Windows Security: WMI Event Consumers and Scheduled Tasks

Questions and Answers

What does a MOF file do in the context of WMI?

• Installs antivirus software
• Deletes system logs
• Creates a WMI event filter and consumer (correct)
• Generates random encryption keys

Which tool can be used to identify WMI event filters and consumers?

• Metasploit
• Autoruns (correct)
• Nmap
• Wireshark

What is the purpose of the Get-WmiObject PowerShell cmdlet?

• To back up system files
• To identify and help remove suspicious WMI entries (correct)
• To create encryption keys
• To capture network traffic

What is the name given to the WMI event filter in the provided MOF file?

GenericFilter (C)

Which query language is used in the event filter specified in the MOF file?

WQL (D)

What is the command line template used by the CommandLineEventConsumer in the MOF file?

C:\windows\evil.exe (B)

What is the purpose of the #PRAGMA AUTORECOVER directive in the MOF file?

Ensures the script will recover from errors automatically (B)

Which event is being monitored in the MOF file's event filter?

_InstanceModificationEvent (D)

Which command can be used to schedule tasks on a remote system?

schtasks.exe (A), at.exe (C)

In which directory are .job files for scheduled tasks stored in Windows 7?

C:\Windows\System32\Tasks (B), C:\Windows\Tasks (D)

Which scheduled task utility offers more features and fine control?

schtasks.exe (D)

For which Windows version was a dedicated event log, 'Task Scheduler Operational,' added for logging scheduled tasks?

Windows Vista (A)

Which file records task information in Windows XP?

C:\Windows\Schedlgu.txt (D)

What was the persistence mechanism used by the SUNSPOT malware in the SolarWinds attack?

Scheduled tasks (A)

What type of attacks can remote scheduled tasks aid in?

Credential dumping (C)

Which tool would you use to collect currently scheduled jobs on a Windows system?

Autoruns (A)

What is the percentage range of signed malware according to the McAfee 2019 Threat Report?

1-3% (D)

Which of the following is a benefit of signing malware?

Allows malware to stay hidden longer by being trusted (B)

Why might malware authors avoid signing their malware?

It avoids burning a family of malware if the certificate is revoked (C)

Which of the following strategies is recommended for examining suspicious code?

Initially examining all unsigned code (A)

What percentage of malware samples was typically signed in some quarters?

Less than 1% (B)

What main advantage does signed malware provide for espionage purposes?

Longer undetected presence (C)

Which of the following is NOT a common name for malware?

services.exe (B)

What is a significant drawback of signing malware for rapid development?

Slows down the release process (A)

Which folder is least likely to house malware?

\Documents (B)

Which folder is mentioned as being suspicious for unsigned code?

Windows\System32 folder (B)

What is an example of a common malware tactic to hide its activity?

Process hollowing (B)

Why does the name 'svchost.exe' make for an effective disguise for malware?

It is commonly seen with many instances running (C)

Which location would be suspicious for executable files to run from?

$Recycle.Bin (A)

What feature of a standard Microsoft Windows system contributes to malware's ability to 'hide in plain sight'?

The vast number of files and folders (B)

Which of the following is NOT a common location for malware on Windows systems?

\Users\Public (B)

What tool can provide statistics to help identify trends in malware locations and names?

VirusTotal (C)

What are the three main components needed for setting up a WMI Event Consumer Backdoor?

Event Filter, Event Consumer, Binding (A)

What privilege level do WMI consumers run with?

SYSTEM (D)

What tool can be used to identify and help remove suspicious WMI entries?

Get-WmiObject (C)

Which malware was mentioned as possibly the first to use the WMI Event Consumer Backdoor?

Stuxnet (C)

What is the purpose of the binding component in a WMI Event Consumer backdoor?

To connect the event filter and event consumer (D)

What is a MOF file used for in the context of WMI Event Consumers?

To register new classes into the WMI repository (D)

Which tool was NOT mentioned for setting up WMI Event Consumers?

System Center Configuration Manager (A)

Why is WMI often overlooked by security professionals despite its powerful capabilities?

Because its scope of functionality is not widely recognized (A)

Which PowerShell command can be used to query WMI event filters in the 'root\Subscription' namespace?

Get-WMIObject -Namespace root\Subscription -Class _EventFilter (D)

Why is PowerShell considered an obvious choice for detecting attacks like WMI event consumers?

It provides native support for WMI and easy scalability. (C)

What makes it possible to detect WMI threats without fancy tools?

Basic PowerShell commands (B)

What class should you query with PowerShell to gather WMI event consumers?

_EventConsumer (A)

Which namespace should be queried in addition to 'root\Subscription' to detect WMI event consumers?

root\Default (D)

What is likely the intention behind using non-standard namespaces for WMI event consumers?

Evasion of detection by defenders (D)

When querying WMI classes for detection, what is recommended if you cannot allowlist standard false positives?

Query using a more specific class parameter (D)

Which of the following classes should be queried to bind event filters to consumers?

_FilterToConsumerBinding (B)

What is the main purpose of identifying AutoStart Persistence Locations?

To find programs that start automatically at system boot or user logon. (D)

Which registry key is NOT typically used to automatically start programs when a user logs on?

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (A)

Which of the following mechanisms allows a new version of a legitimate DLL to be provided?

DLL Side-Loading (B)

What would be the likely consequence of modifying the Userinit registry key to include a malicious binary?

The malicious binary would execute at boot. (B)

Which of the following describes why the %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup location is used by attackers?

Creating persistence here does not require administrator rights. (C)

What is the main characteristic of Phantom DLL Hijacking?

Replacing or creating DLLs that applications attempt to load but either don't exist or can be replaced (C)

Which option is not part of the typical DLL search order with SafeDllSearchMode enabled?

Network location (D)

Which AutoStart Persistence Location is located in the file system rather than the registry?

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (D)

What is the significance of the 'run' registry keys according to the content?

They execute items when a user logs on. (B)

What is the known vulnerability related to the Windows desktop Explorer.exe?

Loading an unprotected DLL named ntshrui.dll (D)

Why is analyzing AutoStart data across many systems useful?

To identify potentially compromised systems. (A)

What is a method to discover DLL hijacking attacks?

Performing file system forensic analysis (C)

Which of the following RATs is associated with DLL Side-Loading?

NetTraveler (C)

What is a common use case for the 'RunOnce' registry keys?

To ensure specific tasks run only once at user logon. (D)

Which DLL Hijacking method involves copying susceptible.exe and corresponding bad.dll to a location of choice?

Relative Path DLL Hijacking (C)

Which location is NOT part of the registry?

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (B)

What is the first location checked in the DLL search order on modern systems with SafeDllSearchMode enabled?

DLLs already loaded in memory (A)

What does 'ASEP' stand for in the context of Windows security?

AutoStart Extension Points (A)

What is the main tactic used in phantom DLL hijacking?

Creating a malicious file with the same name as an old DLL and placing it in the search path (B)

What is DLL side-loading typically used to exploit?

Windows side-by-side (SxS) DLL loading mechanism (D)

Which of the following is a characteristic of relative path DLL hijacking?

Involves writing permissions to sensitive folders like Windows\System32 (C)

Which mitigation strategy focuses on the use of signed DLLs?

Validate image dependency integrity (D)

What is the role of AppLocker/Device Guard in mitigating DLL attacks?

It limits where DLLs can be loaded (A)

Why is the SxS functionality vulnerable to abuse?

It allows loading updated DLLs with few validity checks (B)

What does the term 'bring your own executable' refer to in the context of DLL hijacking?

Copying a susceptible executable to a writable location and adding a malicious DLL (D)

Which feature of Microsoft Exploit Protection is mentioned as a limited mitigation?

Validate image dependency integrity (B)

What is the primary reason legitimate binaries are used in attacks?

They can evade security tools and allow-listing (A)

Which binary is used to execute commands and bypass application whitelisting?

Bash.exe (D)

What function does Bitsadmin.exe NOT perform?

Encode (C)

What makes rundll32.exe difficult to detect when used illegitimately?

It requires specific arguments and a DLL function name (D)

Which project collects, categorizes, and provides example usage of legitimate Windows binaries abused by attackers?

LOLBAS (B)

Why has there been an increase in the usage of native Windows tools for malicious purposes?

Host-based security tools have improved in detecting and preventing unsigned malicious code (C)

What is a key indicator that rundll32.exe might be used for malicious purposes?

It executes a DLL from an alternate data stream (C)

What additional information do defenders need to distinguish between legitimate and illegitimate executions of rundll32.exe?

Full command line and arguments (C)

Why are native Windows tools being creatively repurposed by attackers?

To mimic legitimate administrative activities (B)

What specific use case of Certutil.exe is commonly seen?

Downloading files and decoding obfuscated payloads (B)

Flashcards are hidden until you start studying

Study Notes

WMI Event Consumers

• WMI allows triggers (filters) to be set that when satisfied will run scripts or executables
• Filters can be based on time, service start, user auth, file creation, etc.
• PowerShell or mofcomp.exe can be used for setup
• The PowerShell cmdlet "Get-WmiObject" can identify and help remove suspicious entries

Scheduled Tasks

• Scheduled tasks provide an extremely granular means to create persistence in Windows
• at.exe command has long been a core part of the hacker lexicon
• at.exe jobs originally ran as SYSTEM regardless of the user's privilege level
• The schtasks.exe tool is an upgraded version of at.exe with more features
• Remote capabilities are commonly used for lateral movement and credential dumping
• SUNSPOT implant used a scheduled task for persistence

Malware Signing

• Less than 3% of malware is signed
• The number of "New Malicious Signed Binaries" is low compared to total malware
• Malware signing is predicted to increase over time
• Signed malware is trusted by the operating system and can stay hidden for a longer period
• Drawbacks to signing malware include rapid development and release, and code signing certificates being flagged

Adversary Hiding in Plain Sight

• Common malware names include svchost.exe, iexplore.exe, explorer.exe, lsass.exe, win.exe, and winlogon.exe
• Common malware locations include Temp folders, AppData, $Recycle.Bin, ProgramData, Windows, System32, WinSxS, System Volume Information, and Program Files
• Adversaries often use simple names and locations to blend in with legitimate files

WMI Event Consumer Backdoors

• WMI Event Consumers are frequently used by malware for persistence
• The technique requires three discrete steps: event filter creation, event consumer addition, and binding
• PowerShell or mofcomp.exe can be used for setup
• Event filters can be set up to trigger immediately upon being registered or via virtually any other Windows event

Using PowerShell to Discover Suspicious WMI Events

• PowerShell can be used to discover suspicious WMI events
• The PowerShell cmdlet "Get-WmiObject" can identify and help remove suspicious entries

AutoStart Persistence Locations

• Programs that start automatically at system boot or user logon
• Locations include NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run, SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce, and %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

DLL Hijacking Attacks

• DLL persistence hijacks attack legitimate and legacy features of the Windows operating system
• Search order hijacking is an excellent example
• Adversaries can place a malicious DLL in the same folder as the target executable and trump the search order### DLL Hijacking
• Place malicious file ahead of DLL in search order to hijack DLL loading
• Classic example: Explorer.exe loading bad ntshrui.dll

Phantom DLL Hijacking

• Find DLLs that applications attempt to load, but either don't exist or can be replaced
• Take advantage of old DLLs that applications still try to load, even when unnecessary
• Attackers can create a malicious file with the same name as the old DLL and place it in the search path

DLL Side-Loading

• WinSxS mechanism provides a new version of a legit DLL
• Attackers can abuse the loading mechanism by creating fake DLLs, using relative paths or other shortcuts
• PlugX, NetTraveler, Sakula, Poison Ivy (RATs) are examples of malware that use this technique

Relative Path DLL Hijacking

• Copy susceptible.exe and corresponding bad.dll to location of choice
• Attackers can write permissions to sensitive folders like Windows and Windows\System32 to achieve this
• Alternative approach: copy susceptible executable from a protected folder to a writable location and add a malicious DLL

Living off the Land Binaries (LOLBin)

• Legitimate binaries are increasingly used to evade security tools, allow-listing, and hunting
• Examples of LOLBin include:
  • rundll32.exe "c:\kb4549947:aclui.dll”,DllMain
  • At.exe, Atbroker.exe, Bash.exe, Bitsadmin.exe, Certutil.exe
• The LOLBAS project collects, categorizes, and provides example usage of LOLBin

Mitigations

• Very few viable mitigations for this type of attack
• Microsoft Exploit Protection feature “validate image dependency integrity" is limited in functionality
• AppLocker/Device Guard can be used to limit where DLLs can be loaded, but this approach is only viable for very locked-down systems