Atlantic Security Conference

Living of the land comprises of using system tools by attackers for malicious purposes. System tools not only provide stability but zero risk of being flagged as malware. This talk is focused on the use of PowerShell and WMI by attackers for malicious purpose. PowerShell and WMI are powerful technologies designed by Microsoft for streamlining administrative workloads, however attackers are abusing this technology for malicious purposes.

PowerShell is installed by default on Microsoft Windows operating system, since windows 7 and windows 2008 r2. WMI is part of windows operating system long before the author bought his first computer, to be precise since Windows NT days. Since WMI and PowerShell are inbuilt system technology It is nearly impossible for traditional security tools to distinguish between legitimate and malicious use of these two technologies. Moreover, while WMI remains elusive, PowerShell has recently gained momentum among system administrators to automate their workloads making it even harder to detect malicious activity. PowerShell is a command line utility build on top of .NET framework. PowerShell contains number of cmdlets to carry out various tasks, new cmdlets are added with each new version of PowerShell. System administrators can simply automate workloads using PowerShell. PowerShell remoting can be used by administrators to execute commands on multiple computers without having to log into each system and running the commands on individual systems. WMI is Microsoft representation of system information which follows the Web Based Enterprise Management (WBEM) built on the Common Information Model (CIM). In layman's terms WMI is a database which contain information about the system. A powerful feature of WMI is WMI eventing. WMI eventing provides the capability to generate alerts on every major or minor change to the system, in turn response triggers can be configured for an alert. A response can be anything from simply generating a log entry to execution of a command or script. An attacker can leverage this to execute a command or a script based on an event. PowerShell and WMI are legitimate system tools making it impossible for defenders to block them. Logging is not enabled by default for both PowerShell and WMI, however once logging is enabled PowerShell and in particular WMI can generate infinitude logs and overloading the log management solution and SOC team. Behavioural analysis can help decipher between legitimate and malicious behaviour.

The purpose of this talk is to educate the audience, including defenders, about PowerShell and WMI. We hope that this would help them to think like an attacker and be creative in implementing controls to flag malicious use of PowerShell and WMI.