In other words, we leveraged WMI to monitor itself and feed WMI-invoked process creations and persistence activity directly into the system’s Application event log. We determined that following the attacker adage of “living off the land” was what we needed to solve the problem from a defense perspective. We quickly realized that the client’s Security Operations Center (SOC) did not have the capabilities to detect this activity from both a network and endpoint perspective, so we opted to pause the red teaming activities and work with the client to identify a solution to this lack of visibility. We were recently onsite for a Red Teaming for Security Operations engagement, where our Red Team utilized WMI as a remote execution utility (similar to PsExec) and as a malware persistence mechanism (similar to a system service). In this blog post we will discuss how attackers can use WMI as a remote execution utility and as a persistence mechanism to execute malware, as well as what you can do to detect this activity at enterprise scale. Though WMI does not provide a default detailed tracing log of execution or persistence activity. From an investigative perspective, WMI has only recently been used by a select few groups of attackers and it is an artifact that may be overlooked during investigations. WMI was developed as Microsoft’s interpretation of web-based enterprise management (WBEM) for system management and auditing however, adversaries can use it for all stages of the Attack Lifecycle (shown in Figure 1), from creating the initial foothold on a system to stealing data from the environment and everything in-between.
WMI more closely resembles that bottle of ‘61 Bordeaux wine that continues to impress us as it ages and matures. WMI has been a core component of Windows since Windows 98, but it is not exactly old wine in a new bottle.
Create a Free Mandiant Advantage Account.
0 kommentar(er)
