Windows Security: WMI Event Consumers and Scheduled Tasks

Questions and Answers

What does a MOF file do in the context of WMI?

Installs antivirus software

Deletes system logs

Creates a WMI event filter and consumer (correct)

Generates random encryption keys

Which tool can be used to identify WMI event filters and consumers?

Metasploit

Autoruns (correct)

Nmap

Wireshark

What is the purpose of the Get-WmiObject PowerShell cmdlet?

To back up system files

To identify and help remove suspicious WMI entries (correct)

To create encryption keys

To capture network traffic

What is the name given to the WMI event filter in the provided MOF file?

GenericFilter

Which query language is used in the event filter specified in the MOF file?

WQL

What is the command line template used by the CommandLineEventConsumer in the MOF file?

C:\windows\evil.exe

What is the purpose of the #PRAGMA AUTORECOVER directive in the MOF file?

Ensures the script will recover from errors automatically

Which event is being monitored in the MOF file's event filter?

_InstanceModificationEvent

Which command can be used to schedule tasks on a remote system?

schtasks.exe

In which directory are .job files for scheduled tasks stored in Windows 7?

C:\Windows\System32\Tasks

Which scheduled task utility offers more features and fine control?

schtasks.exe

For which Windows version was a dedicated event log, 'Task Scheduler Operational,' added for logging scheduled tasks?

Windows Vista

Which file records task information in Windows XP?

C:\Windows\Schedlgu.txt

What was the persistence mechanism used by the SUNSPOT malware in the SolarWinds attack?

Scheduled tasks

What type of attacks can remote scheduled tasks aid in?

Credential dumping

Which tool would you use to collect currently scheduled jobs on a Windows system?

Autoruns

What is the percentage range of signed malware according to the McAfee 2019 Threat Report?

1-3%

Which of the following is a benefit of signing malware?

Allows malware to stay hidden longer by being trusted

Why might malware authors avoid signing their malware?

It avoids burning a family of malware if the certificate is revoked

Which of the following strategies is recommended for examining suspicious code?

Initially examining all unsigned code

What percentage of malware samples was typically signed in some quarters?

Less than 1%

What main advantage does signed malware provide for espionage purposes?

Longer undetected presence

Which of the following is NOT a common name for malware?

services.exe

What is a significant drawback of signing malware for rapid development?

Slows down the release process

Which folder is least likely to house malware?

\Documents

Which folder is mentioned as being suspicious for unsigned code?

Windows\System32 folder

What is an example of a common malware tactic to hide its activity?

Process hollowing

Why does the name 'svchost.exe' make for an effective disguise for malware?

It is commonly seen with many instances running

Which location would be suspicious for executable files to run from?

$Recycle.Bin

What feature of a standard Microsoft Windows system contributes to malware's ability to 'hide in plain sight'?

The vast number of files and folders

Which of the following is NOT a common location for malware on Windows systems?

\Users\Public

What tool can provide statistics to help identify trends in malware locations and names?

VirusTotal

What are the three main components needed for setting up a WMI Event Consumer Backdoor?

Event Filter, Event Consumer, Binding

What privilege level do WMI consumers run with?

SYSTEM

What tool can be used to identify and help remove suspicious WMI entries?

Get-WmiObject

Which malware was mentioned as possibly the first to use the WMI Event Consumer Backdoor?

Stuxnet

What is the purpose of the binding component in a WMI Event Consumer backdoor?

To connect the event filter and event consumer

What is a MOF file used for in the context of WMI Event Consumers?

To register new classes into the WMI repository

Which tool was NOT mentioned for setting up WMI Event Consumers?

System Center Configuration Manager

Why is WMI often overlooked by security professionals despite its powerful capabilities?

Because its scope of functionality is not widely recognized

Which PowerShell command can be used to query WMI event filters in the 'root\Subscription' namespace?

Get-WMIObject -Namespace root\Subscription -Class _EventFilter

Why is PowerShell considered an obvious choice for detecting attacks like WMI event consumers?

It provides native support for WMI and easy scalability.

What makes it possible to detect WMI threats without fancy tools?

Basic PowerShell commands

What class should you query with PowerShell to gather WMI event consumers?

_EventConsumer

Which namespace should be queried in addition to 'root\Subscription' to detect WMI event consumers?

root\Default

What is likely the intention behind using non-standard namespaces for WMI event consumers?

Evasion of detection by defenders

When querying WMI classes for detection, what is recommended if you cannot allowlist standard false positives?

Query using a more specific class parameter

Which of the following classes should be queried to bind event filters to consumers?

_FilterToConsumerBinding

What is the main purpose of identifying AutoStart Persistence Locations?

To find programs that start automatically at system boot or user logon.

Which registry key is NOT typically used to automatically start programs when a user logs on?

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Which of the following mechanisms allows a new version of a legitimate DLL to be provided?

DLL Side-Loading

What would be the likely consequence of modifying the Userinit registry key to include a malicious binary?

The malicious binary would execute at boot.

Which of the following describes why the %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup location is used by attackers?

Creating persistence here does not require administrator rights.

What is the main characteristic of Phantom DLL Hijacking?

Replacing or creating DLLs that applications attempt to load but either don't exist or can be replaced

Which option is not part of the typical DLL search order with SafeDllSearchMode enabled?

Network location

Which AutoStart Persistence Location is located in the file system rather than the registry?

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

What is the significance of the 'run' registry keys according to the content?

They execute items when a user logs on.

What is the known vulnerability related to the Windows desktop Explorer.exe?

Loading an unprotected DLL named ntshrui.dll

Why is analyzing AutoStart data across many systems useful?

To identify potentially compromised systems.

What is a method to discover DLL hijacking attacks?

Performing file system forensic analysis

Which of the following RATs is associated with DLL Side-Loading?

NetTraveler

What is a common use case for the 'RunOnce' registry keys?

To ensure specific tasks run only once at user logon.

Which DLL Hijacking method involves copying susceptible.exe and corresponding bad.dll to a location of choice?

Relative Path DLL Hijacking

Which location is NOT part of the registry?

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

What is the first location checked in the DLL search order on modern systems with SafeDllSearchMode enabled?

DLLs already loaded in memory

What does 'ASEP' stand for in the context of Windows security?

AutoStart Extension Points

What is the main tactic used in phantom DLL hijacking?

Creating a malicious file with the same name as an old DLL and placing it in the search path

What is DLL side-loading typically used to exploit?

Windows side-by-side (SxS) DLL loading mechanism

Which of the following is a characteristic of relative path DLL hijacking?

Involves writing permissions to sensitive folders like Windows\System32

Which mitigation strategy focuses on the use of signed DLLs?

Validate image dependency integrity

What is the role of AppLocker/Device Guard in mitigating DLL attacks?

It limits where DLLs can be loaded

Why is the SxS functionality vulnerable to abuse?

It allows loading updated DLLs with few validity checks

What does the term 'bring your own executable' refer to in the context of DLL hijacking?

Copying a susceptible executable to a writable location and adding a malicious DLL

Which feature of Microsoft Exploit Protection is mentioned as a limited mitigation?

Validate image dependency integrity

What is the primary reason legitimate binaries are used in attacks?

They can evade security tools and allow-listing

Which binary is used to execute commands and bypass application whitelisting?

Bash.exe

What function does Bitsadmin.exe NOT perform?

Encode

What makes rundll32.exe difficult to detect when used illegitimately?

It requires specific arguments and a DLL function name

Which project collects, categorizes, and provides example usage of legitimate Windows binaries abused by attackers?

LOLBAS

Why has there been an increase in the usage of native Windows tools for malicious purposes?

Host-based security tools have improved in detecting and preventing unsigned malicious code

What is a key indicator that rundll32.exe might be used for malicious purposes?

It executes a DLL from an alternate data stream

What additional information do defenders need to distinguish between legitimate and illegitimate executions of rundll32.exe?

Full command line and arguments

Why are native Windows tools being creatively repurposed by attackers?

To mimic legitimate administrative activities

What specific use case of Certutil.exe is commonly seen?

Downloading files and decoding obfuscated payloads

Study Notes

WMI Event Consumers

• WMI allows triggers (filters) to be set that when satisfied will run scripts or executables
• Filters can be based on time, service start, user auth, file creation, etc.
• PowerShell or mofcomp.exe can be used for setup
• The PowerShell cmdlet "Get-WmiObject" can identify and help remove suspicious entries

Scheduled Tasks

• Scheduled tasks provide an extremely granular means to create persistence in Windows
• at.exe command has long been a core part of the hacker lexicon
• at.exe jobs originally ran as SYSTEM regardless of the user's privilege level
• The schtasks.exe tool is an upgraded version of at.exe with more features
• Remote capabilities are commonly used for lateral movement and credential dumping
• SUNSPOT implant used a scheduled task for persistence

Malware Signing

• Less than 3% of malware is signed
• The number of "New Malicious Signed Binaries" is low compared to total malware
• Malware signing is predicted to increase over time
• Signed malware is trusted by the operating system and can stay hidden for a longer period
• Drawbacks to signing malware include rapid development and release, and code signing certificates being flagged

Adversary Hiding in Plain Sight

• Common malware names include svchost.exe, iexplore.exe, explorer.exe, lsass.exe, win.exe, and winlogon.exe
• Common malware locations include Temp folders, AppData, $Recycle.Bin, ProgramData, Windows, System32, WinSxS, System Volume Information, and Program Files
• Adversaries often use simple names and locations to blend in with legitimate files

WMI Event Consumer Backdoors

• WMI Event Consumers are frequently used by malware for persistence
• The technique requires three discrete steps: event filter creation, event consumer addition, and binding
• PowerShell or mofcomp.exe can be used for setup
• Event filters can be set up to trigger immediately upon being registered or via virtually any other Windows event

Using PowerShell to Discover Suspicious WMI Events

• PowerShell can be used to discover suspicious WMI events
• The PowerShell cmdlet "Get-WmiObject" can identify and help remove suspicious entries

AutoStart Persistence Locations

• Programs that start automatically at system boot or user logon
• Locations include NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run, SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce, and %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

DLL Hijacking Attacks

• DLL persistence hijacks attack legitimate and legacy features of the Windows operating system
• Search order hijacking is an excellent example
• Adversaries can place a malicious DLL in the same folder as the target executable and trump the search order### DLL Hijacking
• Place malicious file ahead of DLL in search order to hijack DLL loading
• Classic example: Explorer.exe loading bad ntshrui.dll

Phantom DLL Hijacking

• Find DLLs that applications attempt to load, but either don't exist or can be replaced
• Take advantage of old DLLs that applications still try to load, even when unnecessary
• Attackers can create a malicious file with the same name as the old DLL and place it in the search path

DLL Side-Loading

• WinSxS mechanism provides a new version of a legit DLL
• Attackers can abuse the loading mechanism by creating fake DLLs, using relative paths or other shortcuts
• PlugX, NetTraveler, Sakula, Poison Ivy (RATs) are examples of malware that use this technique

Relative Path DLL Hijacking

• Copy susceptible.exe and corresponding bad.dll to location of choice
• Attackers can write permissions to sensitive folders like Windows and Windows\System32 to achieve this
• Alternative approach: copy susceptible executable from a protected folder to a writable location and add a malicious DLL

Living off the Land Binaries (LOLBin)

• Legitimate binaries are increasingly used to evade security tools, allow-listing, and hunting
• Examples of LOLBin include:
  • rundll32.exe "c:\kb4549947:aclui.dll”,DllMain
  • At.exe, Atbroker.exe, Bash.exe, Bitsadmin.exe, Certutil.exe
• The LOLBAS project collects, categorizes, and provides example usage of LOLBin

Mitigations

• Very few viable mitigations for this type of attack
• Microsoft Exploit Protection feature “validate image dependency integrity" is limited in functionality
• AppLocker/Device Guard can be used to limit where DLLs can be loaded, but this approach is only viable for very locked-down systems

Description

Learn about Windows security features, including WMI event consumers and scheduled tasks, used to create persistence and detect suspicious entries.