Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

Security solutions engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind.

At Black Hat Europe 2021, we publicly showed how to blind an entire class of endpoint security products by disabling ETW. Our current research focus is Windows Management Instrumentation (WMI), a mechanism that allows event filtering without registering kernel callbacks. WMI is a built-in feature designed to manage enterprise infrastructure and provide detailed diagnostics of hardware, firmware, software, and configuration, both locally and remotely. WMI is deeply integrated into Windows user-mode applications and kernel drivers. It exposes rich information about the computing environment, and its event filters, consumers, and bindings let a subscriber receive notifications about important OS events. These features make WMI critical for solutions such as EDRs, AVs, and SIEMs.

The bad news: WMI is vulnerable by design. It is already abused for malware persistence (APT41, FIN6) and arbitrary code execution (APT29, Stuxnet), and malware countermeasures can disable WMI outright, rendering these defensive solutions useless. We will provide an analysis of the WMI architecture, obtained by reversing user-mode variables and functions in the WMI DLLs, and demonstrate several new user-mode attacks.
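The filters, consumers, and bindings described above are what both security products and persistence techniques register in the root\subscription namespace, so a defender's first check is to inventory them and confirm that the WMI core service still answers. The PowerShell below is an added example written for this page, not code from the talk or from Binarly; it assumes an elevated Windows PowerShell 5.1 session on the host being inspected (root\subscription requires administrator rights) and makes no assumptions about which subscriptions are present.

```powershell
# Added example, not part of the talk: inventory permanent WMI event
# subscriptions (filters, consumers, bindings) and verify WinMgmt liveness.
# Assumes an elevated Windows PowerShell 5.1 session on the inspected host.

$ns = 'root\subscription'

# WinMgmt hosts the WMI core; if it is stopped, no consumer below can fire.
$svc = Get-Service -Name Winmgmt
Write-Output "WinMgmt service status: $($svc.Status)"

# Liveness probe: a basic query that must return exactly one instance.
$os = Get-WmiObject -Class Win32_OperatingSystem
if (-not $os) { Write-Warning 'WMI did not answer a basic query' }

# The three object types that together form a permanent subscription.
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

Write-Output ("{0} filter(s), {1} consumer(s), {2} binding(s)" -f `
    $filters.Count, $consumers.Count, $bindings.Count)

foreach ($b in $bindings) {
    # Filter and Consumer are reference strings such as
    #   __EventFilter.Name="MyFilter"
    #   CommandLineEventConsumer.Name="MyConsumer"
    # Pull out the class and the Name key from each reference.
    $fName  = ([string]$b.Filter)   -replace '^.*Name="(.*)"$', '$1'
    $cName  = ([string]$b.Consumer) -replace '^.*Name="(.*)"$', '$1'
    $cClass = ([string]$b.Consumer) -replace '^.*?(\w+)\.Name=.*$', '$1'

    $f = $filters   | Where-Object { $_.Name -eq $fName }
    $c = $consumers | Where-Object { $_.Name -eq $cName -and $_.__CLASS -eq $cClass }

    # Consumers that run a command or script are the ones worth reviewing.
    $payload = switch ($cClass) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    [PSCustomObject]@{
        Filter   = $fName
        Query    = $f.Query          # WQL the filter matches on
        Consumer = "$cClass/$cName"
        Payload  = $payload          # empty for log/SMTP/event-log consumers
    }
}
```

Each output row pairs a filter's WQL query with the consumer it is bound to, which is the same triple a forensic tool such as the WMI-parser mentioned in the bios reconstructs from the repository offline. A stopped WinMgmt service or an unanswered Win32_OperatingSystem query is the simplest sign that the monitoring path the talk describes has been cut.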

The core vulnerability of WMI is that the DLLs loaded into the WMI core process (WinMgmt) consult internal "flags" to decide whether to perform WMI operations. By modifying these flags, attackers can block access to WMI, including the delivery of new OS events and the installation of new WMI filters. There are no built-in features to block these attacks or to repair WMI afterwards. Our Security Sensor detects such attacks by inspecting the memory of the WMI core service, and the same approach can reveal other attacks on Windows OS components, including privilege escalation, token hijacking, and ETW blinding. These attacks affect all versions of Windows because they rely on core design features of WMI.


Presenters:

  • Igor Korkin - Security Researcher, Binarly
    Igor Korkin, PhD is a security researcher from Moscow, Russia. He has been in cybersecurity for about 10 years working on various areas related to Windows OS kernel security and hypervisor-based protection. He enjoys applying both academic knowledge and practical expertise to make computer systems secure and reliable. In his thesis, he carried out cross-disciplinary research to detect hidden hardware-based hypervisors. He is keen on responding to real-world challenges. He has to his credit over 30 research papers along with one patent. His research results were presented at Black Hat 2021 (UK), Texas Cyber Summit 2021 (USA), IEEE SP SADFE 2021 (USA), HITB 2020 (Singapore), Black Hat 2018 (UK), REcon 2016 (Canada), six ADFSL conferences 2014-2019 (USA), and RusCrypto 2011 (Russia).
  • Andrey Golchikov - Research Fellow, Binarly
    Andrey Golchikov is a guru of Windows Internals and Windows security research. He has been in operating system security for over 20 years. He developed Yandex Web Antivirus for 11 years. Andrey has produced a huge amount of cutting-edge research and shared it on his blog: http://redplait.blogspot.com.
  • Claudiu Teodorescu - Chief Technology Officer, Binarly
    Claudiu Teodorescu is a Researcher at Binarly with an extensive background in Computer Forensics, Cryptography, Reverse Engineering, and Program Analysis. While at Cylance, he focused on program analysis to augment the ML model feature space with code-specific artifacts. Prior to Cylance, Claudiu worked for FireEye, in the FLARE (FireEye Labs Advanced Reverse Engineering) team as a Sr. Reverse Engineer, leading research projects such as WMI and Application Compatibility based malware persistence, Windows 10 RAM page compression, and also serving as an instructor of FLARE's Advanced Malware Analysis course (Black Hat USA 2015, 2016). Prior to FireEye, he worked for Guidance Software as Principal Developer/Manager writing forensic parsers for different file formats, mail containers, and integrations with different disk/volume/file-based encryption products to support the EnCase tool. Claudiu is the author of the WMI-parser tool to help IR teams forensically identify malware persistence.
