WATCH ON-DEMAND: PART 1
Windows Management Instrumentation [T1047] is an execution technique that adversaries use for lateral movement and persistence. Watch this 2-part event to learn tactics for observing and detecting WMI in your environment.
Part 1: Learn
- Get to know WMI: What it is and how adversaries use it
- Uncover high-level optics and strategies required for detection
- Test your knowledge with the interactive detection challenge
00:37 Who is Red Canary?
00:51 Panelist Introduction
01:18 Webinar Agenda
02:11 What is Windows Management Instrumentation?
02:40 How Adversaries Use WMI
04:31 “WMI is built to be a very generic and very practical assignment tool. It has access to a lot of system data, so adversaries are able to perform various types of discovery and reconnaissance through WMI, as well as hiding data and manipulating system functions and repositories.” – Jamie
06:24 [WMI] is an opportunity to hide in plain sight. The usage and abuse of adversaries of doing things with WMI isn’t necessarily going to necessarily stand out to defenders. It’s something that’s probably already native on the system…so WMI is not always going to be a flag that something bad is happening.” – Jamie
08:25 Early Malicious WMI Usage
09:35 Key WMI Research
11:17 WMI Persistence
11:23 WMI can be a stealthy, potentially fileless method of persistence in Windows.
11:48 WMI persistence relies on three components: Filter, (e.g. when this condition happens), Consumer (e.g. do this), and Binding (links Filter to Consumer).
12:12 There are two main types of consumers – ComandLineEventConsumer and ActiveScriptEventConsumer.
13:10 “You can layer these different components together – you can have them fire as often as you want or as infrequently as you want…and name them. These are all areas from a hunting perspective that you can leverage to use in an environment to baseline itself.” – Christopher
13:37 Examples of Malicious WMI Persistence
17:48 “One of my favorite things to do is frequency of occurrence analysis, so “how many systems does this run on?” and use an environment to baseline itself. An attacker may be able to profile one system, but it’s probably going to be harder for them to profile all of your systems.” – Christopher
18:25 “If you stack the name, what the filter’s looking for, and what it’s invoking, each of those things from a frequency perspective should be able to help you see the least frequent thing rise to the top, and those are the ones you can do further analysis on to see if they’re legitimate or malicious.” – Christopher
19:55 Introduction to WMI Detection Test Challenge
22:05 Questions & Answers
22:40 Question: We focused on persistence as a technique, but what should we look for as far as some other detection opportunities?
23:06 “While you may not be able to write high efficacy detection on adversaries moving laterally with WMI, a very common one you’ll see is using WMIC to run on a remote system. If you can understand where and how that’s being used legitimately and tune that out when adversaries use it, it should stand out more because it is a very common way of invoking code on a remote system by many high-skilled and low-skilled attackers.” – Christopher
24:10 “We see the majority of WMI activity in the discovery tactic, which is not something you’ll target necessarily for high efficacy detection…but it’s helpful to benchmark your environment, look at the proxy WMI processes and what processes are spawning from that. If you see something like mimikatz, it might be something indicative of adversary abuse for both local or remote execution.” – Jamie
26:09 “Monitor process creation for child processes of wmiprvse.exe, which is one of the processes related to WMI execution. Whether we’re talking about WMI persistence or lateral movement as examples, you’re always going to see child processes spawn from that wmiprvse.exe process. You will find false positives, but it doesn’t mean you can’t baseline those in your environment and attempt to find some anomalies there.” – Matt
27:28 Part 2 Preview
WATCH ON-DEMAND: PART 2
Part 2: Engage
- Dive into the detection test challenge results
- Examine and analyze the telemetry the test generated
- Explore best practices for building effective detection analytics
00:47 Panelist Introduction
01:20 Webinar Agenda
01:45 Detection Test Challenge: Question 1
Under what conditions will notepad.exe launch?
02:42 Detection Test Challenge: Question 2
Assuming the conditions are met to execute notepad.exe, will it launch as a child process of explorer.exe, svchost.exe, powershell.exe, or wmiprvse.exe?
02:53 Detection Test Challenge: Question 3
Assuming WMI persistence was successfully performed on a Windows 10 host with WMI logging enabled in Sysmon, what Sysmon events will be created to indicate that WMI persistence was performed?
03:10 Detection Test Challenge: Question 4
Assuming WMI persistence was successfully performed on a Windows 10 host with WMI logging enabled in Sysmon, what Microsoft-Windows-WMI-Activity/Operational event will be created to indicate that WMI persistence was performed?
04:21 – 07:12 Answer 1
After system startup
06:18 “How could an attacker actually come up with [query]? WMI eventing often requires creativity, and in this place there’s no straightforward WMI class that represents system startup time, so…this was a good candidate because of the SystemUpTime property.” – Matt
07:41 – 08:30 Answer 2
wmiprvse.exe
08:08 “You’ll find this very consistently whether we’re talking about WMI persistence using these techniques or in the case of lateral movement, any child process that’s created as a result of WMI will launch as a child process of wmiprvse.exe.” – Matt
08:31 – 10:00 Answer 3
Microsoft-Windows-Sysmon/Operational Event ID 19, Event ID 20, and Event ID 21
08:45 “Event ID 19 will cover the creation of the Event Filter. Event ID 20 will capture the context around the Event Consumer. And finally Event ID 21 represents the Filter to Consumer Binding. As a defender if you’re investigating this, you can correlate these names to the corresponding Consumer Event, Event ID 20, and the corresponding Filter Event, Event ID 19.” – Matt
10:01 – 11:30 Answer 4
Microsoft-Windows-WMI-Activity/Operational Event ID 5861
11:15 “The benefit you get from [Event ID 5961] is that it’s extremely resilient and it’s also built in, so it’ll be logged automatically…and there’s no configuration required.” – Matt
14:15 “[Microsoft Defender for Endpoint] is bubbling up all the suspicious events to the top, so rather than having to look through everything inside Event Viewer and trying to determine the boundaries around where the malicious activity took place, Microsoft is doing their best to try and draw those boundaries for you and guide your investigation.” – Joe
15:01 ‘See in Timeline’ View
17:18 Advanced Hunting Dashboard
17:40 Advanced Threat Hunting for WMI Baselining
17:52 “We’re using the Microsoft Defender Security Center platform to do this investigation, but these [threat hunting] concepts are going to apply to any EDR solution you’re using in your environment.” – Julie
18:26 “The question that we’re asking for baselining an environment is: what are all of the child processes of WMI related binaries in my environment, and do all those child processes make sense? Are those all things I want to be running in my environment?” – Julie
21:57 “This is a useful exercise just to ask ‘Am I aware of what’s happening in my environment? Do I approve of each of these use cases?’ This also gives you a baseline to refer back to if something ever does hit the fan and you do see persistence via WMI in your environment.” – Julie
22:43 Practical Takeaways
22:56 “WMI is a super powerful tool for attackers. There is very little that you can’t do across the kill chain or MITRE ATT&CK framework in WMI, whether its discovery, lateral movement or persistence.” – Matt
23:44 “It’s really key to understand what happened in the persistence. For example: what the EventFilter and EventConsumer consist of, but also how that was created in the first place?” – Matt
25:01 “Fortunately for defenders, [WMI persistence] is a relatively low volume event and when it does occur legitimately across your fleet, you’ll likely have the telemetry available to you to quickly triage that and determine whether or not that was expected.” – Matt
25:34 Extended Q&A
25:55 Question: Does WMI require administrative access?
26:00 It depends. If we’re talking about doing WMI tradecraft locally, you usually don’t require administrative access. There are definitely exceptions to that, and one notable one is performing WMI persistence. Where permissions really start to come into play is with remote WMI operations; in which case, by default, you would have to be in the administrators group.
29:31 Question: Will all WMI activity be shown via Sysmon logging?
29:36 No. Event ID 19, 20, and 21 only pertains to WMI permanent event subscriptions or WMI persistence. Considering the wide range of WMI tradecraft, Sysmon unfortunately is not built to detect every conceivable method of WMI tradecraft.
31:36 Question: Do these executions always spawn under the system context, or can you bind to a user account?
31:47 Those child processes, in the case of WMI persistence specifically, will always spawn under system context.
32:56 Question: Is WMI limited to what you can get if you’re not an administrator?
33:09 You can be any authenticated user to do most WMI actions.
34:23 Question: Would there be any options to log without using Sysmon?
34:28 Yes, as mentioned in the WMI activity log, there’s Event ID 5861 in Windows 10, and that is a fantastic source of logging for just WMI persistence.
40:22 Question: How would you detect custom objects in WMI?
41:22 There is no built-in logging that would surface those kinds of events, like a new WMI class being created and inserted into the WMI repository. But you can create a query to action on new WMI classes being created.
43:03 Question: What are your thoughts on the current detections available for WMI-based persistence?
43:09 The state of WMI-based persistence detection is good. In the case of Defender for Endpoint, there was an alert that was generated, and even in the case where an alert was not generated, there’s still opportunities to detect this using the telemetry at your disposal.
44:11 Question: Could there be another parent process besides wmiprvse.exe?
44:23 [scrcons.exe] would be another process that you could use in baselining to see what’s going on in your environment.
46:45 Question: Does WMIC have any different artifacts?
46:50 wmic.exe is a tool that’s used legitimately by administrators and also attackers to perform WMI tradecraft. wmic.exe is like a client executable where the server component, the components that actually do the WMI operations, execute in the context of the WMI service.
48:47 Question: Can mofcomp.exe be used to register consumers in WMI, and would Sysmon/Defender WMI event logging see that?
49:00 Yes, mofcomp.exe is an older utility that can be used to insert and instantiate permanent WMI class instances within the WMI repository. So that is one alternative that attackers have been known to use to perform WMI persistence.