My presentation from SANS DFIR Summit covering PowerShell and WMI.

3. • Quick Background
• Malicious Possibilities
• Real-World Examples
• Detection & Defense

4. • Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
• Los Alamos National Lab: IR Lead
• US Navy: Information Warfare Officer
• University of Chicago: Philosophy Drop-Out

5. • Scripting and interactive language
• Introduced in 2006, integral to Win7+
since 2009
• Full access to COM & WMI for system
administration

6. • WMI = Windows Management
Instrumentation
• Interactive and scriptable framework
for local and remote administration
• Frequently accessed via PowerShell

7. http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png

8. http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png

9. http://www.opentechguides.com/how-to/article/powershell/132/get-
system-info-remotely.html

10. https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png

11. http://www.freeiconspng.co
m/img/17209
• PowerShell is a powerful,
useful tool for network
administration
• Widely used in Windows
Enterprise environments

12. • WMI enables significant access to
review and modify system data
• Access via PowerShell allows for
scripting and automated possibilities

14. • PowerShell’s ubiquity adds a significant
capability to potential attacker
• Enhances ability to ‘live off the land’
• Expands initial infection vectors

15. Command Use
-EncodedCommand Accepts Base64-encoded input for
execution within PowerShell
(New-Object
System.New.Webclient).DownloadFile()
Download a file from a remote location;
can be piped to Start-Process to execute
-ExecutionPolicy Bypass Circumvent system limits on script
execution
-WindowStyle Hidden Hide the command window from the user
-Invoke-Expression Execute arbitrary code or commands

16. Delivery
Vectors
VBA
VBS
BAT
JS
Registry
Startup
.lnk

17. https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg

18. • WMI is also ubiquitous, potent ‘dual-use’
• Can enable:
• Complex exploitation, persistence of
infected host
• New vectors to pivot within network

19. • PsExec-like remote execution
• Malicious file/script storage
• Persistence when combined with file or
registry activity

20. • Pentesting frameworks
• Crimeware/Commodity malware
• APT

23. • Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware
payload

25. • WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

27. https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png

28. CMD
•Command
execution
•Execution
Parameters
PowerShell
•Interactive and
Scripts
•Flags, Modifiers,
full Visibility
WMI
• Log Events
• Correlate
with Other
Activity

29. What is
required to
achieve
‘bad’?
Process
Execution
Persistence
Encode
Decode
Download
Upload

30. • Sysinternals Sysmon
• Windows Loggging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security

31. • WLS incorporates PowerShell logging natively
• Otherwise:
• Windows 7+
• Powershell 5.0+
• Enable logging!
• See:
• https://www.fireeye.com/blog/threat-
research/2016/02/greater_visibilityt.html

32. • Sysinternals Sysmon – latest version
includes WMI visibility
• But logging/alerting will need to be
tuned
• DIY via WMI Subscription creation
• Otherwise – commercial products

33. Establish
Visibility
Baseline
‘Normal’
Identify
Malicious
Create Alerts
& Alarms
Develop
Response

34. • What PowerShell/WMI scripts are used
in ‘normal’ network administration?
• What commands never have legitimate
use?
• What – if any – items require
whitelisting?

36. wmic /node:REMOTESYSTEM process call create “EVIL_COMMAND”
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE “%VMware%”
$BADTHING=New-ObjectManagement.ManagementClass($REMOTESYSTEM,
[String]::Empty,$null)
$BADTHING[‘__CLASS’]=’Evil_Malware’
$BADTHING.Properties.Add(‘SomethingEvil’,[Management.CimType]
::String,$False)
$BADTHING.Properties[‘SomethingEvil’].Value =$PAYLOAD
$EvilClass.Put()

38. • Create Event Consumer: performs action when
triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to
consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-
research/2016/08/wmi_vs_wmi_monitor.html