BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI

•

1 like•776 views

This slide deck was presented at BlackHat USA 2019 Arsenal and is titled WMImplant: An Offensive Use Case of WMI. This covers how WMImplant weaponizes WMI.

Technology

WMImplant: An Offensive Use Case of WMI
@ChrisTruncer

• WMImplant is a PowerShell-based post-exploitation tool designed
to attack systems leveraging Application Whitelisting
• Specifically Device Guard/Windows Defender Application Control
• It utilizes a “living off the land” approach to compromise and take
action against protected systems
• WMImplant leverages WMI for all stages of an attack
• The means to trigger an action (run a command)
• The C2 channel
• Data storage
• Why?

• Windows Defender Application Control/Device Guard enforce
application whitelisting rules on a system
• Just like any app whitelisting software
• So how can you attack it?
• Develop an application whitelisting bypass
• Regsvr32
• MSBuild
• InstallUtil
• These are incredibly effective
• But they cost time and research == MONEY

• The other method to attack is to live off the land
• What is likely allowed to run on an app whitelisting protected
system?
• Most Microsoft applications (signed)
• Most default services
• PowerShell
• Is it possible to leverage these?

• WMI == Windows
Management Instrumentation
• A service installed and enabled
by default since Windows
2000
• Enables
attackersadministrators to
admin systems
• Get free disk space
• Start processes
• Etc. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-
Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

• WMI is easily weaponized by
attackers to run programs
• But it has a “blind process
creation” problem
• We can run programs
• But we can’t get any output!
• Let’s try to solve this issue
https://community.spiceworks.com/how_to/127139-run-a-command-on-a-remote-computer

• Within your Windows system is a specific WMI class
(Win32_OSRecoveryConfiguration)
• The DebugFilePath property is a writeable property which instructs
Windows where to create a memory dump
• There is no validation performed on the property value

• There also isn’t a file size restriction

• By having an area to store data,
we can solve the process
output creation problem
• Store data within the WMI
property!
• When weaponized, we can also
remotely run PowerShell
Script, and get their output, all
in memory!
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-
Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

• More information can be found at the Github Repo, along with a
Wiki containing a large amount of documentation!
• https://github.com/FortyNorthSecurity/WMImplant
• https://github.com/FortyNorthSecurity/WMImplant/wiki
• @ChrisTruncer

Similar to BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI

Best practices to secure Windows10 with already included features

Alexander Benoit

Protection from hacking attacks

Sugirtha Jasmine M

VMI based malware detection in virtual environment

Ayush Gargya

Trend Micro VForum Agentless Scanning Presentation

Graeme Wood

Application Explosion How to Manage Productivity vs Security

Lumension

Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we try to make a rare OT targeting , open source adversary emulation tool as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process. We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modularized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to build automatic adversary emulation tool. Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested it on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation.

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

CODE BLUE

MIT-6-determina-vps.ppt

webhostingguy

Metasploit

Lalith Sai

Chapter 2 Presentation

Amy McMullin

Introduction to Trusted Virtual Client

gustavoeliano

Computer security: hackers and Viruses

Wasif Ali Syed

Globally.docx

GermanERuizCorrales

OSB240: What's New in Ivanti Application Control

Ivanti

AppLocker, Windows Information Protection, Device Guard, Windows Defender Application Guard- there are many ways to secure Windows 10. Not all ways are compatible with Enterprise requirements. In the session, we will have a look at what we are able to do and I will add some experiences from the field about what works well and what doesn’t. In addition, we will check how ConfigMgr can support us.

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

Alexander Benoit

how-to-bypass-AM-PPL

nitinscribd

Cyber-Security-Unit-4.pptx

TikdiPatel

CSF18 - Moving from Reactive to Proactive Security - Sami Laiho

NCCOMMS

APTs are often associated with highly-customized malware, specifically tailored for the target of the attack. But in 2014, several APT-Style attacks involved the use of massively distributed malware to gain access to enterprise systems and corporate data. The use of massively distributed malware provides significant advantages to the attackers who no longer need to spear phish targets or design custom malware. Instead, they use mass-distribution techniques to infect as many PCs as possible. According to IBM Trusteer research, 1:500 PCs in the world is already infected with Citadel, Zeus, or similar malware. Once a machine is infected with the malware, a new instruction set can be provided to turn the malware against different targets, or work with different command and controls (C&C) servers. In this webinar, Dana Tamir, Director of Enterprise Security Product Marketing, examines the use of massively distributed malware in recent APT-Style attacks and discusses the impact of this emerging trend on enterprise IT security paradigms. You will learn: • Which types of malware used in these attacks • How evasion techniques are used to bypass detection solutions • What kind of information is most targeted • How Trusteer Apex addresses these threats with a new approach to endpoint security View the on-demand recording: https://attendee.gotowebinar.com/recording/4288360696484026881

Using Massively Distributed Malware in APT-Style Attacks

IBM Security

Android security

Mohamed Alharbi

android Security

darkC0de

Similar to BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI (20)

Best practices to secure Windows10 with already included features

Protection from hacking attacks

VMI based malware detection in virtual environment

Trend Micro VForum Agentless Scanning Presentation

Application Explosion How to Manage Productivity vs Security

[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...

MIT-6-determina-vps.ppt

Metasploit

Chapter 2 Presentation

Introduction to Trusted Virtual Client

Computer security: hackers and Viruses

Globally.docx

OSB240: What's New in Ivanti Application Control

Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...

how-to-bypass-AM-PPL

Cyber-Security-Unit-4.pptx

CSF18 - Moving from Reactive to Proactive Security - Sami Laiho

Using Massively Distributed Malware in APT-Style Attacks

Android security

android Security

Recently uploaded

We're living the AI revolution and Salesforce is adapting and bring new value to their customers. Einstein products are evolving rapidly and navigating their limitations, language support, and use cases can be challenging. Let's make review of what Einstein product are available currently, what are the capabilities and what can be used for in CEE region and how Rossie.ai can help to learn Salesforce speak Czech. We will explore the Einstein roadmap and I will make a short live demo (based on your vote) of some Einstein feature.

AI revolution and Salesforce, Jiří Karpíšek

CzechDreamin

The Metaverse: Are We There Yet?

Mark Billinghurst

Unlock the mysteries of successful Salesforce interviews in this insightful session hosted by Hugo Rosario (Salesforce Customer), a seasoned hiring manager that leads the Salesforce Department of multinational company with over 100 interviews under their belt. Step into the manager's chair and gain exclusive behind-the-scenes insights into what makes a Salesforce consultant stand out during the interview process. From deciphering the unspoken cues to mastering key strategies, we'll explore the intricacies of the interview process and provide practical tips for consultants looking to not only pass interviews but also thrive in their roles. Whether you're a seasoned professional or just starting your Salesforce journey, this session is your backstage pass to the secrets that hiring managers wish you knew.

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

CzechDreamin

Speed Wins: From Kafka to APIs in Minutes

confluent

This talk focuses on the practical aspects of integrating various telephony systems with Salesforce, drawing on examples from implementations in the Czech scene. It aims to inform attendees about the spectrum of telephony solutions available, from small to large scale, and their compatibility with Salesforce. The presentation will highlight key considerations for selecting a telephony provider that integrates smoothly with Salesforce, including important questions to support the decision-making process. It will also discuss methods for integrating existing telephony systems with Salesforce, aimed at companies contemplating or in the process of adopting this CRM platform. The discussion is designed to provide a straightforward overview of the steps and considerations involved in telephony and Salesforce integration, with an emphasis on functionality, compatibility, and the practical experiences of Czech companies.

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

CzechDreamin

The Epson EcoTank L3210 is a high-performance and cost-efficient printer designed to meet the printing needs of both home users and small businesses. Equipped with Epson’s revolutionary EcoTank ink tank system, the Epson eliminates the need for traditional ink cartridges, thereby significantly reducing printing costs and plastic waste. With its PrecisionCore technology, this printer delivers sharp, vibrant prints for both documents and photos. Its user-friendly design ensures easy setup and operation, while its compact form factor saves valuable desk space. Whether it’s everyday printing jobs or creative projects, the Epson EcoTank L3210 provides a reliable and eco-friendly printing solution.

Buy Epson EcoTank L3210 Colour Printer Online.pptx

EasyPrinterHelp

Agentic RAG What it is its types applications and implementation.pdf

ChristopherTHyatt

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

David Michel

Intro in Product Management - Коротко про професію продакт менеджера

Mark Opanasiuk

You’ve heard good data matters in Machine Learning, but does it matter for Generative AI applications? Corporate data often differs significantly from the general Internet data used to train most foundation models. Join me for a demo on building an open source RAG (Retrieval Augmented Generation) stack using Milvus vector database for Retrieval, LangChain, Llama 3 with Ollama, Ragas RAG Eval, and optional Zilliz cloud, OpenAI.

Introduction to Open Source RAG and RAG Evaluation

Zilliz

This presentation focuses on the challenges and strategies of connecting problem definitions within product development. Key Points Covered: - Kayak's mission since its inception in 2004 to simplify travel by enabling easy comparisons of flights through technological solutions. - Discussion of the complexities within the travel industry, including the high expectations for personalized user experiences and the various stakeholder influences. - Emphasis on the necessity of maintaining agility and innovation within a mature company through continuous reassessment of processes. - An explanation of the importance of disciplined problem definition to prevent project failures and team inefficiencies. - Introduction of strategies for effective communication across teams to ensure alignment and comprehension at all levels of project development. - Exploration of various problem-solving methodologies, including how to handle conflicts within team settings regarding problem definitions and project directions.

Connecting the Dots in Product Design at KAYAK

UXDXConf

Syngulon’s technology expands the capacity for selection of microorganisms. The ability to select individual microbes with a behavior of interest is essential, whether for simple cloning at the bench, or for industry-scale production. Synthetic biology uses the concept of “bioengineering” to improve or modify existing genetic systems to create microbes with desired behaviors, and Syngulon uses this approach to develop its selection technologies. This selection technology is based on bacteriocins, ribosomally-produced peptides naturally made by most bacteria to kill competitive microbial species. These bacteriocins can have a limited or wide target range against other microbial species. This technology offers advantageous over antibiotic selection for several reasons: it avoids the use of antibiotics in the first place, helping to reduce the spread of antibiotic resistant microbes. The technology also increases product yield; as bacteriocins are generally smaller peptides, they do not impose a heavy metabolic burden on the producing cell. They can have a wide target specificity, helping to avoid genetic drift. Finally, our system is 100% plasmid-based (e.g. without chromosomal mutations), making it applicable for use in any E. coli strains.

Syngulon - Selection technology May 2024.pdf

Syngulon

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

FIDO Alliance

Buy Epson EcoTank L3210 Colour Printer Online.pdf

EasyPrinterHelp

IoT Analytics Company Presentation May 2024

IoTAnalytics

Already know how to write a basic SOQL query? Great! But what about an *aggregate* SOQL query? You know, the kind that uses aggregate functions like COUNT & MAX along with GROUP BY and HAVING clauses? No? Well, get ready to learn how to slice & dice your org’s data right inside your own dev console. From finding duplicate records to prototyping summary & matrix reports, learn the ins and outs of aggregate queries during this fast-paced but admin-friendly session on advanced SOQL concepts.

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

CzechDreamin

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf

FIDO Alliance

Explore the core of Salesforce success in 'Salesforce Adoption – Metrics, Methods, and Motivation.' We will discuss essential metrics, effective methods to drive adoption, and the driving force behind user engagement and explore strategies for onboarding, training, and continuous support that empower users to navigate the platform seamlessly. By leveraging these tools, you can effectively measure adoption against your company’s goals and create an environment where users not only adopt Salesforce but actively contribute to its ongoing success.

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

CzechDreamin

PLAI - Acceleration Program for Generative A.I. Startups

Stefano

In this session, we will showcase how to revolutionize automated testing for your software, automation, and QA teams with UiPath Test Suite. In part 1 of UiPath test automation using UiPath Test Suite – developer series, we will cover, Software testing overview What is software testing Why software testing is required Typical test types and levels Continuous testing and challenges Introduction to UiPath Test Suite UiPath Test Suite family of products Speaker: Atul Trikha, Chief Technologist & Solutions Architect, Peraton and UiPath MVP Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

UiPath Test Automation using UiPath Test Suite series, part 1

DianaGray10

Recently uploaded (20)

AI revolution and Salesforce, Jiří Karpíšek

The Metaverse: Are We There Yet?

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

Speed Wins: From Kafka to APIs in Minutes

Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

Buy Epson EcoTank L3210 Colour Printer Online.pptx

Agentic RAG What it is its types applications and implementation.pdf

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

Intro in Product Management - Коротко про професію продакт менеджера

Introduction to Open Source RAG and RAG Evaluation

Connecting the Dots in Product Design at KAYAK

Syngulon - Selection technology May 2024.pdf

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

Buy Epson EcoTank L3210 Colour Printer Online.pdf

IoT Analytics Company Presentation May 2024

SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

PLAI - Acceleration Program for Generative A.I. Startups

UiPath Test Automation using UiPath Test Suite series, part 1

BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI

2. WMImplant: An Offensive Use Case of WMI @ChrisTruncer

3. • WMImplant is a PowerShell-based post-exploitation tool designed to attack systems leveraging Application Whitelisting • Specifically Device Guard/Windows Defender Application Control • It utilizes a “living off the land” approach to compromise and take action against protected systems • WMImplant leverages WMI for all stages of an attack • The means to trigger an action (run a command) • The C2 channel • Data storage • Why?

4. • Windows Defender Application Control/Device Guard enforce application whitelisting rules on a system • Just like any app whitelisting software • So how can you attack it? • Develop an application whitelisting bypass • Regsvr32 • MSBuild • InstallUtil • These are incredibly effective • But they cost time and research == MONEY

5. • The other method to attack is to live off the land • What is likely allowed to run on an app whitelisting protected system? • Most Microsoft applications (signed) • Most default services • PowerShell • Is it possible to leverage these?

6. • WMI == Windows Management Instrumentation • A service installed and enabled by default since Windows 2000 • Enables attackersadministrators to admin systems • Get free disk space • Start processes • Etc. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management- Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

7. • WMI is easily weaponized by attackers to run programs • But it has a “blind process creation” problem • We can run programs • But we can’t get any output! • Let’s try to solve this issue https://community.spiceworks.com/how_to/127139-run-a-command-on-a-remote-computer

8. • Within your Windows system is a specific WMI class (Win32_OSRecoveryConfiguration) • The DebugFilePath property is a writeable property which instructs Windows where to create a memory dump • There is no validation performed on the property value

10. • There also isn’t a file size restriction

11.

12. • By having an area to store data, we can solve the process output creation problem • Store data within the WMI property! • When weaponized, we can also remotely run PowerShell Script, and get their output, all in memory! https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management- Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

13.

14. • More information can be found at the Github Repo, along with a Wiki containing a large amount of documentation! • https://github.com/FortyNorthSecurity/WMImplant • https://github.com/FortyNorthSecurity/WMImplant/wiki • @ChrisTruncer

BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI

Recommended

Recommended

More Related Content

Similar to BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI

Similar to BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI (20)

More from CTruncer

More from CTruncer (17)

Recently uploaded

Recently uploaded (20)

BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI