32_AllocatedResource

and more

PowerShell seems to be the scripting language to access WMI. He goes on to state how to do that with various cmdlets.

One difference between the WMI cmdlets and the CIM cmdlets is that the WMI cmdlets only work over DCOM, whereas the CIM cmdlets work over both the WinRM and DCOM protocols.
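To make the DCOM/WinRM distinction concrete, here is an added PowerShell example (my own, not code from Matt's paper or this post) that fetches the same Win32_BIOS instance three ways: with the legacy WMI cmdlet, which is DCOM only; with a CIM cmdlet over WinRM; and with a CIM cmdlet forced onto DCOM. The $Target host name is an assumption; 'localhost' runs it against the local machine.

```powershell
# Added example (not from Matt Graeber's paper or this blog post): the same Win32_BIOS
# query via the legacy WMI cmdlet (DCOM only) and the CIM cmdlets (WinRM by default,
# DCOM on request). $Target is an assumed host name; 'localhost' works for a local test.
param([string]$Target = 'localhost')

# 1. Legacy WMI cmdlet: always DCOM (TCP 135, then a dynamic port).
#    Only available in Windows PowerShell 5.1; it was removed from PowerShell 7.
$viaWmi = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_BIOS -ComputerName $Target

# 2. CIM cmdlet over WinRM (WS-Man, TCP 5985/5986), the default when -ComputerName is used.
#    Test-WSMan returns nothing (with SilentlyContinue) when the WinRM listener is absent.
$viaWinRm = $null
if (Test-WSMan -ComputerName $Target -ErrorAction SilentlyContinue) {
    $viaWinRm = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_BIOS -ComputerName $Target
}

# 3. CIM cmdlet forced over DCOM, for hosts where WinRM is not listening.
$dcomOpt = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Target -SessionOption $dcomOpt
try {
    $viaDcom = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_BIOS -CimSession $session
} finally {
    Remove-CimSession -CimSession $session
}

# Summarise which transport produced an answer; all three should agree on a reachable host.
[pscustomobject]@{
    Target          = $Target
    WmiCmdlet_DCOM  = $viaWmi.SerialNumber
    CimCmdlet_WinRM = if ($viaWinRm) { $viaWinRm.SerialNumber } else { 'WinRM not reachable' }
    CimCmdlet_DCOM  = $viaDcom.SerialNumber
}
```

From the defensive side the difference matters: WinRM traffic arrives on TCP 5985/5986 and is simple to firewall and log, while DCOM starts on 135 and continues on a dynamic port. Note also that Get-WmiObject exists only in Windows PowerShell 5.1; PowerShell 7 ships the CIM cmdlets only, so monitoring scripts written against the CIM cmdlets age better.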

Matt also reviews some WMI GUI tools such as WMI Explorer, WMI Tester, and WMI CIM Studio.

Here is where the “security” angle comes in: Remote WMI

DCOM (Distributed Component Object Model) is the default protocol used by WMI and connects over TCP port 135. After the initial connection, the port number is randomized.

So the stage is set: we have an integral Microsoft technology on most computers (especially servers) that is capable of performing many functions remotely as well as locally.

Starting on page 15 of the white paper there are malicious WMI persistence examples, WMI attacks, reconnaissance, persistence, and lateral movement.

These are the same steps that all pentesters take; I explain SVAPE&C (Scan, Vulnerability, Assessment, Penetrate, Exploit & Control) at the following link:

http://oversitesentry.com/tonyz/pubhtml/fixvirus/svapec/

WMI seems to have all the pieces for both sides of security, pentesting as well as defense.

Including an IDS (Intrusion Detection System).

With the right WMI query, one can find out what is going on in a Windows computer.

The following 3 steps can be done to protect against WMI attacks.

[Figure: WMI mitigations]

Update your security policies so that WMI is also reviewed and/or turned off if possible.
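As an added example covering both points above, the WMI query that shows what is going on in a machine and the review of WMI called for in the policy step, here is a PowerShell script (my own, not the paper's or this post's code) that inventories the permanent event subscriptions in root\subscription, which are the building blocks of the WMI persistence the paper describes, and then registers a WMI indication so that WMI itself alerts when a new event consumer appears. The -Target parameter and the 'NewWmiConsumer' identifier are assumptions; it expects a local administrator account.

```powershell
# Added example, not code from the paper or this post. Reviews the permanent WMI
# event subscriptions (filter -> consumer bindings in root\subscription) that WMI
# persistence relies on, then keeps watching for new consumers. -Target is an assumed
# host name; anything other than 'localhost' is reached over WinRM via the CIM cmdlets.
param([string]$Target = 'localhost')

$cim = @{ Namespace = 'root\subscription' }
if ($Target -ne 'localhost') { $cim.ComputerName = $Target }

# Consumer classes that run a command line or a script when their filter fires.
$executingConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

function Get-WmiSubscriptionReport {
    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer   # returns all subclasses
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are CIM references; their key property is Name.
        $f     = $filters   | Where-Object Name -eq $b.Filter.Name
        $c     = $consumers | Where-Object Name -eq $b.Consumer.Name
        $class = $c.CimClass.CimClassName
        [pscustomobject]@{
            Host          = $Target
            Filter        = $b.Filter.Name
            TriggerQuery  = $f.Query          # the WQL event that fires the consumer
            Consumer      = $b.Consumer.Name
            ConsumerClass = $class
            # Only the executing consumer classes carry these properties; others give $null.
            Payload       = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
            ReviewNeeded  = $class -in $executingConsumers
        }
    }
}

# 1. One-time inventory. A clean workstation usually has few or no rows; some management
#    products install bindings legitimately, so compare the output against a baseline.
Get-WmiSubscriptionReport | Format-Table -AutoSize -Wrap

# 2. Live alert: use WMI itself as a small IDS. Intrinsic creation events for
#    __EventConsumer (and its subclasses, via ISA) are polled every 10 seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA '__EventConsumer'"
Register-CimIndicationEvent @cim -Query $query -SourceIdentifier 'NewWmiConsumer' -Action {
    $new = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Warning ("New WMI event consumer created: {0} ({1})" -f $new.Name, $new.CimClass.CimClassName)
}
# The alert lives as long as this session; remove it with:
#   Unregister-Event -SourceIdentifier 'NewWmiConsumer'
```

Rows whose ConsumerClass is CommandLineEventConsumer or ActiveScriptEventConsumer deserve a look at the Payload column, since that is the command or script that will run whenever the trigger query matches. On Windows 10 and Server 2016 and later the Microsoft-Windows-WMI-Activity/Operational event log also records permanent subscription creation (Event ID 5861), so the same review can be fed to a SIEM rather than run interactively.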
