Windows Security: WMI Event Consumers and Scheduled Tasks
84 Questions
2 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What does a MOF file do in the context of WMI?

  • Installs antivirus software
  • Deletes system logs
  • Creates a WMI event filter and consumer (correct)
  • Generates random encryption keys
  • Which tool can be used to identify WMI event filters and consumers?

  • Metasploit
  • Autoruns (correct)
  • Nmap
  • Wireshark
  • What is the purpose of the Get-WmiObject PowerShell cmdlet?

  • To back up system files
  • To identify and help remove suspicious WMI entries (correct)
  • To create encryption keys
  • To capture network traffic
  • What is the name given to the WMI event filter in the provided MOF file?

    <p>GenericFilter</p> Signup and view all the answers

    Which query language is used in the event filter specified in the MOF file?

    <p>WQL</p> Signup and view all the answers

    What is the command line template used by the CommandLineEventConsumer in the MOF file?

    <p>C:\windows\evil.exe</p> Signup and view all the answers

    What is the purpose of the #PRAGMA AUTORECOVER directive in the MOF file?

    <p>Ensures the script will recover from errors automatically</p> Signup and view all the answers

    Which event is being monitored in the MOF file's event filter?

    <p>_InstanceModificationEvent</p> Signup and view all the answers

    Which command can be used to schedule tasks on a remote system?

    <p>schtasks.exe</p> Signup and view all the answers

    In which directory are .job files for scheduled tasks stored in Windows 7?

    <p>C:\Windows\System32\Tasks</p> Signup and view all the answers

    Which scheduled task utility offers more features and fine control?

    <p>schtasks.exe</p> Signup and view all the answers

    For which Windows version was a dedicated event log, 'Task Scheduler Operational,' added for logging scheduled tasks?

    <p>Windows Vista</p> Signup and view all the answers

    Which file records task information in Windows XP?

    <p>C:\Windows\Schedlgu.txt</p> Signup and view all the answers

    What was the persistence mechanism used by the SUNSPOT malware in the SolarWinds attack?

    <p>Scheduled tasks</p> Signup and view all the answers

    What type of attacks can remote scheduled tasks aid in?

    <p>Credential dumping</p> Signup and view all the answers

    Which tool would you use to collect currently scheduled jobs on a Windows system?

    <p>Autoruns</p> Signup and view all the answers

    What is the percentage range of signed malware according to the McAfee 2019 Threat Report?

    <p>1-3%</p> Signup and view all the answers

    Which of the following is a benefit of signing malware?

    <p>Allows malware to stay hidden longer by being trusted</p> Signup and view all the answers

    Why might malware authors avoid signing their malware?

    <p>It avoids burning a family of malware if the certificate is revoked</p> Signup and view all the answers

    Which of the following strategies is recommended for examining suspicious code?

    <p>Initially examining all unsigned code</p> Signup and view all the answers

    What percentage of malware samples was typically signed in some quarters?

    <p>Less than 1%</p> Signup and view all the answers

    What main advantage does signed malware provide for espionage purposes?

    <p>Longer undetected presence</p> Signup and view all the answers

    Which of the following is NOT a common name for malware?

    <p>services.exe</p> Signup and view all the answers

    What is a significant drawback of signing malware for rapid development?

    <p>Slows down the release process</p> Signup and view all the answers

    Which folder is least likely to house malware?

    <p>\Documents</p> Signup and view all the answers

    Which folder is mentioned as being suspicious for unsigned code?

    <p>Windows\System32 folder</p> Signup and view all the answers

    What is an example of a common malware tactic to hide its activity?

    <p>Process hollowing</p> Signup and view all the answers

    Why does the name 'svchost.exe' make for an effective disguise for malware?

    <p>It is commonly seen with many instances running</p> Signup and view all the answers

    Which location would be suspicious for executable files to run from?

    <p>$Recycle.Bin</p> Signup and view all the answers

    What feature of a standard Microsoft Windows system contributes to malware's ability to 'hide in plain sight'?

    <p>The vast number of files and folders</p> Signup and view all the answers

    Which of the following is NOT a common location for malware on Windows systems?

    <p>\Users\Public</p> Signup and view all the answers

    What tool can provide statistics to help identify trends in malware locations and names?

    <p>VirusTotal</p> Signup and view all the answers

    What are the three main components needed for setting up a WMI Event Consumer Backdoor?

    <p>Event Filter, Event Consumer, Binding</p> Signup and view all the answers

    What privilege level do WMI consumers run with?

    <p>SYSTEM</p> Signup and view all the answers

    What tool can be used to identify and help remove suspicious WMI entries?

    <p>Get-WmiObject</p> Signup and view all the answers

    Which malware was mentioned as possibly the first to use the WMI Event Consumer Backdoor?

    <p>Stuxnet</p> Signup and view all the answers

    What is the purpose of the binding component in a WMI Event Consumer backdoor?

    <p>To connect the event filter and event consumer</p> Signup and view all the answers

    What is a MOF file used for in the context of WMI Event Consumers?

    <p>To register new classes into the WMI repository</p> Signup and view all the answers

    Which tool was NOT mentioned for setting up WMI Event Consumers?

    <p>System Center Configuration Manager</p> Signup and view all the answers

    Why is WMI often overlooked by security professionals despite its powerful capabilities?

    <p>Because its scope of functionality is not widely recognized</p> Signup and view all the answers

    Which PowerShell command can be used to query WMI event filters in the 'root\Subscription' namespace?

    <p>Get-WMIObject -Namespace root\Subscription -Class _EventFilter</p> Signup and view all the answers

    Why is PowerShell considered an obvious choice for detecting attacks like WMI event consumers?

    <p>It provides native support for WMI and easy scalability.</p> Signup and view all the answers

    What makes it possible to detect WMI threats without fancy tools?

    <p>Basic PowerShell commands</p> Signup and view all the answers

    What class should you query with PowerShell to gather WMI event consumers?

    <p>_EventConsumer</p> Signup and view all the answers

    Which namespace should be queried in addition to 'root\Subscription' to detect WMI event consumers?

    <p>root\Default</p> Signup and view all the answers

    What is likely the intention behind using non-standard namespaces for WMI event consumers?

    <p>Evasion of detection by defenders</p> Signup and view all the answers

    When querying WMI classes for detection, what is recommended if you cannot allowlist standard false positives?

    <p>Query using a more specific class parameter</p> Signup and view all the answers

    Which of the following classes should be queried to bind event filters to consumers?

    <p>_FilterToConsumerBinding</p> Signup and view all the answers

    What is the main purpose of identifying AutoStart Persistence Locations?

    <p>To find programs that start automatically at system boot or user logon.</p> Signup and view all the answers

    Which registry key is NOT typically used to automatically start programs when a user logs on?

    <p>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</p> Signup and view all the answers

    Which of the following mechanisms allows a new version of a legitimate DLL to be provided?

    <p>DLL Side-Loading</p> Signup and view all the answers

    What would be the likely consequence of modifying the Userinit registry key to include a malicious binary?

    <p>The malicious binary would execute at boot.</p> Signup and view all the answers

    Which of the following describes why the %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup location is used by attackers?

    <p>Creating persistence here does not require administrator rights.</p> Signup and view all the answers

    What is the main characteristic of Phantom DLL Hijacking?

    <p>Replacing or creating DLLs that applications attempt to load but either don't exist or can be replaced</p> Signup and view all the answers

    Which option is not part of the typical DLL search order with SafeDllSearchMode enabled?

    <p>Network location</p> Signup and view all the answers

    Which AutoStart Persistence Location is located in the file system rather than the registry?

    <p>%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</p> Signup and view all the answers

    What is the significance of the 'run' registry keys according to the content?

    <p>They execute items when a user logs on.</p> Signup and view all the answers

    What is the known vulnerability related to the Windows desktop Explorer.exe?

    <p>Loading an unprotected DLL named ntshrui.dll</p> Signup and view all the answers

    Why is analyzing AutoStart data across many systems useful?

    <p>To identify potentially compromised systems.</p> Signup and view all the answers

    What is a method to discover DLL hijacking attacks?

    <p>Performing file system forensic analysis</p> Signup and view all the answers

    Which of the following RATs is associated with DLL Side-Loading?

    <p>NetTraveler</p> Signup and view all the answers

    What is a common use case for the 'RunOnce' registry keys?

    <p>To ensure specific tasks run only once at user logon.</p> Signup and view all the answers

    Which DLL Hijacking method involves copying susceptible.exe and corresponding bad.dll to a location of choice?

    <p>Relative Path DLL Hijacking</p> Signup and view all the answers

    Which location is NOT part of the registry?

    <p>%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</p> Signup and view all the answers

    What is the first location checked in the DLL search order on modern systems with SafeDllSearchMode enabled?

    <p>DLLs already loaded in memory</p> Signup and view all the answers

    What does 'ASEP' stand for in the context of Windows security?

    <p>AutoStart Extension Points</p> Signup and view all the answers

    What is the main tactic used in phantom DLL hijacking?

    <p>Creating a malicious file with the same name as an old DLL and placing it in the search path</p> Signup and view all the answers

    What is DLL side-loading typically used to exploit?

    <p>Windows side-by-side (SxS) DLL loading mechanism</p> Signup and view all the answers

    Which of the following is a characteristic of relative path DLL hijacking?

    <p>Involves writing permissions to sensitive folders like Windows\System32</p> Signup and view all the answers

    Which mitigation strategy focuses on the use of signed DLLs?

    <p>Validate image dependency integrity</p> Signup and view all the answers

    What is the role of AppLocker/Device Guard in mitigating DLL attacks?

    <p>It limits where DLLs can be loaded</p> Signup and view all the answers

    Why is the SxS functionality vulnerable to abuse?

    <p>It allows loading updated DLLs with few validity checks</p> Signup and view all the answers

    What does the term 'bring your own executable' refer to in the context of DLL hijacking?

    <p>Copying a susceptible executable to a writable location and adding a malicious DLL</p> Signup and view all the answers

    Which feature of Microsoft Exploit Protection is mentioned as a limited mitigation?

    <p>Validate image dependency integrity</p> Signup and view all the answers

    What is the primary reason legitimate binaries are used in attacks?

    <p>They can evade security tools and allow-listing</p> Signup and view all the answers

    Which binary is used to execute commands and bypass application whitelisting?

    <p>Bash.exe</p> Signup and view all the answers

    What function does Bitsadmin.exe NOT perform?

    <p>Encode</p> Signup and view all the answers

    What makes rundll32.exe difficult to detect when used illegitimately?

    <p>It requires specific arguments and a DLL function name</p> Signup and view all the answers

    Which project collects, categorizes, and provides example usage of legitimate Windows binaries abused by attackers?

    <p>LOLBAS</p> Signup and view all the answers

    Why has there been an increase in the usage of native Windows tools for malicious purposes?

    <p>Host-based security tools have improved in detecting and preventing unsigned malicious code</p> Signup and view all the answers

    What is a key indicator that rundll32.exe might be used for malicious purposes?

    <p>It executes a DLL from an alternate data stream</p> Signup and view all the answers

    What additional information do defenders need to distinguish between legitimate and illegitimate executions of rundll32.exe?

    <p>Full command line and arguments</p> Signup and view all the answers

    Why are native Windows tools being creatively repurposed by attackers?

    <p>To mimic legitimate administrative activities</p> Signup and view all the answers

    What specific use case of Certutil.exe is commonly seen?

    <p>Downloading files and decoding obfuscated payloads</p> Signup and view all the answers

    Study Notes

    WMI Event Consumers

    • WMI allows triggers (filters) to be set that when satisfied will run scripts or executables
    • Filters can be based on time, service start, user auth, file creation, etc.
    • PowerShell or mofcomp.exe can be used for setup
    • The PowerShell cmdlet "Get-WmiObject" can identify and help remove suspicious entries

    Scheduled Tasks

    • Scheduled tasks provide an extremely granular means to create persistence in Windows
    • at.exe command has long been a core part of the hacker lexicon
    • at.exe jobs originally ran as SYSTEM regardless of the user's privilege level
    • The schtasks.exe tool is an upgraded version of at.exe with more features
    • Remote capabilities are commonly used for lateral movement and credential dumping
    • SUNSPOT implant used a scheduled task for persistence

    Malware Signing

    • Less than 3% of malware is signed
    • The number of "New Malicious Signed Binaries" is low compared to total malware
    • Malware signing is predicted to increase over time
    • Signed malware is trusted by the operating system and can stay hidden for a longer period
    • Drawbacks to signing malware include rapid development and release, and code signing certificates being flagged

    Adversary Hiding in Plain Sight

    • Common malware names include svchost.exe, iexplore.exe, explorer.exe, lsass.exe, win.exe, and winlogon.exe
    • Common malware locations include Temp folders, AppData, $Recycle.Bin, ProgramData, Windows, System32, WinSxS, System Volume Information, and Program Files
    • Adversaries often use simple names and locations to blend in with legitimate files

    WMI Event Consumer Backdoors

    • WMI Event Consumers are frequently used by malware for persistence
    • The technique requires three discrete steps: event filter creation, event consumer addition, and binding
    • PowerShell or mofcomp.exe can be used for setup
    • Event filters can be set up to trigger immediately upon being registered or via virtually any other Windows event

    Using PowerShell to Discover Suspicious WMI Events

    • PowerShell can be used to discover suspicious WMI events
    • The PowerShell cmdlet "Get-WmiObject" can identify and help remove suspicious entries

    AutoStart Persistence Locations

    • Programs that start automatically at system boot or user logon
    • Locations include NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run, SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce, and %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    DLL Hijacking Attacks

    • DLL persistence hijacks attack legitimate and legacy features of the Windows operating system
    • Search order hijacking is an excellent example
    • Adversaries can place a malicious DLL in the same folder as the target executable and trump the search order### DLL Hijacking
    • Place malicious file ahead of DLL in search order to hijack DLL loading
    • Classic example: Explorer.exe loading bad ntshrui.dll

    Phantom DLL Hijacking

    • Find DLLs that applications attempt to load, but either don't exist or can be replaced
    • Take advantage of old DLLs that applications still try to load, even when unnecessary
    • Attackers can create a malicious file with the same name as the old DLL and place it in the search path

    DLL Side-Loading

    • WinSxS mechanism provides a new version of a legit DLL
    • Attackers can abuse the loading mechanism by creating fake DLLs, using relative paths or other shortcuts
    • PlugX, NetTraveler, Sakula, Poison Ivy (RATs) are examples of malware that use this technique

    Relative Path DLL Hijacking

    • Copy susceptible.exe and corresponding bad.dll to location of choice
    • Attackers can write permissions to sensitive folders like Windows and Windows\System32 to achieve this
    • Alternative approach: copy susceptible executable from a protected folder to a writable location and add a malicious DLL

    Living off the Land Binaries (LOLBin)

    • Legitimate binaries are increasingly used to evade security tools, allow-listing, and hunting
    • Examples of LOLBin include:
      • rundll32.exe "c:\kb4549947:aclui.dll”,DllMain
      • At.exe, Atbroker.exe, Bash.exe, Bitsadmin.exe, Certutil.exe
    • The LOLBAS project collects, categorizes, and provides example usage of LOLBin

    Mitigations

    • Very few viable mitigations for this type of attack
    • Microsoft Exploit Protection feature “validate image dependency integrity" is limited in functionality
    • AppLocker/Device Guard can be used to limit where DLLs can be loaded, but this approach is only viable for very locked-down systems

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Description

    Learn about Windows security features, including WMI event consumers and scheduled tasks, used to create persistence and detect suspicious entries.

    More Like This

    Update and Security Settings Quiz
    6 questions
    Windows Password Hashing and Security
    29 questions
    Windows Security Flashcards
    20 questions
    Use Quizgecko on...
    Browser
    Browser