Understanding Windows Management Instrumentation(WMI)

Transcript

1. UNDERSTANDING WINDOWS UNDERSTANDING WINDOWS MANAGEMENT INSTRUMENTATION(WMI) MANAGEMENT INSTRUMENTATION(WMI) NULL/OWASP/G4H BLR

   MEET NULL/OWASP/G4H BLR MEET BHARATH KUMAR BHARATH KUMAR 10th March 2018

2. AGENDA AGENDA Why bother understanding WMI? What is WMI? WMI

   overview Using WMI via Powershell WQL Useful WMI queries Offensive tools using WMI Moving Forward

3. WHY BOTHER LEARNING WMI? WHY BOTHER LEARNING WMI? WMI is

   powerful and it is present in all versions of Windows starting from Windows 2000 WMI can be leveraged for system/domain administration, offensive and defensive purposes It's fun to learn WMI

4. The infamous Stuxnet malware used WMI for infection https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.

5. APT 29 has been using WMI for infection and persistence

   https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national- committee/

6. WMI has been used by adversaries in the recent hacks

   at Winter Olympics https://www.cymulate.com/hacking-the-2018-winter-olympics/

7. WHAT IS WMI? WHAT IS WMI? Windows Management Instrumentation is

   a core component of Windows that can be used to manage both local and remote computers https://technet.microso .com/en-us/library/ee692772.aspx

8. WEB-BASED ENTERPRISE MANAGEMENT WEB-BASED ENTERPRISE MANAGEMENT (WBEM) (WBEM) Data collection

   and management standards in distributed computing environment WBEM answers the "what" should this data exchange and remote management look like

9. COMMON INFORMATION MODEL (CIM) COMMON INFORMATION MODEL (CIM) CIM is

   an open standard that defines "how" managed elements in a distributed environment are represented as a common set of objects and relationships between them Object Oriented paradigm

10. WINDOWS MANAGEMENT WINDOWS MANAGEMENT INSTRUMENTATION(WMI) INSTRUMENTATION(WMI) WMI is the Microso

    implementation of CIM for the Windows platform.

11. CIM/WMI CIM/WMI Representation of anything within a computer system Namespaces

    Classes Objects Methods Properties Events Event consumers

12. NAMESPACES NAMESPACES Collection of classes Nested namespaces can exist In

    WMI, every namespace exists under "ROOT" namespace Default namespace in WMI is "ROOT\cimv2"

13. CLASSES CLASSES Class is a blueprint for an object Classes

    are abstract Classes define methods and properties In context of WMI, any Windows component can be a class like process, service, user and file

14. OBJECTS OBJECTS object refers to a particular instance of a

    class In WMI context, not all classes may have objects For example, win32_fan is a WMI class that represents properties of fan device on computer. This class might not have an object instance on VirtualBox guests

15. https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows- Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless- Backdoor-wp.pdf

16. WMI USING POWERSHELL WMI USING POWERSHELL WMI cmdlets WMI cmdlets

    operate over DCOM protocol on TCP port 135 Get-Command -Noun wmi* https://msdn.microso .com/en-us/library/ee309379(v=vs.85).aspx

17. CIM cmdlets CIM cmdlets are available in > PS v3

    (Above Windows 7) Operates over WS-MAN protocol over TCP 5985/5986. Can be forced to use DCOM Get-Command -Noun cmi* https://blogs.msdn.microso .com/powershell/2012/08/24/introduction-to-cim-cmdlets/

18. LIST ALL NAME SPACES LIST ALL NAME SPACES Get-WMIObject -Namespace

    root -Class "__Namespace" | select na

19. GET USER ACCOUNT DETAILS GET USER ACCOUNT DETAILS Get-WMIObject Win32_useraccount

    -Filter "Name like '%Arvi%'"

20. WINDOWS MANAGEMENT WINDOWS MANAGEMENT INSTRUMENTATION QUERY LANGUAGE INSTRUMENTATION QUERY LANGUAGE

    (WQL) (WQL) Microso 's implementation of the CIM Query Language (CQL) subset of ANSI standard SQL SELECT * FROM WIN32_Process where Name like '%Notepad%'"

21. GET USER ACCOUNT DETAILS USING WQL GET USER ACCOUNT DETAILS

    USING WQL gwmi -query "SELECT * FROM WIN32_useraccount WHERE Name like '

22. LIST OF PROCESSES RUNNING ON LIST OF PROCESSES RUNNING ON

    REMOTE MACHINE REMOTE MACHINE gwmi win32_process -ComputerName <remote-hostname> -Credential

23. LIST OF ALL USERS ON THE DOMAIN LIST OF ALL

    USERS ON THE DOMAIN gwmi win32_useraccount -ComputerName <remote-hostname> -Creden

24. WHAT DOES WMI PROVIDE FOR WHAT DOES WMI PROVIDE FOR

    ATTACKERS? ATTACKERS? 1. Information gathering 2. Lateral movement 3. Command/Script execution 4. Storage 5. Persistence

25. LIST ALL THE GROUPS IN DOMAIN LIST ALL THE GROUPS

    IN DOMAIN gwmi win32_group -ComputerName <remote-hostname> -Credential D

26. FIND THE ANTI VIRUS PRODUCT NAME FIND THE ANTI VIRUS

    PRODUCT NAME gwmi -Namespace root\SecurityCenter2 -Class AntiVirusProduct |

27. STEALING SESSION DETAILS/KEYS STEALING SESSION DETAILS/KEYS

28. FINDING CURRENT DOMAIN FINDING CURRENT DOMAIN CONTROLLER CONTROLLER gwmi -Namespace

    root\directory\ldap -Class ds_computer | where

29. FINDING DOMAIN THAT REMOTE FINDING DOMAIN THAT REMOTE MACHINE IS

    PART OF MACHINE IS PART OF gwmi -Namespace root\directory\ldap -Class ds_computer -Comput

30. INTERACTING WITH WMI USING INTERACTING WITH WMI USING IMPACKET IMPACKET

    wmiexec.py

31. wmiquery.py

32. WMI EVENTS WMI EVENTS PowerLurk Register-MaliciousWmiEvent -EventName alert-on-calc -Permanent https://pentestarmoury.com/2016/07/13/151/

33. WMI CONSUMERS WMI CONSUMERS ActiveScriptEventConsumer & CommandLineEventConsumer are very useful

    in red team engagements LogFileEventConsumer & NTEventLogConsumer are very useful for blue teams or admins

34. WHAT'S NOT COVERED? WHAT'S NOT COVERED? WMI events in-depth WMI

    for persistence & backdoor WMI for storage

35. LAB SETUP LAB SETUP

36. SETTING UP ACTIVE DIRECTORY SETTING UP ACTIVE DIRECTORY Setting up

    AD is very easy It can be done in under 5 powershell commands https://blogs.technet.microso .com/uktechnet/2016/06/08/setting-up-active-directory-via- powershell/

37. AUTOMATING LAB SETUP AUTOMATING LAB SETUP You can use provisioning

    so ware like vagrant, terraform to automate Active Directory lab setup A reference lab setup can be found in the following link https://github.com/StefanScherer/adfs2

38. ACTIVE DIRECTORY(AD) ON CLOUD ACTIVE DIRECTORY(AD) ON CLOUD Active Directory

    environment can be setup painlessly(subjective) on cloud services like AWS, Azure Instructions to set up AD in the cloud: TBD

39. REFERENCES REFERENCES https://technet.microso .com/en-us/library/cc181125.aspx https://www.youtube.com/watch?v=WwI-Rilu2N4 https://www.youtube.com/watch?v=hGYag0huELE&t=603s https://www.sans.org/summit-archives/file/summit_archive_1492184420.pdf https://www.coresecurity.com/corelabs-research/open-source-tools/impacket https://pentestarmoury.com/2016/07/13/151/ https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-

    windows-management-instrumentation.pdf

40. TALK CONTENT TALK CONTENT https://github.com/yamakira/understanding-wmi

41. ABOUT ME ABOUT ME Bharath Kumar Security Engineer @ Offensive

    Security Certified Professional(OSCP) Appsecco https://disruptivelabs.in @yamakira_