Write-Ups
thewildspirit, Sep 16, 2022
During a recent security assessment of a well-known consulting company, the competent team found some employees' credentials in publicly available breach databases. Thus, they called us to trace down the actions performed by these users. During the investigation, it turned out that one of them had been compromised. Although their security engineers took the necessary steps to remediate and secure the user and the internal infrastructure, the user was getting compromised repeatedly. Narrowing down our investigation to find possible persistence mechanisms, we are confident that the malicious actors use WMI to establish persistence. You are given the WMI repository of the user's workstation. Can you analyze and expose their technique?
The downloadable file for this challenge is the WMI repository folder.
For this challenge, I wanted to demonstrate how WMI is used as a persistence mechanism in the wild, so I did some research on how both pentesters and malicious actors tend to use it. But before explaining the intended solution, let's go over the basics first.
WMI stands for Windows Management Instrumentation. It is a set of tools that allows administrators to manage and monitor Windows systems, and it is installed by default on every modern Windows version.
Some basic terms are:
Event Filter: Enables you to query for and receive events that match specified criteria and trigger an Event Consumer
Event Consumer: This allows you to receive and process events from a WMI event provider
Binding: Binds the Filter and Consumer together
MOF: Managed Object Format file, defines WMI classes to be inserted into the repository
The WMI repository is a database that contains information about the Windows Management Instrumentation (WMI) classes installed on a computer, and it has the following structure:
OBJECTS.DATA: Objects managed by WMI
INDEX.BTR: Index of files imported into OBJECTS.DATA
MAPPING[1-3].MAP: Correlates data in OBJECTS.DATA and INDEX.BTR
As described by MITRE:
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user logging, or the computer's uptime. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.
The challenge's objective was deliberately hinted at in the description, so players had the chance to become familiar with the concept before even starting the challenge.
As always, challengers should start with the low-hanging fruit, which in our case, given a WMI repository, means looking for filter-to-consumer bindings. If our theory holds, the attackers' payload would be executed as soon as the filter's condition is met.
For this task, we will use a Python script from the WMI_Forensics repository to parse the OBJECTS.DATA database and locate the persistence mechanism through its __FilterToConsumerBinding objects.
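To show what the binding hunt above looks like in practice, here is an added example (my own code, not the write-up's intended solution and not code from the WMI_Forensics project). It carves __EventFilter, *EventConsumer and __FilterToConsumerBinding strings out of an OBJECTS.DATA-style blob, joins the three by name, and flags any binding that is not one of the pairs Windows ships by default. The byte blob is constructed for this example and only imitates the order in which those strings appear in a real repository; the real file is a binary page store with mixed ASCII and UTF-16 strings, so the regexes here are an approximation of the string-carving approach, not a parser of the on-disk format. All object names and the command line in the sample are invented.

```python
"""Carve WMI event-subscription persistence out of an OBJECTS.DATA-style blob.

Added example, not code from the write-up or from WMI_Forensics. The sample
bytes are CONSTRUCTED: they mimic the string order of real objects but not the
binary page layout, and real repositories also carry UTF-16 strings, which this
ASCII-only carve would miss.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Filter/consumer pairs that Windows itself registers in root\subscription.
KNOWN_DEFAULT_BINDINGS = {
    ("SCM Event Log Filter", "SCM Event Log Consumer"),
    ("BVTFilter", "BVTConsumer"),
}

# Constructed sample: one default pair (benign control) and one invented
# subscription whose filter fires about four minutes after boot.
SAMPLE_OBJECTS_DATA = (
    b"\x00__EventFilter\x00SCM Event Log Filter\x00"
    b"select * from MSFT_SCMEventLogEvent\x00WQL\x00"
    b"\x00NTEventLogEventConsumer\x00SCM Event Log Consumer\x00"
    b"Service Control Manager\x00"
    b"\x00__FilterToConsumerBinding\x00"
    b"NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"\x00"
    b"__EventFilter.Name=\"SCM Event Log Filter\"\x00"
    b"\x00__EventFilter\x00UpdaterFilter\x00"
    b"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
    b"TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
    b"AND TargetInstance.SystemUpTime >= 240\x00WQL\x00"
    b"\x00CommandLineEventConsumer\x00UpdaterConsumer\x00"
    b"C:\\Users\\Public\\updater.exe /silent\x00"
    b"\x00__FilterToConsumerBinding\x00"
    b"CommandLineEventConsumer.Name=\"UpdaterConsumer\"\x00"
    b"__EventFilter.Name=\"UpdaterFilter\"\x00"
)

# Filter objects: class marker, then name, then the WQL query.
FILTER_RE = re.compile(rb"__EventFilter\x00([^\x00]+)\x00([^\x00]+)\x00")
# Consumer objects: class (CommandLine/ActiveScript/NTEventLog...), name, payload.
CONSUMER_RE = re.compile(rb"(\w+EventConsumer)\x00([^\x00]+)\x00([^\x00]+)\x00")
# Bindings store object paths, e.g. CommandLineEventConsumer.Name="X".
BINDING_RE = re.compile(
    rb'__FilterToConsumerBinding\x00(\w+EventConsumer)\.Name="([^"]+)"\x00'
    rb'__EventFilter\.Name="([^"]+)"\x00'
)


@dataclass
class Subscription:
    filter_name: str
    query: str
    consumer_class: str
    consumer_name: str
    payload: str
    known_default: bool


def _s(raw: bytes) -> str:
    return raw.decode("latin-1")


def find_filters(blob: bytes) -> dict[str, str]:
    """Map filter name -> WQL query for every carved __EventFilter."""
    return {_s(m.group(1)): _s(m.group(2)) for m in FILTER_RE.finditer(blob)}


def find_consumers(blob: bytes) -> dict[str, tuple[str, str]]:
    """Map consumer name -> (consumer class, payload such as a command line)."""
    return {_s(m.group(2)): (_s(m.group(1)), _s(m.group(3))) for m in CONSUMER_RE.finditer(blob)}


def resolve_subscriptions(blob: bytes) -> list[Subscription]:
    """Join each binding to its filter and consumer; bindings are the pivot."""
    filters, consumers = find_filters(blob), find_consumers(blob)
    found = []
    for m in BINDING_RE.finditer(blob):
        consumer_class, consumer_name, filter_name = (_s(g) for g in m.groups())
        cls, payload = consumers.get(consumer_name, (consumer_class, "<consumer not carved>"))
        found.append(Subscription(
            filter_name=filter_name,
            query=filters.get(filter_name, "<filter not carved>"),
            consumer_class=cls,
            consumer_name=consumer_name,
            payload=payload,
            known_default=(filter_name, consumer_name) in KNOWN_DEFAULT_BINDINGS,
        ))
    return found


def suspicious_subscriptions(blob: bytes) -> list[Subscription]:
    """Everything that is not a Windows default deserves an analyst's eyes."""
    return [s for s in resolve_subscriptions(blob) if not s.known_default]


if __name__ == "__main__":
    # Usage: python carve_wmi.py [path\to\OBJECTS.DATA]; falls back to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OBJECTS_DATA
    for sub in resolve_subscriptions(data):
        tag = "default" if sub.known_default else "REVIEW"
        print(f"[{tag}] {sub.filter_name} -> {sub.consumer_class}/{sub.consumer_name}")
        print(f"    query:   {sub.query}")
        print(f"    payload: {sub.payload}")
```

The binding is the right pivot because a filter or consumer on its own does nothing; only the __FilterToConsumerBinding turns them into a trigger plus action. On a real repository, expect the carved strings to be interleaved with binary data and sometimes stored as UTF-16, which is why the write-up leans on a purpose-built tool rather than a plain grep.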