BG - WhyMI So Sexy? WMI attacks, Realtime Defense & Advanced Forensic Analysis - William Ballenthin,

e

[Music]

[Music] Che sure my name is Willie balentin are you able to hear me check check sure no problem morning everyone my name is Willie Balentine can you hear me doesn't sound like it all right so che check check hey [Music] hey yeah sure yeah I'll keep talking loudly and hope that everyone can understand

me I'm glad that everyone showed up this morning bright and early didn't have too late of a night last night La one is kind of low too that's what I'm on or that it both both were hey hey test test that's fine okay a little bit lower sweet thank and let's see mine oh mine I think is good is good all right all right thank you everybody for showing up uh we have today since we're late I'm just going to run right into it uh the uh excuse me uh Cloud the firey Labs Advanced reverse engineering flare team here to talk to you and uh I will let them go thanks sure well thanks for

having us and I'm glad everyone showed up like I said bright and early for us uh we are really excited to actually get this conversation started this presentation started and I say started because the three of us have been working on this topic for the past few months and I'll tell you we have a lot to cover so we'll do the best we can to cover in these slides here and then we look forward to continuing the conversation with you afterwards because we have so much more we're not even going to get to so if you find yourself using any of the things that we talk about here in the presentation or you used it before or

you're thinking about in the future uh definitely looking forward to uh continuing that conversation so we're here today to talk about wmi Windows management instrumentation uh which is a really need framework have people heard of wmi before is that why you're here in this talk awesome I'm glad you're here then um so it's super powerful great framework for configuring systems and inspecting them and because it's so powerful for administrators and system uh assis admins we found it's actually just as powerful for attackers and this isn't strictly a theoretical thing at fire ey we have seen attackers using Wii more and more and they're using it in very very clever ways and as Defenders people who come in and investigate these

attacks we realize that there's basically no way to investigate wmi persistence and payloads and lateral movement at this point in time sometimes you get lucky with network monitoring and sometimes you can get hints here and there but realize this there there's no methodology in place so our presentation here today is to talk about these attacks talk about how you might investigate them and also for the first time in this kind of public release talk about how you can actually perform forensics on the wimi repository database um and really turn it into a a good situation so Matt here's is going to bring us through a an initial kind of case study that'll we'll work through

all right so consider the following attack all right this is just the proof concept uh I developed a really kind of primitive crappy um uh remote credit card or uh track data scraper all right where uh you install this payload remotely using wmi on the victim machine uh given that you have uh credentials on the victim system and we will see the following okay okay so I am about to provide credentials on my attacker machine all right I'm installing the persistent uh credit card scraper all right and what I'm doing is I'm storing the payload in the uh wmi repository in a persistent fashion um the payload that's going to execute is Upon triggering Our fictitious uh payment

processor. exi this payload is going to fire so wmi is an inherently asynchronous technology that responds to events and when those events trigger there's a payload that's that's executed so we'll see what that is okay we're storing it persistently and the outload or sorry the output of the scraped uh credit card track data is going to be stored uh persistently in the WB repository so here is is our fictitious Powershell payment processor. where I'm putting in some uh fake uh track data okay so payment processor. exe launched uh as soon as it was closed uh well the payload was scraping it while uh the executable was running and now we can pull back the uh parse credit card

information remotely okay and in fact I'm pulling it back as uh a serialized Powershell object um so you probably just saw what was output was like the fully parsed uh track data that was collected remotely pulled back using nothing but wmi as one a persistence mechanism and two a pure uh wmi command and control uh Channel and this is not just a theoretical demo we have seen attackers do this and you go in and investigate it there's no files to look at there's no registry keys to look at you're out of luck at this point basically so let's dig into uh what we can do about this and I'm sorry I'm not going to be

providing the code for that credit card scraper there's no legit no legitimate use for that I'll be releasing a back door later at black hat though so keep an eye out for that all right so real fast I know we let's do introductions my name is Willie Balentine I work on the fire ey lab's flare team I'm a reverse engineer and prior to that I did a lot of incident response doing forensic analysis and triage analysis I'm Matt I'm a reverser on the firey flare team um the speaker uh black hat trainer along with uh claudo um and I'm a huge Powershell Fanboy uh some of you may may have heard of uh Power exploits uh one of the more like

recent Powershell projects that I've done uh considering like I do reversing full-time is called Powershell Arsenal so it's just like a little Powershell module that helps you with some limited uh case studies and reverse engineering um if you're a Powershell Fanboy like me my name is cloud tesu that I don't have a middle name I I didn't even review the slides or I don't know what's that in the middle but I think it's English pronunciation of my last name I guess but anyway so I'm a I'm a reverse engineer at the flare team uh I did forensic for a long time for almost 10 years writing uh a lot of parsers for INE I'm a crypto analyst as

well and U I wanted to play play soccer but my my parents sent me to school so but I still had the passion for it so what we're going to talk today we'll talk about the background motivation and some examples of attacks the W architecture the query language used by wmi which is wql we look into Eventing next uh also we have a timeline of a bridge history a timeline of the W attacks uh dive a little bit into the providers

sorry and then uh we talk a little bit about the format of the database uh investigation uh real time defense and mitigations we did a lot of forensic work on the wmi so we'll present uh a brief uh introduction to it and white paper we'll have the details of uh of the forensics of the wmi repository then we have a mock investig ation of the credit card scraper that Matt presented and then we'll present some attack detection that uh will help us mitigate the risks so who wants to try to see us do this in 40 minutes we're going to try all right so let's talk about the basics I know most of you are already

familiar with wmi um system administrators have been familiar with this like from day one right it's a really powerful system administration utility that allows you to uh pull back either locally or remotely all kinds of uh really valuable information right so you could enumerate running processes uh enumerate um Services pullback registry keys right to the registry um wmi also enables you to subscribe to events so this is one of the most powerful features in my opinion of of wmi that attackers have been using heavily and as I'll show later on can be used just as effectively as a Defender to detect attacker activity in real time all right so wmi has been around forever like literally uh the service has been

running since Windows 98 and nt4 okay so all of the attacks and defenses that we're going to be talking about today this applies going back to these systems so I'm sure some some of you have seen the occasion uh like N4 system like sitting like just sitting in the corner somewhere that no one has any idea even exists while it's listening on the wmi service um so if you were able to obtain credentials to it then you can Pur your payload on there uh perform all kinds of Recon really like any stage of the attack uh post exploitation you have wmi to carry out every phas okay there's a bunch of different ways to interact with wmi my favorite um

and it's definitely the best by far that's independent of me being a huge Powershell Fanboy is Powershell all right need I say more um but I I wouldn't be doing it justice if I didn't explain a little bit more so uh right out of the box in Powershell we're looking at this is uh uh Powershell 3 uh it comes with a bunch of built-in commandlets so uh commandlet is just like a little a little function basically think of it like a python function right right if you're not familiar with Powershell um going back all the way to V1 of Powershell you have all of these uh wmi commandlets okay uh and starting with version three you have

all these Sim commandlets uh really the the only difference is the Sim commandlets provide a little bit more flexibility um over the wmi ones um primarily that the fact that they can speak two different protocols um so the Legacy protocol which the wmi command talk uh dcom so Port 135 and then an additional like randomly assigned Port uh they all talk those but the Sim commets also talk uh winrm which is like the uh Microsoft officially sanctioned like remote Administration protocol um that's listening on default now like as of like Server 2012 R2 and above I I I believe okay uh also worth noting uh there there's a bunch of additional utilities that you can use to interact with wmi

I'm sure many of you are already familiar with the command line interface W wmic.exe yeah so that's really powerful it does have some some limitations um but um yeah really like Powershell extends all of that and uh by nature of Powershell being Powershell everything is an object versus like your traditional command line utility where all the output is text okay I I love objects and the fact that you can pipe objects to other objects power shells amazing um some other utilities uh one of the Lesser known ones is if uh like the poell remoting uh or winrm service I kind of use those interchangeably are listening you can use uh win rm. exi to enumerate Powershell objects invoke or

sorry uh enumerate wmi objects um invoke wmi methods remotely um so many of the same features that like you may be accustomed to in whim. exi you can also do in winrm if uh if that service is is up and running so it's it's just an alternative um also another one you may not be familiar with is wbm test.exe so it's this like horribly shitty uh goo like gooey client application for wmi it's actually really powerful though so uh if you run into a situation where like you're dealing with like app wh listing and say like whim. exi or powershell.exe or block uh look for wbm test. exi U maybe maybe have permission to to execute that and like enumerate my

objects execute methods and whatnot um there's some additional utilities like uh uh Sim Microsoft Sim studio is useful useful for researchers um that are interested in like uh viewing the wmi repository looking inspecting all the classes name space name spaces and stuff so we've used that heavily uh uh in in this research all right one of the primary means by which you interface with wmi is via uh wmi query language so this is a very simple SQL like syntax that allows you to um one enumerate W objects and two uh subscribe to events so the syntax is only slightly different depending upon what you do all right there's three main classes of queries instance queries

where we're after the uh wmi class instances event queries we want to subscribe to some event either locally or in a uh permanent like persistent fashion and meta queries um for those who are interested in um uh discovering what wmi classes are available all right so here's a sample instance query you see the syntax uh up above so uh this is a really simple one so select star return all properties of all instances of the win32 process object all right so the this is the kind of syntax you would use to just enumerate running processes uh where the name of the process is like Chrome Okay so just give me all process all all Chrome processes okay instance queries

are pretty simple all right uh event queries are a little more complex um there's you know a little bit more of a learning curve here um I'll touch on this briefly a little bit later the difference between intrinsic and extrinsic events um but let me just go over these uh examples here so the first one um select all instance creation events so this is a very generic event that's going to fire all the time so we have to constrain it a little bit uh instance creation event fires upon creation of literally any wmi class instance all right uh within 15 seconds so we're going to um like set a polling interval there where the target instance

happens to be a win32 log on session uh class instance right where Target instance. logon type equals two if you were to just look this up in msdn you would see that this is uh this would trigger upon uh interactive log on all right select star from win32 volume change event this is a um type of extrinsic event that fires immediately so you don't have to specify uh that polling interval where event type equals two okay so this would refer to a user inserting removable media into the system so from a defensive and offensive perspective you know start thinking about some of the implications of this here all right select star from registry key change event where Hive equals HK L

current version run okay I think that's kind of self-explanatory all right Eventing this is to me the killer feature of wmi all right so there's three requirements in order to set up a uh either like local or we specifically here a permanent wmi event all right this persists across reboots um there's nothing present on disk except in objects. dat which these guys will cover shortly uh you need a filter which is that event query that we just covered okay a consumer upon triggering that event what do you want to do what payload would you like to execute um there's five different classes of these payloads or consumers that I'll show you in the next slide and then The Binding

this is the registration mechanism for binding the filter and consumer together so the event and the payload that you want to execute this binds them together so this can be done both locally and remotely all right oh and permanent wmi events yes they they all run uh in the system context pretty cool all right two types of events intrinsic um in wmi you have a bunch of name spaces all right and there are classes um hierarch hierarchically organized within each one of those name spaces um within each Wy name space you have a bunch of these types of events so I showed you before there's the uh like instance creation event so any object that is instantiated within that

namespace that event is going to fire okay if a namespace happens to be created namespace creation event is going to fire uh if a uh wmi class is created on the fly as has been done by a particular threat group called apt29 you would see that a class creation event would have fired all right extrinsic events these are special types of events that I mentioned before the these fire immediately all right so they're kind of like specialized uh very high performance um classes there aren't that many of them um so here's some example ones that you may find as an attacker or a Defender to be of interest all right computer shutdown event maybe do

something upon someone shutting down the computer um process start Trace all right so maybe you could Implement a kind of cool U like do some process uh like command line auditing using that type of event module load Trace anytime any exe dll so system driver is ever loaded uh this event will fire volume change event insertion of removable media kind of cool uh registry key change event value change events um just really start thinking about the the implications of these and just how how powerful uh the these things are all right the consumers you fired an event and you want to execute something okay there are five standard event consumers provided by Microsoft log file event

consumer okay and event triggers you want to capture that data and append to a log file pretty straightforward active script event consumer tackers love this this allows you to embed any Windows script host script I.E VB script or J script uh into your permanent wmi events okay so you're not dropping any script or binary to disk this is all inline stored in the Sim repository so a single file which AV cannot touch okay uh and an event log consumer kind of like a log file event consumer create an event log entry and then as a Defender hopefully you're taking those event log entries and forwarding them to a centralized server that's a smart thing to do SMTP

send an email okay uh command line event consumer also obviously very popular amongst attackers all right execute any arbitrary uh command line executable upon an event triggering powershell.exe Dash encoded command uh you know um uh create like a web client and then download some like Powershell text that and then call invoke expression on that right so you got like you you have like your little like oneliner Powershell command Stager execute upon uh firing one of these events all right so permanent wmi events again you need those three requirements you have to create instances of each of these objects the filter I.E your query the consumer what you want to execute and then the bind together filter to

Consumer binding all right let's let's look at some uh some possible attacks here um let's let's go back in history a little bit though so um as far as I know uh wmi attacks publicly go back to 2010 with uh stuck net so what stuck net did was um one of the many exploits included in this uh uh package was it exploited the uh windows princip or vulnerability I think this was like ms10 051 um where basically it enabled the attacker to that this was like an arbitrary file right vulnerability right so uh imagine on a Windows system if you could drop any file anywhere on the file system what would you do to gain code

execution so these attackers were pretty smart and they thought to drop a moth file so uh and in this moth file it consisted of uh instance creations of those event filters consumers and that filter to Consumer binding okay so you you drop this file into a particular directory and then U mooff compx um would come around at a regular interval and consume any new Mo files in this directory and uh so it would eat that up and then it would um that text file would automatically be persisted in in the database so it by nature of being a permanent wmi event consumer uh or subscription would execute the the malicious payload in the system context

so uh Stu that they use this as a uh privilege escalation vulnerability Microsoft patched that so um that like Watchdog like moff comp. exi uh can no longer just eat up random Mo files that are dropped you have to explicitly compile your Mo files uh now at this point um there's a ghost payload I believe this was some commodity M that came out in 2010 um it used it it used permanent wmi events um as a means to um exfiltrate any uh newly created or modified documents within the the us like my documents folder all right uh there's a really cool tool released recently by a French researcher his name is escaping me I'm sorry um called wmi

shell this was the first uh case that I saw where wmi was used as a pure C2 channel so what he did was um he used both he created and modified wmi namespaces dynamically and since you can do everything remotely in wmi so like you can create wmi namespaces and then say like uh as the as the name of your namespace it would be say like an encoded Powershell Command right and then you could use like the win32 process create method to pull that down um on the local system decode it and execute it so this this thing was pretty cool uh and then there's apt29 um uh fire I just released the white paper about some of their ttps uh

it doesn't actually cover any of the wmi stuff though so uh they use some pretty cool like net stuff um and like they use like Twitter as a command and control uh server but what they don't cover is all the wmi techniques so they were using permanent wmi subscriptions in addition to um so kind of like wmi shell instead of using namespaces they were creating wmi classes on the Fly remotely and so you you can create a class and create a class property and then within that property stuff your payload all right and then execute that payload remotely using the 132 process class um store the result of that payload into another property class so this is

exactly what I was doing in that um credit card uh scraper demo uh the ttps that apt29 were using so very novel unique techniques that they were using cool stuff um so um we know going back to 2010 uh we have an instance of these attacks um you know for all we know you know some nation state could have been using this you know since the Advent of Windows 98 or nt4 um I have no idea okay so wmi can be used to uh like in in any portion of the attack life cycle so um remember you can do everything remotely with wmi with proper credentials so reconnaissance um you can do VM sandbox detection uh code

execution lateral movement persistence data storage like what apt29 was doing um or C2 communication um like what apt29 or like W uh wmi shell was doing like using wmi as a pure C2 Channel all right so if you were to go about uh doing some Recon activities with just wmi here are some of the classes that uh you should maybe be interested in all right we can do file directory listings by enumerating Sim data file instances 132 volume all right um STD reg Prov this is what allows us to perform registry operations read from any registry um key or value write to them okay so you could use that as a persistance mechanism too like write

powershell.exe D encoded command to the Run key yeah okay service listing event logs um loged on accounts uh installed patches AV um this is just a very small sampling of what might be valuable to an attacker uh when performing Recon all right code execution lateral movement I I love this stuff uh attackers have been doing this for a while um you you have probably done this like using uh like whim. exi by calling the uh static create method in the win32 process class yeah so here I'm just uh doing it in Powershell instead using invoke wmi Method All right so I provide the computer name or or host name and then the credentials it'll pop up and uh let

me type in the the password and then in the argument list is what I want to actually execute so just imagine uh replacing notepad.exe with uh like powershell.exe encoded command Okay so remote code execution it's awesome okay again just a refresher this is what we need for permanent wmi uh subscriptions IE persistence using wmi so here's a practical example of where this was used in um uh SE Daddy I think like that that's the mandiant uh family name I think this was like referred to as like uh seuk seke yeah seuke um so Cuke was uh well one component was a like pure python back door and then within that python back door um the means by which they

persisted was uh they ran basically the the following uh Powershell code by calling Powershell uh. exy with following payload so the query here is uh wi attacker basically ripped right out of uh my power exploit precisions module um this like super shitty uh query where it's just going to trigger like shortly after system startup all right so what's it going to execute upon triggering that after startup um just just here down uh towards the bottom the Wy event consumer it's command line event consumer what are we going to execute an executable that was previously dropped by the the python back door or I I think this was the actual python back door itself um that

was executed uh after system start up all right so kind of a crude like persistance mechanism I don't really think this is that stealthy I mean it it relies upon a binary to be dropped like uh if it was me I would remain like super stealthy and not drop a single binary or script to dis because wmi enables you to do just that all right so data storage I already talked about this this is what apt29 was doing here's a very simple example of how you would go about doing that in Powershell just remotely okay there's just a a few additional net classes that you would have to use in order to take this code and uh be able to um store

arbitrary data remotely on a system by creating these um these wmi classes all right providers Willie yeah so I got to admit when I started looking into wmi uh I was I was pretty impressed with its architecture um I I came in expecting from a Linux background that's going to be this huge monolithic like service with a bunch of components and I wasn't going to be able to play with it well that's not actually the case wmi is is kind of architected in a very nice way it's really just a framework and the core part of wmi is very small and it delegates a lot of the responsibility for creating the these instances of classes and the types of things you can

query uh to Providers okay and a provider is a thing that defines what you can query for and when you ask for a query what data you get back okay and Microsoft ships with a default set of providers and those are the things that uh Matt's describing in the past couple minutes um but of course we can continue to extend and provide our own providers so when you when you get a new Lenova laptop for instance and you go in and enumerate all your providers and the things that are exposed via wmi you see Leno actually developed additional code that allows them to kind of remotely inspect your system I'm not saying they do but an administrator could go in and

say how's the system looking how does the BIOS how's that set up all right so this is a very extensible format let's modify the BIOS too remotely yeah don't want to get into that here but you know putting my attacker hat on or my Defender hat I'm starting to think like what else could I maybe expose through wmi these are again wmi you can control remotely you know what could we do by adding additional providers additional data that we could collect from the system I think Matt you found some of those things yeah so uh like we we had like a Skype chat where we would coordinate our research and uh Willie brought up a long time ago like

hey wouldn't it be cool if uh maybe an attacker decided to extend wmi by creating their own malicious provider right so like an example of a legitimate one like take win32 process right so there's a dll that um actually uh in like populates instances of uh running processes via uh this win32 process object right well as an attacker right you you can well in wmi you can create class instances you can also execute methods right so uh this recently went from Theory to reality when I reached out to some buddies uh Casey Smith sitting here uh is Jared here yeah lame all right so I basically uh provided them what my requirements would be as uh as an attacker like hey I

would love to see a uh a malicious wmi provider well Casey like banged it out in one night and I was just blown away so what he did was he created a malicious wmi provider uh in the form of a net dll and the way you you would go about installing that is like you just call installutil.exe provide the path to that U provider and now you have these magic uh malicious wimi classes that didn't exist before so what he implemented was a a Shell Code Runner right so a Shell Code Runner that happens to run in the system context like that's pretty awesome so uh with this installed locally like you could execute your shell code payload locally

but you could also do so remotely all right so here's how you might go about doing it call invoke wmi method uh the class name he called it w32 evil uh exact shell code is the name of the method and then you just provide your shell code bite array and then you could uh appan like the D uh- computer name uh and- credential and do all of this remotely okay Jared did uh something very similar um he's more like defensively minded in general so like when he set out to do this he wanted to be able to enumerate all Active network connections because uh you can't do that in like Windows 7 and below in Windows 8

and above you do have classes that enable you to do that um but he wanted to be able to do this for uh any arbitrary operating system right so he created that class so that's pretty cool um but he also kind of slipped in there the uh run PS uh method which allows you to execute just arbitrary an arbitrary Powershell uh script in the system context and so uh I believe the way he implemented it like it wouldn't even call powershell.exe all right that's cool yeah so so I hope we motivated you at this point of thinking like hey this this wmi thing is pretty cool like we have a lot of capabilities we have a lot

of ways to stay under the radar and as a defender in I'm thinking I'm like man this this kind of sucks like I have nothing that I can do to detect this and find it and do forensics so let me talk about precisely how we came about this in the past six months or a year I've worked a couple larger engagements we're talking 10,000 hosts 100,000 hosts and we're seeing this group we kind of call A pt29 and they come in and it's been really exciting because this is probably my favorite threat group that I've worked with recently because they're really good at what they do and they develop new techniques rapidly and they deploy them

and they almost like test in production you know they just throw things out there and they're like hey maybe it's going to work and so one of their their kind of interesting attributes is that they seem to know a lot about forensics they know what the Defenders do and they actually do a little bit of targeting of Defenders to kind of figure out how they're being detected on Network and so when we go in and actually work with clients that are targeted by this threat group you know we're kind of in an arms race with them sometimes we can get them out right away and they come back in or sometimes we chase them around and as we

do that and they realize that they're getting kicked out they deployed newer and newer techniques and so very quickly within the first couple weeks of us doing some of our investigations they started deploying things that we had never seen before and one of those things is a lot of these kind of wmi uh Ninja tactics all right and we realized as we're doing this like there is not much out there it's very difficult to do forensic on these boxes now we got really lucky because we had really good Network visibility and host based visibility we could basically watch all the commands they were running and figure out all this stuff but what worries me is what about those clients

that we're working for where we don't have that visibility you know there there's really no chance that we had to actually identify this and so that that got us really worried so in these CLI s you know we're kind of thinking about what can we do right now to actually investigate a system to do forensics on it well naturally we can use W wmi to inspect itself and I think at this point you can kind of see how that would be done we could write some WQ wql queries that inspects itself and like gives you all those persistence items for instance but that makes me kind of worried as the defender there we already know these

threat groups that we're going up to are fairly Advanced they're using new techniques and they have rootkits they have other really advant pieces of malware I'm thinking if I'm using the running system to inspect itself there's no way I can really trust those those results I might get lucky maybe maybe it's truth maybe it's not truth and I would never know all right another thing another issue with that is I have to have the system live and running on the network and me have credentials on it sometimes all I get is a forensic image and then I don't have a running system and I can't use wmi to query a dead box so for a long time more than a year

actually our best recommendation to our forensic investigator was to run strings on this one file and guess at what that meant and it was like that is not forensics that's not going to hold up in court and sometimes we get lucky and we can guess at what it means but it it's not forensics and the final technique that we found kind of worked was to basically build this Frankenstein system where we could copy over the Sim repository from a a dead box to Al live box and then cause the system to reest the file and like it sort of worked but I had no idea what the system was doing doing was it performing Auto Recovery was it cleaning

up things that weren't supposed to be there I couldn't tell you so even though I could get some data out of it I didn't know why I was seeing that data and so as a reverse engineer as a as a forensic analyst I was not happy with the technique so naturally we went ahead and we said well what can we do to reverse engineer this is there a way that we can do real forensics on the on the artifacts so we took a look at the the files in the file system that are related to wmi and specifically the uh the Sim Repository all right recall our wmi providers uh Define what data can be

exposed and queried through wmi all right and this is all organized within this Sim repository this is the common information model which again defines basically the scheme of what's going on and anything that's been persisted on the system so like those persistence techniques and the filter to Consumer Bindings that we talked about a minute ago those are stored in this Sim repository has anyone doing for before seen this objects. dat file maybe I had definitely seen it while doing forensics if you do a string search for your malware binaries sometimes you find entries in this file and then you go to look at it and it's this weird structure it's not a known database format and so

you know that there's something good in there but you don't know what to do with it in the same directory there's this index. BTR file which has a bunch of crazy hash looking like strings that look kind of like hashes but no kind of uh useful data to the human eye and then there's a couple other files there and they're all kind of related but we really didn't know what was going on so we spent some time reverse engineering this we're a team of reverse Engineers so we basically pulled out our hex editors we looked at dumps of the database we actually did not do any static analysis of the services we did not debug the system we just looked at

these data these hex stumps of the file formats we said hey that looks kind of like a string and this field over here that kind of looks like a pointer to this string from the start of the record and then within that hey that that kind of looks like a set of flags and so by doing a little bit of differential analysis and a lot of late nights in front of the the hex editors we're able to basically completely reverse engineer the database format there's I think a total of like four bytes in the entire database that we don't know what it means this is really good what this means that is that we can do forensics

on these wmi databases offline on any operating system we can do it a Windows Linux Mac OSX we have that ability now so this is really good news so let's talk a little bit about that Claudia so yeah I'll be brief on this all the details are in the W pipe uh wmi white paper is an easy read couple close to 100 Pages it's coming out later today on on the FL website the fire so the diagram shows the uh files the repo consists of and their collaboration and relationship so we have the index BTR which is um which is um a B3 on disk it's paged the page size is 200 hexes and uh everything in the in the

index BTR is uh any page in the index BTR is uh represented by by a logical page number a logical page number is translated into to um um into a physical page number using the corresponding mapping in the mapping map file uh here is you on the the actual information about the object it's found in the objects. data here is an example of an evil consumer uh the the NS underscore and then the ID that's the ID of the namespace uh the next ID prefixed by ccore is the um represent is the presentation of the class of the instance and then the I I underscore and then the identifier follows is the uh identifier for the uh consumer uh there

are three uh integers following uh first integer is um is an um It's The Logical page number for the record containing the data for the instance uh that's logical and you have to go to to the mapping to the corresponding uh mapping data for the objects. data to get the physical offset uh use the second ident integer to um identify the metadata for that record in that metadata you have the index inside the page uh of the record and the size you use the physical page multiply by the um page size which is again 200 hex 2,000 hexa and add the index in page and you get to the offset of the of the in of the record

containing the instance data here is a representation of a page in the B3 it's very powerful and um uh details are in the white paper uh that that's kind of yep what we cover in the forensic yeah the takeway there I mean that that was a crazy diagram it's like a rainbow wasn't it did anyone understand it at that point I mean there good hackers in here right if you didn't understand it not a big deal like we said we're releasing a white paper this afternoon it's nearly 100 pages long at this point where we're diving into deep detail about how to do this parsing what it means from a defensive and offensive perspective and and all those details

that you need so if you feel like we were a little short on this stuff take a look at that paper and then come back to us and let us know what you think about it so naturally we figured out what the database structure was we want to share that knowledge and actually build tools that allow us to work with these files and so that's what I want talk about here we're also releasing those today I pushed on this my code this morning claudo also pushed his code this morning we now have forensic parsers for these Sim repositories okay they're on GitHub I personally wrote this python Sim module it's a pure python script uh

a few thousand lines long that implements the database driver that allows you to query the system okay anything that's in that database you can now work with it's very easy to use it's I don't know I think it's very easy how do I do the demo next slide yeah I'll start it for you all right so let's see oh how can I pa it all right than it is a library the library is quick to use Simple to use but naturally that's not great for demos so I built a nice little gooey for it let me walk you through it real quick and it's going it's going all right couple uh different tabs there we

can explore the the physical structures of the datab base but if you don't know what that means don't worry about it because we can also explore the logical pieces of data in the Sim repository here we're exploring some of those Nam spaces root Sim V2 default Nam space used by um wmi additional name spaces like down here root subscription is where you would find those filter to Consumer bindings okay so we can explore them see the data that's there these are all those things that you could use wmi to inspect itself but we're doing this offline we're looking at the Sim repository pulled from the system that Matt showed at the very beginning here's a class definition of the filter to

Consumer binding all right this allows us to understand what kind of data is in that class what kind of data uh is stored and what we find is some additional time stamps that are not exposed by wmi that you can use as a Defender to understand what was going on in a box you can timeline this stuff down at the bottom here we're seeing all the different properties and Fields within this specific class and as expected there's a filter there's a consumer and this is the binding between the two there's additional kind of deep detail here if you're interested in it that allows us that we're able to parse out uh but all the basic features are there one of the

the cool things about this tool here is that it also shows you how it's parsing out all these forensic details so here we have a pretty standard hex view there we can scroll up and down select data but additionally we're able to explore how this data is being parsed so for instance there's the header at the top there we can dig into the header we can look at where is the name of my class where are these time stamps how is the tool actually getting to this data and so we're able to uh basically confirm what we what the tool is telling us manually so if there's any ever anything that doesn't make sense to you

you can always double check it right in line on the tool there that's pretty powerful all right so we took a look at the these this is the class definition this is the type of data that you can query or might be on the system the next thing we should probably do is take a look at the uh the specific instances of this filter to Consumer binding the things that are installed for persistence on the specific system so that's install these visible in line here in this preview we we see that there's three of them installed all right and we can look at the concrete values that are stored in each one of those instances so this is another

filter to Consumer binding two time stamps here we conjecture this is uh creation and modification date for the specific instance we see what the two thing one what the trigger is and two what the payload is that's going to execute these are references to additional data that we want to take a look at similarly we can uh explore how the tool is extracting this data I'm going to all right so that tool is really neat it allows you to kind of intuitively explore the data um and it's it's very easy to use it works cross platform you saw me using it on Windows there clo is going to take a minute or two to talk

about his tool which is written in C it's very fast and if you don't know too much about wmi if we didn't do a quite good enough job in our presentation here Claudia was able to encode a lot of the knowledge and a lot of the methodology that we've developed over time into his tool and so it's kind of a One-Stop shop forgetting a lot of the things that we know about and if you want to kind of explore it on your own that's when I recommend you use this kind of python tool to explore and see what's there so claudo you walk us to this yep and we're going to keep presenting until they kick

us out so bear with us here so this is a tool done from the perspective more to find out what's happening in your system quick and dirty um first we are looking for all the consumers available on the system uh you specify the default namespace which is a root subscription and then you you you get all the consumers available we have a first the command line consumer that is named test consumer which does power uh executes a power uh a Powershell um uh payload which is located in win32 undor payload class uh next is an anti consumer log event uh and then another command line uh event consumer which which is BBT consumer uh these are these two uh

consumers are uh present in MO most most of the computers so nothing uh wrong there the first one looks suspicious though and now um we take we're taking a closer look to that consumer by name and then we found out that hey uh he's executing a a Powershell is taking the information from the win32 payload class and uh from the property called payload and the default value is actually the encoded pay code payload and then we found out the filter to Consumer binding that uh matches the event that trigger the test consumer so it's name pay payment card Pro processor launch now let's take a look at the event filter name payment card processor launched did I cut you short and uh we

see what's the trigger event which is the start of the process payment processor. exe once we have that move on we have all the information we need and then we go analyze the payload decode it and see what it's doing and see where the track data is stored yeah so using Claudio's tool you would be able to dump the actual payload that credit card scraping payload dump it to dis and perform further analysis so these are pretty amazing tools here for performing uh forensics now real quick so we have offline forensic uh parsing capabilities which never existed until today okay now you can also use wmi to detect this stuff in real time all right

so as a Defender start thinking okay um when an attacker performs uh wmi persistence it creates wmi objects okay we can tap into events that uh detect creation of those events and we can respond accordingly create an event log uh log to a file right so um so basically you can use wmi as the defender against attackers itself so it's Wy on Wy action here all right all right so start thinking about the implications here okay wmi is basically the agent list wmi or the agentless uh host based IDs that you never knew existed okay it's built into windows so I released a proof of concept tool wmi IDs um that uh will detect um certain

components of uh attacker activity I plan on extending its functionality uh it is very beta at this point so I'd like to gauge interest and uh continue to add to it I have a brief video that shows um how I was able to detect the credit card scraper in real time as it was installed and all it did was uh create an event log entry okay so the takeaway here is that you can use wmi against uh attackers using wmi and there's some other uh detection utilities out there lastly uh I'd like to thank will Schroeder and uh Justin Warner for helping me out with um like really interesting like use cases for event filters um our manent IR guys uh

the ones who are uh performing the actual apt29 investigation uh those guys are awesome and of course apt29 thank you very much for allowing us to uh create these tools and just step up our um you know to create new tools and be able to uh investigate things even further all right uh we have a reversing challenge flare on.com check it out thank you very much thank [Applause] you awesome uh we have just a couple of minutes for questions if anybody does want to have a question there's a be a microphone right here we'll also take questions outside we'll be hanging out for a little bit all right nobody okay then uh two things uh announcement there was a uh

cell phone in a blue case left in a taxi this morning it is uh been turned into Hotel uh so go talk to the hotel if uh you lost a blue cell phone uh also please pack it in