Sep 08, 2015 By Jean-Paul Bergeaux In Blog

Insights from Black Hat and DEFCON 2015: Microsoft WMI May Be Hiding Something In Your Environment

It’s been known for a while that Microsoft’s administrative tool WMI (Windows Management Instrumentation) was being used by attackers to penetrate environments. It has powerful capabilities, just like PowerShell, but it also allows remote execution of commands, so its attractiveness to attackers is no surprise.

After Black Hat 2015 and DEFCON23, Fed Agencies should be very worried about what is persistently lurking inside of their systems’ WMI infrastructure. The FLARE team (FireEye Labs Advanced Reverse Engineering) described how WMI is much more than an administrative tool; it’s also a programmable infrastructure that bad actors can use not only to infiltrate but also to hide a persistent presence across reboots.


This architectural design can be found in the PDF of the FLARE team’s presentation here (NOTE: the link goes to a GitHub server, not a DEFCON server).

FLARE listed a number of ways attackers are using WMI, including:

– Reconnaissance

– VM/Sandbox Detection

– Code execution and lateral movement

– Persistence

– Data storage

– C2 communication

What was most surprising, and should be investigated by agencies, is the ability of a bad actor to store data inside the WMI infrastructure, where it persists across reboots and even after system “cleaning” by the most sophisticated cyber security expert. The researchers have proven that bad actors can create hidden malicious WMI provider code, making it a requirement to log changes to WMI and monitor the output daily.

The problem is that finding indexes, objects and mappings inside of WMI has been nearly impossible, until now. The FLARE team released a set of tools that allows an agency to query the WMI infrastructure to discover what has been stored inside it and what hierarchies have been created by any provider. Even more beneficial, FLARE showed how WMI can be turned around into a host IDS that can monitor and alert on nearly everything going on inside an operating system.

Some immediate mitigation suggestions were simple, but not the whole answer:

– Stop the WMI service – Winmgmt?

– Firewall rules

– Event logs:

  • Microsoft-Windows-WinRM/Operational
  • Microsoft-Windows-WMI-Activity/Operational
  • Microsoft-Windows-DistributedCOM

– Preventative permanent WMI event subscriptions

– Control Namespace ACLs

The whole answer is to use the new tools to check inside the WMI of systems and monitor them going forward. The FLARE team also pointed out that security vendors should start programming to use WMI as a weapon against the hackers.
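One way to monitor permanent WMI event subscriptions day to day, as an added example that is not part of the original post and is not one of the FLARE tools: a PowerShell script that uses the built-in CIM cmdlets to record every event filter, consumer and binding in all namespaces and report what changed since the stored baseline. The baseline path and the `-AcceptBaseline` switch are assumptions of this example.

```powershell
# Added example: baseline-and-diff of permanent WMI event subscriptions.
# Run elevated. $BaselinePath is an assumed location, not a Windows default.
param(
    [string]$BaselinePath = 'C:\ProgramData\WmiAudit\subscriptions.txt',
    [switch]$AcceptBaseline   # store the current state as the new known-good set
)

function Get-WmiNamespace {
    # Walk the namespace tree; subscriptions are not limited to root/subscription.
    param([string]$Root = 'root')
    $Root
    Get-CimInstance -Namespace $Root -ClassName __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WmiNamespace -Root "$Root/$($_.Name)" }
}

function Get-WmiSubscriptionLine {
    # One text line per filter, consumer and binding, with every non-empty property.
    $classes = '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding'
    foreach ($ns in Get-WmiNamespace) {
        foreach ($class in $classes) {
            Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $inst  = $_
                    $props = $inst.CimInstanceProperties |
                        Where-Object { $null -ne $_.Value } |
                        ForEach-Object { "$($_.Name)=$($_.Value)" }
                    # Collapse whitespace so multi-line script text stays on one line.
                    $line = "$ns | $($inst.CimSystemProperties.ClassName) | " + ($props -join '; ')
                    $line -replace '\s+', ' '
                }
        }
    }
}

$current  = @(Get-WmiSubscriptionLine | Sort-Object -Unique)
$baseline = @(if (Test-Path $BaselinePath) { Get-Content -Path $BaselinePath })

# A modified entry appears as one Removed line plus one Added line.
$current  | Where-Object { $baseline -notcontains $_ } |
    ForEach-Object { [pscustomobject]@{ Change = 'Added';   Entry = $_ } }
$baseline | Where-Object { $current -notcontains $_ } |
    ForEach-Object { [pscustomobject]@{ Change = 'Removed'; Entry = $_ } }

if ($AcceptBaseline) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Set-Content -Path $BaselinePath -Value $current -Encoding UTF8
}
```

On the first run there is no baseline, so every existing subscription is reported as Added for review; rerun with `-AcceptBaseline` once the entries have been checked.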

If your agency needs help checking systems and setting up logging, monitoring and alerting on WMI, contact SwishData for a services engagement discussion.