Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
Security solutions engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind.
WMI provides rich information about the computing environment which allows monitoring via event filters, consumers, and bindings to get notifications about important OS events. These features make WMI critical for solutions such as EDRs, AVs, SIEMs.
The bad news: WMI is vulnerable by design, as shown by its use for malware persistence (APT41, FIN6) and arbitrary code execution (APT29, Stuxnet). Malware countermeasures can disable WMI, making these defense solutions useless.
We will provide an analysis of the WMI architecture by reversing user-mode variables and functions from DLLs to demonstrate several new user-mode attacks.
The core vulnerability of WMI is that the DLLs loaded into the WMI core process (WinMgmt) leverage "flags" to perform WMI operations. Attackers can block access to WMI (receiving new OS events, installing new WMI filters) by modifying these flags. There are no built-in features to block these attacks or repair WMI.
These attacks can be detected by inspecting the memory of the WMI core service, and the same inspection can disclose other attacks on Windows OS components, including privilege escalation, token hijacking, and ETW blinding.
These attacks impact all versions of Windows, since they exploit the design of WMI's core features.
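Enumerating the permanent filters, consumers and bindings the abstract refers to is the starting point for the kind of inspection described here. The following PowerShell is an added example, not code from the talk or from the WMI-parser tool; it assumes an elevated Windows PowerShell 3+ (or PowerShell 7 on Windows) session, and the list of code-executing consumer classes is a hand-picked assumption.

```powershell
# Added example: list every permanent WMI event subscription in root\subscription
# and resolve each binding to its filter query and consumer payload, so an IR
# analyst can review them for persistence. Requires Get-CimInstance and admin rights.
function Get-WmiPersistenceReport {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    # Consumer classes that run attacker-supplied code when their filter fires (assumption).
    $codeExecConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    # Filters: the WQL query decides which OS event triggers the consumer.
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        ForEach-Object { $filters[$_.Name] = $_ }

    # __EventConsumer is the abstract base class, so this returns every subclass instance.
    $consumers = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        ForEach-Object { $consumers[$_.Name] = $_ }

    # Bindings glue a filter to a consumer; a binding whose ends are missing is itself notable.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        ForEach-Object {
            $filterName    = $_.Filter.Name
            $consumerName  = $_.Consumer.Name
            $consumer      = $consumers[$consumerName]
            $consumerClass = if ($consumer) { $consumer.CimClass.CimClassName } else { '<missing>' }

            # The payload lives in a different property depending on the consumer class.
            $payload = switch ($consumerClass) {
                'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
                'ActiveScriptEventConsumer' { $consumer.ScriptText }
                default                     { $null }
            }

            [pscustomobject]@{
                Filter        = $filterName
                Query         = if ($filters[$filterName]) { $filters[$filterName].Query } else { '<missing>' }
                Consumer      = $consumerName
                ConsumerClass = $consumerClass
                Payload       = $payload
                ExecutesCode  = $codeExecConsumers -contains $consumerClass
            }
        }
}

# Typical use: review everything, with bindings that can execute code sorted to the top.
Get-WmiPersistenceReport | Sort-Object ExecutesCode -Descending | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good baseline of the same host; the abstract's point is that an attacker who has flipped WinMgmt's internal flags can keep new filters from being installed or events from being delivered, so an empty or unchanged listing is not by itself proof that WMI is healthy.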
Claudiu Teodorescu is CTO at firmware security firm Binarly. He has an extensive background in Computer Forensics, Cryptography, Reverse Engineering, and Program Analysis. While at Cylance, he focused on program analysis to augment the ML model feature space with code-specific artifacts.
Prior to Cylance, Claudiu worked for FireEye, in the FLARE (FireEye Labs Advanced Reverse Engineering) team as a Sr. Reverse Engineer, leading research projects such as WMI and Application Compatibility based malware persistence, Windows 10 RAM page compression, and also serving as an instructor of FLARE’s Advanced Malware Analysis course (Black Hat USA 2015, 2016).
Claudiu is the author of the WMI-parser tool to help IR teams forensically identify malware persistence.