
• Quick Background
• Malicious Possibilities
• Real-World Examples
• Detection & Defense
• Joe Slowik, Adversary Hunter
• Current: Dragos Adversary Hunter
• Previous:
• Los Alamos National Lab: IR Lead
• US Navy: Information Warfare Officer
• University of Chicago: Philosophy Drop-Out
• Scripting and interactive language
• Introduced in 2006, integral to Win7+ since 2009
• Full access to COM & WMI for system administration
• WMI = Windows Management Instrumentation
• Interactive and scriptable framework for local and remote administration
• Frequently accessed via PowerShell
http://oversitesentry.com/wp-content/uploads/2015/08/wmiarchitecture.png
http://kevinpelgrims.com/blog/files/images/2010/02/powershell_rsm.png
http://www.opentechguides.com/how-to/article/powershell/132/get-system-info-remotely.html
https://4sysops.com/wp-content/uploads/2013/03/WBEMTest-Translate-into-PowerShell.png
• PowerShell is a powerful, useful tool for network administration
• Widely used in Windows Enterprise environments
http://www.freeiconspng.com/img/17209
• WMI enables significant access to review and modify system data
• Access via PowerShell allows for scripting and automation
• PowerShell’s ubiquity adds a significant capability for potential attackers
• Enhances ability to ‘live off the land’
• Expands initial infection vectors
Command                                          Use
-EncodedCommand                                  Accepts Base64-encoded input for execution within PowerShell
(New-Object System.Net.WebClient).DownloadFile() Download a file from a remote location; can be piped to Start-Process to execute
-ExecutionPolicy Bypass                          Circumvent system limits on script execution
-WindowStyle Hidden                              Hide the command window from the user
Invoke-Expression                                Execute arbitrary code or commands
Delivery Vectors: VBA, VBS, JS, BAT, .lnk, Registry, Startup
https://adsecurity.org/wp-content/uploads/2016/02/PowerShell-Detection-NetWebClientDownload.jpg
• WMI is also ubiquitous, potent ‘dual-use’
• Can enable:
  • Complex exploitation, persistence of infected host
  • New vectors to pivot within network
  • PsExec-like remote execution
  • Malicious file/script storage
  • Persistence when combined with file or registry activity
• Pentesting frameworks
• Crimeware/Commodity malware
• APT
• Malicious VBA decodes to PowerShell
• Retrieves, then executes ransomware payload
• WMI filter retrieved on schedule
• Returns base64-encoded PowerShell
• PowerShell re-launches backdoor

https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.carbonblack.com/wp-content/uploads/2015/12/PS7.png
CMD
• Command execution
• Execution parameters

PowerShell
• Interactive and scripts
• Flags, modifiers, full visibility

WMI
• Log events
• Correlate with other activity

What is required to achieve ‘bad’?
• Download / Upload
• Process Execution
• Encode / Decode
• Persistence
• Sysinternals Sysmon
• Windows Logging Service (WLS)
• WMI Logging via WMI Subscription
• PowerShell Logging
• Proprietary Host-based Security
• WLS incorporates PowerShell logging natively
• Otherwise:
  • Windows 7+
  • PowerShell 5.0+
  • Enable logging!
• See:
  • https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Sysinternals Sysmon – latest version includes WMI visibility
• But logging/alerting will need to be tuned
• DIY via WMI Subscription creation
• Otherwise – commercial products
Establish Visibility → Baseline ‘Normal’ → Identify Malicious → Create Alerts & Alarms → Develop Response

• What PowerShell/WMI scripts are used in ‘normal’ network administration?
• What commands never have legitimate use?
• What – if any – items require whitelisting?
Remote process creation via WMIC (PsExec-like execution):
wmic /node:REMOTESYSTEM process call create "EVIL_COMMAND"

WQL query used to check for a virtual machine / sandbox:
SELECT * FROM Win32_BIOS WHERE SerialNumber LIKE "%VMware%"

Storing a payload as a property of a custom WMI class on a remote system:
# Create a new, empty class definition in the target namespace
$BADTHING = New-Object Management.ManagementClass($REMOTESYSTEM, [String]::Empty, $null)
$BADTHING['__CLASS'] = 'Evil_Malware'
# Add a string property and fill it with the payload
$BADTHING.Properties.Add('SomethingEvil', [Management.CimType]::String, $False)
$BADTHING.Properties['SomethingEvil'].Value = $PAYLOAD
# Commit the class to the WMI repository
$BADTHING.Put()
• Create Event Consumer: performs action when triggered by event
• Pair with Event Filter: events of interest
• Filter to Consumer Binding: bind filter to consumer
• Export results to log file, data store
• Credit: https://www.fireeye.com/blog/threat-research/2016/08/wmi_vs_wmi_monitor.html
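The filter / consumer / binding chain above, worked through as a defensive monitor: an added example, not code from the slides or the FireEye post, that logs every new WMI persistence object (filter, consumer or binding) to a local text file. The subscription names, the log path and the 5-second poll interval are assumptions; it needs Windows PowerShell 5.x in an elevated session.

```powershell
# Added example, not from the original slides: a permanent WMI subscription
# that records creation of new WMI persistence objects to a local log file.
# Names, log path and poll interval are assumptions chosen for this example.
$Namespace = 'root\subscription'
$LogFile   = 'C:\WMIMonitor\new_subscriptions.log'   # assumed path
$Prefix    = 'Monitor-'

# The three system classes any WMI persistence chain must create, and the
# template fields (filled in by WMI at event time) worth recording for each.
$Watched = @{
    '__EventFilter'             = 'name=%TargetInstance.Name% query=%TargetInstance.Query%'
    '__EventConsumer'           = 'name=%TargetInstance.Name%'
    '__FilterToConsumerBinding' = 'filter=%TargetInstance.Filter% consumer=%TargetInstance.Consumer%'
}

function New-WmiSubscriptionMonitor {
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    foreach ($Class in $Watched.Keys) {
        # Event Filter: intrinsic creation events for the watched class.
        $Filter = Set-WmiInstance -Namespace $Namespace -Class __EventFilter -Arguments @{
            Name           = "$Prefix$Class"
            EventNamespace = 'root/subscription'
            QueryLanguage  = 'WQL'
            Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                             "WHERE TargetInstance ISA '$Class'"
        }
        # Event Consumer: append one line per event to the log file.
        $Consumer = Set-WmiInstance -Namespace $Namespace -Class LogFileEventConsumer -Arguments @{
            Name     = "$Prefix$Class"
            Filename = $LogFile
            Text     = "%TIME_CREATED% NEW $Class $($Watched[$Class])"
        }
        # Filter to Consumer Binding: without it nothing ever fires.
        Set-WmiInstance -Namespace $Namespace -Class __FilterToConsumerBinding -Arguments @{
            Filter   = $Filter
            Consumer = $Consumer
        } | Out-Null
    }
}

function Remove-WmiSubscriptionMonitor {
    # Bindings first, then the filters and consumers they reference.
    foreach ($Class in '__FilterToConsumerBinding', '__EventFilter', 'LogFileEventConsumer') {
        Get-WmiObject -Namespace $Namespace -Class $Class |
            Where-Object { $_.Name -like "$Prefix*" -or $_.Filter -like "*$Prefix*" } |
            Remove-WmiObject
    }
}

New-WmiSubscriptionMonitor
```

Because the monitor's own later filters, consumers and bindings are created after the first chain is live, the log fills with the setup itself, which doubles as a smoke test; baseline these entries and any legitimate administrative subscriptions before alerting on the rest.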