
All right, well, I'm gonna get started. Thank you everybody for coming. This talk is on Windows Management Instrumentation; if you're not here for this talk then I won't be offended if you get up and go, but I hope you are here for this talk, so thanks for coming. If you're gonna take a picture of one slide, actually take a picture of this one, because this is where the link to the slides is, so if you want these slides for later I'll let you take a picture of that real quick. These slides are gonna be posted with the video as well, I hope, so if you find this on YouTube you'll be able to get to the slides. I'll keep it up. It has a couple of videos embedded in it for the demos, but I'll be trying to do some of those demos live and I'll be showing some of them.

So our agenda for this talk: a quick hello world, about WMI, using it for evil, and then using it for good.

So hello world. Hi, I'm Jamie, or root, hopefully, with a prompt like that. I am jgeiger on Twitter; I tweet about things, follow me if you like. 1byn is my website; I blog about computer stuff, security things, sysadmin cool tricks I haven't found anywhere else that I had to dig through. I'm an IT manager for my company and I also do some security work and development as well. I love teaching and that's why I love speaking at these kinds of things. There's gonna be only SpongeBob gifs in this, by the way.

So who are you guys? I'm gonna do a couple of raise-your-hands in this. How many people do we have that have heard of WMI before, know what it is? Have you used it in an engagement, in a red team engagement? Okay. Have you used it in a blue team sense, or in defense? Okay, cool. I need PowerShell programmers... a couple, all right. So there's gonna be a lot of PowerShell stuff we're gonna go through; I'll step through it. If you have questions or I'm talking too fast, please tell me, because we're all here to learn. If you have a question, I guarantee you someone else in the room has that question, so please ask, or find me afterwards if you don't feel comfortable; that's totally fine.

What is this WMI thing? Well, it stands for Windows Management Instrumentation, like you saw in the first slide, and it's based on this Web-Based Enterprise Management standard. It's a big standard that was put out by a group for IT management, for data collection, which is awesome, so we'll learn more about that. It's based on this Common Information Model, which is an object-oriented model. How many object-oriented programmers do we have in here? Any Java programmers or anybody like that? C++? Okay, so I'll go through what object-oriented means for those of you who are not programmers in the next couple of slides, but we'll learn about this CIM thing.

What is WMI? Basically it's an interface to interact with objects on Windows, and the really important bullet at the bottom there is that it's available on every version of Windows since Windows 2000. So it makes it a very powerful tool, all the way up from Windows 2000, which you should not be running, to current Windows Server 2016 or Windows 10. And it's remotely accessible, which is really awesome. When you learn some of the things you can do with it, you'll learn that it being remotely accessible might not necessarily be the best thing, or it's great if you're on the red team.

So what is this Common Information Model? It's basically a model, it's a standard; the document is very long, I've read some of it, it's very dry, but it breaks down into defining how to represent anything within a computer system. And so WMI is like Microsoft's implementation of this web-based standard and the Common Information Model. We're gonna go through the components, and I'm going to go through each one of them: namespaces, classes, instances, properties, methods, events, and event consumers. So I have a slide for each one of these, so
we'll go through them now. A namespace is a collection of classes, and you can have sub-namespaces and all these things. I'm gonna show this visually at the end of this explanation, so don't worry about visualizing it in your head right now. They all exist under this thing called root. So there's the default namespace, which is root\cimv2 (Common Information Model 2), and then we have another one that we're gonna worry about, which is root\subscription, so keep that in the back of your head. Like I said, these namespaces are collections of classes, and classes are basically the definitions of some type of object. A perfect example is a user account on the machine: so you'll have a user account class, it'll have properties, which are key-value pairs, so it'll have an account name or a user ID or a SID, and then a value for that. The values actually are put into instances, so you say, here I have these properties that I can fill out, I'll create an instance of this class, and that is Administrator with the SID whatever and their home directory or whatever kind of attributes that class has. It can have methods, which is also cool. So the one that I'm going to be talking about a lot is Win32_Process, which is a class that represents every process on the system, and I can query this WMI interface for processes on the system: process ID, process name, who it's running as. It also has methods like Create or Terminate, and Create is a great method for attackers; we'll get to that later. Many of these properties can be strings, integers.

How do we talk to this thing? It's basically a database of information that we have and then can act on. So how many people have done SQL before, SQL queries? Okay, so for those familiar with it, this will look familiar; if you're not, it's fairly easy to follow. So you're selecting from the table, or the object type, the class Win32_UserAccount, where Disabled equals false, so you're looking for all of the enabled user accounts. This query is going to return you a bunch of objects that are all the enabled user accounts on the system.

What can we use to interface with this? Well, a couple of different things. There's a command-line tool called wmic that can be used; I think it exists on Windows 2000, and you can correct me if I'm wrong on that one, but this one is the most reliable tool because it's on most platforms. WMI Explorer, which is a front end, which I have a demo of on the next slide so you guys can kind of see it. PowerShell, which we'll be focusing on, to create and access classes later in the presentation. You can access it from the Windows API, programming in C#, C++, C, and then there's tons of other interfaces to this. Like I said, this has been around for so long, but it's been adapted to so many different languages; those are just three that I looked up, there's tons more. This next slide actually has
the WMI Explorer demo that I'll talk through real quick. I'll explain what it's actually showing so you don't have to squint. So you go under the root namespace, this is root\cimv2, and you can see there's all of these different classes: Win32_Account, Win32_SID, Win32_Process, Win32_Binary, all this stuff. Each one of these is a class that you can query. So current time; it has information on the number of fans that are connected (this is an AWS machine, so there's no fans connected directly to this virtual machine). But the user groups, this is a specific example, the one that's more understandable. This is user groups, this is the Administrators group, and you can see all of the information that this offers. So like I said, this has domain, name, description, SID. So yeah, I zoomed in here for you so you can see that the group name is Administrators, a SID, whether it's a local account or not. So it has a ton of information, and this is just one of those many things; you saw how long that list was, it's huge, so there's tons of information to query from this. And like I said, these are inheritable, so this inherits from Win32_Account, the group... uh-oh, I will skip over the rest of that one. But like I said, this is what the interface looks like, and this allows you to run through and query everything. You have your namespaces in this panel, you can enumerate these, these are your classes, and then you'll actually be able to go and view instances of classes inside here, and you can check out what properties they have. Like I said, I don't expect you guys to be able to squint and see this, but you can see all the properties they have and what types they are, and you can also see all the methods they have. I believe the demo lays out the process class, so you can see the methods Create and Terminate of the process class. Okay, and so far what this thing is... Yes?
Yeah, I know it's just Win32. I'm pretty sure there are historical reasons for that; it's probably one of their last worries, just like changing the database names. But yeah, that is true, yep. Okay, so yes, sir?

You can look at the parent process ID, but on Windows that's not really reliable; there are functions to actually change the parent process ID. Look into that if you haven't, it's really cool. You can absolutely, based on what the system gives you for information, do your best with whatever the system gives you. If you open Task Manager it'll have the same list, it's the same information. So this is like an alternative, a great alternative API to query stuff with that's common throughout all Windows builds back to Windows 2000.
Not sure about that one; you might have to hook something for that. There are tools to do that, and this is internal, so.

So I'm gonna do a quick overview of how to interact with this in PowerShell. One of these things doesn't work on the most recent version of PowerShell, I tried, so just a heads up for that. Your best friend for examining this is gonna be Get-WmiObject. You can specify the namespace, which defaults to root\cimv2, the class, and then the filter to get objects. These quick -Query and -Filter will not work for some reason; it's broken in PowerShell, it's documented online, but you can use PowerShell filters, which you'll see later, to filter stuff out. You can use the -List command to list the classes in a namespace: I want to see all of them in root\cimv2, and watch it scroll all the way down the screen. I'm gonna get the same result as this window where I have classes here.

Invoke-WmiMethod: so those methods we talked about earlier, where you can maybe create or terminate a process, you can do remotely or locally. You need credentials, you need administrator credentials, so it's not just wide open to the world, but that's something you can play with. And if you're not familiar with PowerShell, to get help with these commands you just put help in front of the command, so it's really, really nice.

Set-WmiInstance: you can create new instances of classes, for certain things, and such. We'll talk about creating classes and actually do some of that later. Remove-WmiObject: be careful with this one, you can actually remove whole classes and then mess up anything that's querying it. So if you remove the Win32_Process class, it's probably not good, because anything looking for processes will be messed up. Yeah? Was it...

I'm not a hundred percent sure about that, and that would be good to look into. I would hope that it wouldn't delete them off file, but stranger things have happened on Windows.

Register-WmiEvent: you can actually register local events to monitor for in a local PowerShell console. There's a way to do that persistently, which we'll talk about later. And you can also interface with these Common Information Model objects directly; this is how you would interface with them remotely, you'll have to start up a CIM session. You can do this command, Get-Command -Noun CIM*, and that will give you all the commands for CIM. I'm not gonna be talking about that series of commands; we're only going to need the ones up here.

A basic PowerShell demo. This says Get-Command -Noun WMI*, and then you can see Get-WmiObject, Invoke-WmiMethod; you can see that these commands exist. So we're gonna try to query for a class, Win32_Process, and then we're going to say ? ProcessName -eq powershell.exe. So I'm running PowerShell, I know that process is running, so I'm just querying for powershell.exe. I'm sorry if this is hard to see, the lighting is sort of weird. So you can see that this object got returned, and it has a process name, powershell.exe, and we can interact with that object by setting it to a variable; this becomes a PowerShell object. So we set it to a variable, and we can just check out the process name, it's got the attribute ProcessName, and then we can also check out all the properties it has to offer by just querying the PowerShell object and see all this data you have from this interface. Like I said, these slides will be up and the videos are embedded, so you can check them out and look closer.
Okay, so I kind of had an interruption to talk about PowerShell and interacting with this thing in PowerShell. I haven't covered the rest of the parts of the Common Information Model that are defined, that I'm talking about in this slide set. So where it gets really interesting is you can have events, filters, consumers, and then binders. So essentially you have these classes that can fire events. There's Win32_ProcessStartTrace, so that'll fire an event whenever a process starts, and so you can query for that and then do actions based on that. So these filters: you have to write a filter to query for these things, and they're in WQL, that language we talked about before, that SQL-familiar thing. So if we want an event to fire whenever an instance of a command prompt pops up, maybe this is just a contrived example, but you can say SELECT * FROM Win32_ProcessStartTrace WITHIN 5, so every five seconds check for this thing, WHERE ProcessName = 'cmd.exe', and then your event filter will fire, and you can query for that and do something based on that. And we'll talk about what actions we can actually do with these consumers in a couple of slides. Consumers basically act on these events when you bind them together with a filter-to-consumer binding, and you can run commands, you can send emails, you can write to logs, so you can see where that can be kind of useful. And all of these, like I said, you can have subclasses; you can have a parent class and then a child class that inherits all of its attributes, and you can extend it. So just an example of that: all event consumers that we're going to talk about in this presentation are children of the __EventConsumer class. I'll go into actually using an example of these in a sec here; this is just the overview.

And now, using WMI for evil. So we're here to attack stuff; if you're here to attack stuff, this is great. These methods have actually been used out in
the wild, right? So APT29, the Russians; anybody here hear about that DNC hack recently? Yeah, right, this guy gets it. So some of the breaches actually used this backdoor, so this is being used out in the wild by real adversaries. So there's this root\subscription namespace that allows you to create special event consumers. If you can read these, you see that they might be very useful. CommandLineEventConsumer allows you to actually run things on a command line, so execute arbitrary code as a system user. ActiveScriptEventConsumer will run VBScript or JavaScript, also useful. A LogFileEventConsumer allows you to write to a log file when that happens, so useful for blue teamers if you're using this method. NTEventLogEventConsumer writes to the event log. And then SMTPEventConsumer, which allows you to send an email. You can mix and match these, you can use them together.

So the APT29 fileless backdoor: essentially what it did was it registered an event filter that queried Win32_LocalTime, and it said every Monday, Tuesday, Thursday, Friday and Saturday at 11:33 a.m. local time run this thing, and it registered a CommandLineEventConsumer to run this crazy encoded PowerShell script that would go and get the Duke malware to exfiltrate data, get commands, grab arbitrary executables, whatever the operators wanted. So this will run on a schedule, which is great for attackers.

Interval backdoors: if you want a persistent callback that calls back, you know, every 15 seconds, you can do this thing called an __IntervalTimerInstruction class, and then you can create this and it'll fire what's called a __TimerEvent every however many milliseconds you would like. But then in your event filter you say SELECT * FROM __TimerEvent WITHIN 15 WHERE TimerId = whatever your timer name is, and what that will do is allow you to run an event consumer. You bind a consumer to this, and you basically have a scheduled task that runs every X milliseconds. You can execute commands, you can use the full power of PowerShell, and you can grab things from the internet and execute them, you can upload files, you can, I don't know, nuke the whole system if you like, every 15 seconds, I guess. If you only do that once, or something like nuking the system, you probably want to use an __AbsoluteTimerInstruction, which will execute at a specific point in time, only once; so fire at a specific time. That's pretty cool. I have a demo of that; it works. These were all failing to start last night, so I'm happy that it actually works. So what's up on the
screen right now: the command is Set-WmiInstance -Namespace root\subscription, so like I said we have to act in that namespace to create that specific consumer. We're gonna create ourselves an instance of the __IntervalTimerInstruction class with the parameters TimerId equals iTimer, and then the interval between events is 15000, which is 15 seconds; every 15 seconds we're gonna fire this event. There we go, the resolution is better on that now. All right, so we're gonna do that, and it created successfully. The next thing we have to do is register an event filter, and I am copying and pasting these. We have to register an event filter, I know that's hard to see, I apologize, which basically does what I said on the last slide, which was SELECT * FROM __TimerEvent WITHIN 15, so query every 15 seconds for this event, WHERE TimerId equals iTimer. So this event filter is going to essentially grab that event, that every-15-second event. So we'll register that real quick, and the next thing you have to do is register a consumer. So this is the part you haven't seen yet. The consumer is actually a simple command line script: you set the command line template for this CommandLineEventConsumer to msg * "Hello world, I am WMI", and so I paste that in just to show you what that's actually gonna do when this thing runs. So it's gonna pop up a message box on the screen, a very, very non-functional example for somebody that's gonna be attacking, but you're definitely gonna be able to put whatever you want there; you can, like I said, run PowerShell commands. Then bind them together with this filter-to-consumer binding that gets created, and then within a couple of seconds here we'll see it pop up. It'll be checking for it, we'll see the message pop up, and it's actually run from an elevated context. And so if you go into the WMI Explorer, you can see that the event consumer was created as a CommandLineEventConsumer with the command msg * hello, the event filter was created with our query, it's still coming up, the filter-to-consumer binding was created with the two names of our filter and consumer, and then the __IntervalTimerInstruction that fires every 15 seconds was created as well. I have a script for that; you can schedule things from this. And, you know, I know people will check scheduled tasks, I know people will check their run keys and things like that, and typical persistence locations, but this is something that people don't really think about. How many people in here, like, run security for
their infrastructures? All right, do you guys check for WMI stuff? Do you guys specifically check in your... So, yes?

Autoruns does catch this, yes. So if you're running... but that's on a host basis. If you're running a massive infrastructure, you know, you're not gonna notice one host that gets infected with this, most likely. It's definitely tough. So it's interesting. There's another evil thing: I saw this when I put this talk together, I saw this tweet and I couldn't help but include it. Matt Graeber is a PowerShell wizard, he's a Windows wizard, he's a good dude, and there's this tool CimSweep that's on the good end, but you can actually recover BitLocker keys from WMI, which is terrifying; like, this is your drive encryption key. So that's the impact of this, right? You can schedule tasks, you can query for information, it's great for recon, and you can also recover things like the BitLocker key, the BitLocker password, which, for those of you who aren't familiar with BitLocker, it's drive encryption for Windows. That's huge. Like I said, you need local admin to get this information, but remember this happens. So, WMI for good. I think that's my favorite gif in the entire world, I don't know. I couldn't just give you guys the evil without the good. Hello.
All this stuff has to be created from an administrator context, but it can be done remotely if you have port 135 open, which is a port that people usually leave alone on Windows networks. So I've been able to do this; you have to have, I think, RPC unfiltered inbound, and the Windows firewall manages that automatically. And if you're running some other sort of firewall on a Windows network, you're gonna allow those ports, because that's what, like, the main domain controller uses to talk, via RPC and the endpoint mapper and stuff. So it's the same kinds of ports that Active Directory uses. So if they're compromised, and I'm pretty sure you can log into this with a domain admin account if you get it, or certain groups, certain permissions, all right.

So I've spent a lot of time in this tool just looking for things that are cool to go through, and one of the things that I found was that Windows Defender actually has a WMI interface, so you can use this for good things. It's at the namespace root\Microsoft\SecurityClient; there's a Malware class. So I don't know if you guys can see this, but SecurityClient and then Malware; we can actually pull up, just as here, our instances of... oh, there we go. Every time it detects a threat, it'll actually register in WMI so you can query. So these are all of them, and you can tell how many times I tested this demo, because that's the number of times that I tested the same thing. So you can get notified when malware is detected. I mean, like I said, that's kind of a not-so-useful example, but think about whenever Windows Defender detects something (and Windows Defender is actually fairly decent these days, better than the old Windows security protection used to be, which was nothing): if you fire an event, you can run a quarantine script, you can run a data collection script. Think of the possibilities: as soon as Windows Defender catches something, you can get the system state, so you have it at that snapshot, at that state in time. That's pretty neat. So you can get notified; you can use that same event filter and consumer trick to actually query for this and then do something based on it.
So you can do whatever you like, whatever a PowerShell script can do or whatever a VBScript can do, you can fire in response to this, so collect data or whatever. So essentially what this is doing is... I wish the resolution would go up to HD. There we go. All right, so essentially here we're creating... I know it's hard to see, I'll read it off to you. So essentially we're creating an event filter that queries the root\Microsoft\SecurityClient namespace and says, all right, whenever an instance creation event fires: SELECT * FROM __InstanceCreationEvent, which is an event that fires whenever an instance of any class in that namespace is created, and the target instance is of the class type Malware, we're gonna fire, we're gonna meet this filter. So we'll register it under the root\subscription namespace. We'll register a consumer for this, which in this example, like I said, we're just going to do something simple: we're going to pop up a little message that says, hey, you have malware at this directory, and this user launched it, and the severity is this, the Windows Defender severity ID is such-and-such. I'll register that as a CommandLineEventConsumer like we did before with the malicious part, and then finally you bind them both together with a filter-to-consumer binding; that was created successfully.

As an attacker, we'll go and unzip Mimikatz, so we know that's going to get caught; Windows Defender knows that it's a tool to dump passwords out of memory, and other things, credentials out of memory. So we can see that Windows Defender did find it, and then in a couple of seconds here there will be a notification that will run, showing that our filter worked. You can see it pops up a message that says malware @ C:\Users\Administrator\Desktop\mimikatz\Win32\mimidrv.sys, which is the driver for Mimikatz that it uses to dump memory, and then from Administrator, severity 4. You can take the information from that class and feed it into whatever scripts you're running on the command line in response to this. You can say, you know, hey, we have this malware information collection script that we're supposed to run when the system detects malware; perfect, feed the information to it, tell it where the malware is, and then you can fire off an alert too. You can also do event logs too, so you can fire off an alert; I'm sure you're collecting central logs and monitoring, you can fire that off as well. I'm fairly certain that Windows Defender already writes to an event log, but just to show the kind of possibilities of what you can do: you can send an email as well with the description, so you know exactly which user is trying to infect your machines when Windows Defender catches it. And anybody can develop and make interfaces for WMI, so another... I'm not sure if there are any antivirus providers that are doing this, but they can provide an interface to this if they would like. You can see, going through it in WMI Explorer, all the information: the path and all the stuff; it gives you the category ID, it gives you the threat ID, it gives you the threat name, the domain it was on, the time it was executed, the action that was taken against it. It gives you all this information that you can use and siphon off somewhere else.
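The Windows Defender filter, consumer and binding described above, built out as an added example; this is not the speaker's own monitor-malware script. It assumes an elevated PowerShell session and that the Malware class in root\Microsoft\SecurityClient exposes ThreatName, Path and UserName, as the talk describes. In place of the demo's msg pop-up it uses an NTEventLogEventConsumer so the detection lands in the Application event log; the helper name New-PermanentWmiSubscription and the event ID 4242 are this example's own choices.

```powershell
# Added example, not the speaker's monitor-malware script. Creates a permanent WMI
# subscription: whenever Windows Defender records a new instance of the Malware class in
# root\Microsoft\SecurityClient, an NTEventLogEventConsumer writes a warning to the
# Application event log. Assumes an elevated PowerShell and that the Malware class carries
# ThreatName, Path and UserName properties, as described in the talk.

function New-PermanentWmiSubscription {
    param(
        [Parameter(Mandatory)][string]$Name,            # name shared by filter and consumer
        [Parameter(Mandatory)][string]$EventNamespace,  # namespace the filter watches
        [Parameter(Mandatory)][string]$Query,           # WQL event query
        [Parameter(Mandatory)][string]$ConsumerClass,   # e.g. NTEventLogEventConsumer
        [Parameter(Mandatory)][hashtable]$ConsumerArgs  # consumer-specific properties (no Name)
    )
    # Permanent subscriptions live in root\subscription, the namespace the talk uses.
    $ns = 'root\subscription'

    $filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
        Name           = $Name
        EventNamespace = $EventNamespace
        QueryLanguage  = 'WQL'
        Query          = $Query
    }

    $consumer = Set-WmiInstance -Namespace $ns -Class $ConsumerClass `
        -Arguments ($ConsumerArgs + @{ Name = $Name })

    # Nothing fires until the filter and the consumer are bound together.
    $binding = Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }

    [pscustomobject]@{ Filter = $filter; Consumer = $consumer; Binding = $binding }
}

# Intrinsic (polled) event: every 30 seconds WMI checks for newly created Malware
# instances. WITHIN 30 rather than the demo's 5 or 15, following the speaker's own
# Q&A advice not to poll more often than that.
$malwareQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 30 " +
                "WHERE TargetInstance ISA 'Malware'"

# %TargetInstance.<Property>% is the standard string-template syntax consumers expand.
$subscription = New-PermanentWmiSubscription `
    -Name           'DefenderDetectionToEventLog' `
    -EventNamespace 'root\Microsoft\SecurityClient' `
    -Query          $malwareQuery `
    -ConsumerClass  'NTEventLogEventConsumer' `
    -ConsumerArgs   @{
        SourceName               = 'WinMgmt'   # the consumer's default event source
        EventID                  = 4242        # constructed ID for this example
        EventType                = 2           # 1 = error, 2 = warning, 4 = information
        NumberOfInsertionStrings = 3
        InsertionStringTemplates = @('%TargetInstance.ThreatName%',
                                     '%TargetInstance.Path%',
                                     '%TargetInstance.UserName%')
    }

$subscription.Binding | Format-List Filter, Consumer
```

Because the consumer writes to the Application log, the detection now travels with whatever central log collection is already in place; `Get-WinEvent -FilterHashtable @{LogName='Application'; Id=4242}` shows the entries, with the three insertion strings carrying the threat name, path and user. Swapping the consumer class and arguments is all it takes to run a collection script (CommandLineEventConsumer) or send mail (SMTPEventConsumer) instead.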
There's a tool called CimSweep, which essentially is an open-source PowerShell project that was mentioned earlier to grab the BitLocker keys, but if you're a blue teamer, or if you're running an environment, you have this open; why would you not use it for collection on your hosts to see if anything's wrong? There's a wealth of information there. And like I said, you can collect this stuff remotely, so CimSweep is designed to be used at large scale, in a large-scale enterprise with many, many Windows machines. So you can use this to collect forensics data if you know something's wrong; you can use this to just generally query stuff if you're curious, to collect. It's on GitHub; contribute if you can, if you know PowerShell. It's a great tool for threat hunting and incident response, because, you know, gathering that much information off hundreds and hundreds of machines is a tough task, but if you can do it all remotely with the click of a button...
How do you find and stop this? Register a consumer and filter to tell you if there are any new consumers created. So if someone malicious is trying to persist using this method, you can use that __InstanceCreationEvent thing we did before with the Malware class; you can say, hey, if anybody registers one of these, tell me about it, or delete it; probably tell you about it, so you know where the leak is in your infrastructure, or, if somebody's trying to do something nasty, just delete them all and make sure there are none there. There are legitimate uses for this, I will tell you that: the Amazon machines that I spun up for the recorded demos for this, they all have at least one registered event consumer, filter and binder. So this is a real thing that people use sometimes; make sure you're not deleting anything important off your system. I don't remember what it was for, but it was something. I have the command in the slide show notes, I forget what it is, I didn't feel like pasting it in here, but if you're curious go check out the slides. But there is a way to turn on verbose logging for this; it's off by default, which I'll get to. So the logging, the verbose logging: I think after doing all the demos I looked at the log file and it was like 20 lines long, and didn't have a single command that I ran in it. You'll see the access for it, especially if you run it remotely; you'll see successful login, ID 4624, which is the successful login ID for Windows event logs, but type 3, network. I'm pretty sure other things are gonna fire that, but for administrator accounts that shouldn't be firing all that often unless you're doing a lot of remote activity normally, or standard infrastructure. Always audit your admin accounts; that's something that's huge. I mean, normally your admins should be performing admin tasks with their admin account and then have a separate account to check their email. I know I saw something recently, I think someone was running as an admin and checking their email, and they got popped; that happens. So make sure you audit your admin accounts, who has access; I know your CEO wants domain admin, but he probably doesn't need domain admin. Yeah.

So, checking for stuff with Sysinternals tools: Autoruns will catch this, and if you try to run PowerShell, if you explicitly run PowerShell, just powershell and then some commands, in Autoruns it will come up red, which is a big, big alert, so definitely check that out. Autoruns is a great tool; it finds things that run automatically on your system, or pretty much any place: registry, directories, WMI, all that stuff. I'm a bit under time, but that's okay.

Regular references: check out this presentation itself. I can go back to the first slide to give you the link to it if you'd like to grab it, the bitly link, if you want to grab that and check out the slides. They're open to view; all the demos are on there with the direct link and also embedded. They said they weren't working at all last night, embedded, so for some reason things started working better when I gave my presentation. Definitely check out all these resources; this is how I learned about this, these were great, great helps. The APT29 stuff: there's a great write-up on that. I practiced scheduling these things in C++; there's a way to do that and some sample code on my blog, 1byn, if you want to go there. And then the monitor-malware script, which is on GitHub, it's on a gist, so you can grab it, and the CimSweep repository, check that out, grab it. I said I'm a bit under, but that's okay; I recorded my demos. Last time I gave this I did the demos all live, but I was paranoid this time. So, questions from anybody? Pretty good. Hello.
What... I think... I'm not 100% sure which version the WMI commands were added in. I want to say anything beyond PowerShell 3 you're perfectly safe, but that's the case for most stuff; I'd have to look into that more closely. When in doubt you can use wmic, and wmic will allow you to do all the same things, and it should be on everything since Windows 2000. So PowerShell's nice, it allows you to work with objects very nicely, but you can definitely do it with wmic or in C++ with the Windows API.

That's a good point. So my demos have, like, SELECT blank WITHIN... SELECT * FROM blank WITHIN 5, WITHIN 15. Don't do that if you're gonna run these normally; don't do anything under 30, because that's querying this thing over and over and over again, and that's definitely not something you want to do on a regular basis. And he said there are some versions that will cause spikes just regardless, right? Particular... okay. Oh, watch out for that. Test this if you're gonna deploy it, as with anything. Good question. And your question?

I don't think wmic has that capability; I think you just specify the computer name and then you can specify a user name and password, and it will allow you to execute stuff. I know PowerShell will allow you to do it, but I'm almost 100% sure that you can do it with wmic. So, as I covered before (I think I skipped over that part, actually), you can run this via normal PowerShell remoting, either the non-encrypted or the encrypted version; you can also run it over port 135. I have a challenge that I'm running for my company where, for one of the problems, you literally have to connect to it with just port 135 open, and then RPC, that's the only port open, and you can compromise the host completely with credentials, but that is somewhere else; hopefully nobody that's on that challenge is here. Yeah, okay, anyone else have questions? Yes, I can do that, yeah, please.

If you're gonna take a picture of one slide, this is gonna be the one, because this has the link. We'll try to put the link up on the YouTube video as well, and the slides; check that out, follow me on Twitter.

I'm not sure if there's a way to do specific, like, disabling specific methods; if you disable WMI as a whole your system will not function, so I think it's kind of an all-or-none kind of thing. If you have that admin access, you have access to that port, it's kind of game over if somebody wants to use it and you don't have good egress filtering. But if someone has your admin password, you've got bigger issues than that one host, I think. All right, anybody else? I think we're good. Thank you so much for coming, I really appreciate it; hopefully it was informative for you and you can use it in some way in your jobs, and tell people about it. Thanks. [Applause]
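The "how do you find and stop this" step from the talk, written out as an added example (not the speaker's code): an inventory of everything registered in root\subscription (filters, consumers, bindings and timer instructions, including the interval timer from the demo), a removal helper that takes a binding apart in the right order, and a console-local Register-WmiEvent watcher that warns when a new binding appears. The function names, the placeholder names DemoFilter and DemoConsumer, and the -ComputerName/-Credential handling are this example's own assumptions; the remote parameters are the standard Get-WmiObject ones and, as the talk says, need admin rights on the target, which is also what makes the inventory usable CimSweep-style across many hosts.

```powershell
# Added example, not part of the talk. Inventory, watch for, and remove permanent WMI
# subscriptions in root\subscription. Assumes an elevated console; for a remote host the
# usual Get-WmiObject -ComputerName/-Credential parameters apply and need admin rights
# there, as the talk says.

function Get-WmiSubscriptionInventory {
    param(
        [string]$ComputerName = '.',   # '.' is the local machine
        [pscredential]$Credential      # only valid for remote hosts
    )
    $common = @{ Namespace = 'root\subscription'; ComputerName = $ComputerName }
    if ($Credential -and $ComputerName -ne '.') { $common.Credential = $Credential }

    $filters   = Get-WmiObject @common -Class __EventFilter
    $consumers = Get-WmiObject @common -Class __EventConsumer
    $bindings  = Get-WmiObject @common -Class __FilterToConsumerBinding
    $timers    = Get-WmiObject @common -Class __TimerInstruction   # interval and absolute timers

    foreach ($b in $bindings) {
        # Binding references look like __EventFilter.Name="iTimer"; pull out the name.
        $filterName   = ($b.Filter   -split '"')[1]
        $consumerName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName

        # What actually runs when the filter fires depends on the consumer class.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            'LogFileEventConsumer'      { $c.Filename }
            'SMTPEventConsumer'         { "mail to $($c.ToLine)" }
            'NTEventLogEventConsumer'   { "event id $($c.EventID)" }
            default                     { $null }
        }

        [pscustomobject]@{
            Computer     = $ComputerName
            Filter       = $filterName
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            Consumer     = $consumerName
            Payload      = $payload
            TimerIds     = ($timers | ForEach-Object TimerId) -join ','
        }
    }
}

function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )
    $ns = 'root\subscription'
    # Binding first, so nothing can fire between the two deletions that follow.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { ($_.Filter -split '"')[1] -eq $FilterName -and
                       ($_.Consumer -split '"')[1] -eq $ConsumerName } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object Name -eq $FilterName   | Remove-WmiObject
}

# Temporary, console-local watcher (the Register-WmiEvent cmdlet from the talk): warns
# whenever a new binding appears. It lasts only as long as this PowerShell session.
$watchQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 30 " +
              "WHERE TargetInstance ISA '__FilterToConsumerBinding'"
Register-WmiEvent -Namespace 'root\subscription' -Query $watchQuery `
    -SourceIdentifier 'NewWmiBinding' -Action {
        $new = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host "New WMI subscription binding: $($new.Filter) -> $($new.Consumer)" -ForegroundColor Yellow
    }

# Usage: list everything, then remove a pair by name (DemoFilter/DemoConsumer are placeholders).
Get-WmiSubscriptionInventory | Format-Table -AutoSize
# Remove-WmiSubscription -FilterName 'DemoFilter' -ConsumerName 'DemoConsumer'
```

The inventory prints the filter query next to the consumer's payload, which is what you need to judge a subscription: a CommandLineEventConsumer whose template launches an encoded PowerShell command on a __TimerEvent looks nothing like the legitimate entries the speaker found on the stock AWS images. Run it across hosts by passing -ComputerName and -Credential, and keep the removal step manual until you have confirmed what each entry is for, since the talk's warning about deleting something important applies. The watcher is for a live investigation; making it permanent means registering it as a filter/consumer pair of its own, the same way the Defender example does.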