
Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs

Conference:  Black Hat USA 2022

2022-08-10

Summary

WMI-based User-Space Attacks Blind SIEMs and EDRs
  • Windows Management Instrumentation (WMI) is a built-in feature designed to manage enterprise infrastructure and provide detailed diagnostics: hardware, firmware, software, and configurations both locally and remotely.
  • WMI is deeply integrated into Windows user-mode applications and kernel drivers and exposes rich information about the computing environment. Its event filters, consumers, and filter-to-consumer bindings let a subscriber receive notifications about important OS events.
  • WMI is vulnerable by design: the same features are leveraged for malware persistence and arbitrary code execution, and malware can also disable WMI outright, which makes every defense solution that depends on it useless.
  • The core vulnerability is that the DLLs loaded into the WMI core process (WinMgmt) use internal 'flags' to gate WMI operations. An attacker who modifies these flags in memory can block access to WMI. There are no built-in features to block these attacks or to repair WMI afterwards.
  • Our Security Sensor detects such attacks by inspecting the memory of the WMI core service and can also disclose other attacks on Windows OS components, including privilege escalation, token hijacking, and ETW blinding.
  • Existing tools such as WMICheck and MemoryRanger can detect and prevent some of the attacks presented in this talk.
At Black Hat Europe 2021, the Binarly team publicly showed how to blind an entire class of endpoint security products by disabling ETW. Their current research focus is WMI, which allows event filtering without registering kernel callbacks. WMI is critical for solutions such as EDRs, AVs, and SIEMs. However, WMI is vulnerable by design: it is leveraged for malware persistence and arbitrary code execution, and malware can disable WMI, making these defense solutions useless.
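The bullets above describe two things an attacker can take away from a WMI-based sensor: installing new event filters and receiving new OS events. The following PowerShell script is an added example, not code from the talk or from Binarly; it exercises exactly those capabilities from a defender's side (service state, a synchronous query, a temporary event filter, and delivery of an event for a process we start ourselves) and reports which of them WinMgmt still serves. The source identifier `WmiCanary`, the timeout, and the canary command are my own choices.

```powershell
# Added example, not code from the Binarly talk: exercise the WMI features a
# defender relies on and report which of them WinMgmt still serves.
# Requires Windows; the event part only needs read access to root\cimv2.
# The source identifier, timeout and canary command are my own choices.

function Test-WmiHealth {
    param([int]$TimeoutSeconds = 10)

    $result = [ordered]@{ Service = $false; Query = $false; Filter = $false; Event = $false }

    # 1. Is the WMI core service itself running?
    $svc = Get-Service -Name 'Winmgmt' -ErrorAction SilentlyContinue
    $result.Service = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. Does a plain synchronous query still return data?
    try {
        $os = Get-CimInstance -Namespace 'root\cimv2' -ClassName Win32_OperatingSystem -ErrorAction Stop
        $result.Query = ($null -ne $os)
    } catch { $result.Query = $false }

    # 3. Can we still install an event filter? This is a temporary, in-process
    #    subscription (nothing is written to root\subscription): the WQL query
    #    is the filter and this PowerShell session is the consumer.
    $sourceId = 'WmiCanary'
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
    $canary = $null
    try {
        Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
            -SourceIdentifier $sourceId -ErrorAction Stop
        $result.Filter = $true

        # 4. Does an event actually arrive? Start a process that lives a few
        #    seconds so the 1-second polling interval of the intrinsic event
        #    cannot miss it, then wait for its creation event.
        $canary = Start-Process -FilePath 'cmd.exe' `
            -ArgumentList '/c timeout /t 5 /nobreak >nul' `
            -WindowStyle Hidden -PassThru
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while (-not $result.Event -and (Get-Date) -lt $deadline) {
            $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 2
            if ($null -eq $evt) { continue }
            $proc = $evt.SourceEventArgs.NewEvent.TargetInstance
            if ($proc.ProcessId -eq $canary.Id) { $result.Event = $true }
            Remove-Event -EventIdentifier $evt.EventIdentifier
        }
    } catch {
        # Register-CimIndicationEvent failing means new filters are refused.
        Write-Verbose "Filter registration failed: $_"
    } finally {
        Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
        Get-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue | Remove-Event
        if ($canary -and -not $canary.HasExited) {
            Stop-Process -Id $canary.Id -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]$result
}

$health = Test-WmiHealth
$health
if ($health.Service -and $health.Query -and -not $health.Event) {
    # The service is up and answers queries, yet delivers no events: the state
    # an event-driven sensor cannot tell apart from "nothing happened".
    Write-Warning 'WMI answers queries but delivers no events: event-based telemetry is blind'
}
```

The interesting outcome is the last one: a service that is running and answers queries but never delivers the creation event. A sensor that only checks service state or the return code of its subscription call will keep reporting itself healthy in that state, which is why the talk argues for inspecting WinMgmt's memory rather than trusting its API surface. `__InstanceCreationEvent WITHIN 1` is an intrinsic, polled event that any user can subscribe to; the extrinsic `Win32_ProcessStartTrace` event avoids polling but needs an elevated session.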

Abstract

Security solution engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind. At Black Hat Europe 2021, we publicly showed how to blind an entire class of endpoint security products by disabling ETW. Our current research focus is Windows Management Instrumentation (WMI), a mechanism that allows filtering without registering kernel callbacks.

WMI is a built-in feature designed to manage enterprise infrastructure and provide detailed diagnostics: hardware, firmware, software, and configurations both locally and remotely. WMI is deeply integrated into Windows user-mode apps and kernel drivers. WMI provides rich information about the computing environment, which allows monitoring via event filters, consumers, and bindings to get notifications about important OS events. These features make WMI critical for solutions such as EDRs, AVs, and SIEMs.

The bad news: WMI is vulnerable by design, since it is leveraged for malware persistence (APT41, FIN6) and arbitrary code execution (APT29, Stuxnet). Malware countermeasures can disable WMI, making these defense solutions useless. We will provide an analysis of the WMI architecture by reversing user-mode variables and functions from DLLs to demonstrate several new user-mode attacks.

The core vulnerability of WMI is that the DLLs loaded into the WMI core process (WinMgmt) leverage "flags" to perform WMI operations. Attackers can block access to WMI (receiving new OS events, installing new WMI filters) by modifying these flags. There are no built-in features to block these attacks or repair WMI. Our Security Sensor detects such attacks by inspecting the memory of the WMI core service and can disclose other attacks on Windows OS components, including privilege escalation, token hijacking, and ETW blinding.

These attacks impact all versions of Windows, because they target the design of WMI's core features rather than a version-specific bug.
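The abstract notes that the same subscription machinery defenders rely on is what APT41 and FIN6 used for persistence: a permanent `__EventFilter`, an `__EventConsumer` that runs code, and a `__FilterToConsumerBinding` tying them together in `root\subscription`. The script below is an added example, not code from the talk or from Binarly; it enumerates those bindings and flags the consumer classes that execute attacker-supplied code. The list of "code-executing" consumer classes and the output shape are my own; reading `root\subscription` normally requires an elevated session.

```powershell
# Added example, not code from the Binarly talk: enumerate permanent WMI
# event subscriptions in root\subscription and flag consumers that run code.
# Requires Windows and, on most systems, an elevated session.
# The risky-consumer list and output shape are my own choices.

function Get-RefName {
    # A reference property is a CimInstance (CIM cmdlets) carrying the key,
    # or a path string such as __EventFilter.Name="X" (WMI cmdlets / older
    # objects). Return the referenced object's Name in either case.
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiPersistence {
    $ns = 'root\subscription'

    # Consumer classes that execute code when the bound filter fires.
    $codeExecConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $filter   = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        # Matching on Name only: consumer names are unique enough for hunting.
        $consumer = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        $class = if ($consumer) { $consumer.CimClass.CimClassName } else { '' }
        # What the consumer will actually run, by consumer type.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
            default                     { '' }
        }

        [pscustomobject]@{
            FilterName    = $filterName
            FilterQuery   = if ($filter) { $filter.Query } else { '<dangling reference>' }
            ConsumerName  = $consumerName
            ConsumerClass = $class
            Payload       = $payload
            ExecutesCode  = ($codeExecConsumers -contains $class)
        }
    }
}

# Everything that is bound to a code-executing consumer deserves a look.
Get-WmiPersistence | Where-Object ExecutesCode | Format-List
```

On a stock Windows install the only binding you should expect is `SCM Event Log Filter` bound to `SCM Event Log Consumer` (an `NTEventLogEventConsumer`, which writes to the event log rather than executing anything), so any `CommandLineEventConsumer` or `ActiveScriptEventConsumer` is worth reading in full, along with the filter's WQL, which tells you the trigger (boot, logon, a timer, a process start). Note the asymmetry the talk highlights: this hunt itself goes through WinMgmt, so an attacker who has flipped the flags that gate query handling can make the namespace appear empty.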
