Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor

Presented at Black Hat USA 2015, Aug. 5, 2015, 4:20 p.m. (50 minutes)

Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI).

With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events.

This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.

Presenters:

• Matt Graeber   as Matthew Graeber
  Matt Graeber is a Staff Reverse Engineer at FireEye with a varied background in reverse engineering, red teaming, and offensive tool development. Since joining FireEye, Matt has reversed a vast quantity of targeted and commodity malware samples and served as an instructor of Mandiant's Advanced Malware Analysis course. In his spare time, he develops an offensive and reverse engineering framework for PowerShell:PowerSploit and PowerShellArsenal, respectively. He has also been designated a Microsoft 'Most Valuable Professional' (MVP) in PowerShell. Matt regularly advocates a minimalist approach to offensive security that relies primarily upon using the built-in tools already present in a target environment.

Links:

• https://www.blackhat.com/us-15/briefings.html#abusing-windows-management-instrumentation-wmi-to-build-a-persistent-asynchronous-and-fileless-backdoor
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Abusing Windows Management Instrumentation WMI To Build A Persistent, Asyn.srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Abusing Windows Management Instrumentation WMI To Build A Persistent, Asyn.mp4
• https://www.youtube.com/watch?v=0SjMgnGwpq8
• https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-wp.pdf
• https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent Asynchronous-And-Fileless-Backdoor-WMIBackdoor.ps1

Similar Presentations:

• DerbyCon 8.0 Evolution (2018) / Detecting WMI exploitation
• Black Hat USA 2022 / Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
• BSidesLV 2015 / WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis