Blinding Endpoint Security Solutions: WMI attack vectors

Claudiu Teodorescu

Abstract :

WMI provides tremendous opportunities for various EDR/AV/SIEM and malware sandbox solutions for hunting threats. It is crucial to understand the attacks on WMI because these attack vectors disable a whole class of security solutions that rely on such telemetry. This new research will showcase several never-seen attacks on WMI, involving user and kernel mode attack vectors. This continues the research presented at Black Hat USA 2022 where the Binarly team already presented eight attacks on WMI ecosystem. The following attacks are based on patching user-mode memory flags from WMI DLLs: - The first attack is based on patching wbemcore!CRepository::m_pEseSession variable. Previously registered callback routines continue receiving events. All attempts to connect to the WMI infrastructure fail with 0x8004100A error code. - The second attack is based tampering with wbemcore!CRepository::m_pEseRoot. As a result, access to the WMI will be blocked. - The third attack is based on patching wbemcomm!CWbemInstallObject::m_bOffline flag. As a result, all attempts to connect to the WMI infrastructure fail with 0x80041001 error code.

One more vector of attack on WMI is to manipulate ALPC handles that are used to transport WMI events and control WMI clients: - Closing ALPC handles of the WMI clients results in preventing them from receiving new WMI events. - Closing ALPC handle for the WMI service (winmgmt) results in stopping receiving events for all previously registered callback routines. All attempts to connect to the WMI infrastructure fail with 0x800706BF error code.

Both types of attacks on WMI demonstrate that self-protection mechanisms of WMI are inadequate for advanced attacks. WmiCheck is a new security tool that detects various attacks on the OS, including the new ones covered in this talk. This tool will be presented and made publicly available. Finally, the analysis of the weaknesses of WMI architecture and finding a reliable solution for collecting OS events will become a group discussion.

Speaker:  Claudiu Teodorescu

Claudiu Teodorescu is CTO AND Co-founder of Binarly, a Los Angeles based device security startup. He has an extensive background in Computer Forensics, Cryptography, Reverse Engineering, and Program Analysis.

While at Cylance, he focused on program analysis to augment the ML models feature space with code-specific artifacts. Prior to Cylance, Claudiu worked for FireEye, in the FLARE (FireEye Labs Advanced Reverse Engineering) team as a Sr. Reverse Engineer, leading research projects such as WMI and Application Compatibility based malware persistence, Windows 10 RAM page compression, and also serving as an instructor of FLARE’s Advanced Malware Analysis course (Black Hat USA 2015, 2016).

Claudiu is the author of the WMI-parser tool to help IR teams forensically identify malware persistence.