Friday, June 9, 2017

GHOSTS IN THE WMI


Cybercriminals and APT actors know very well that once security researchers discover files, registry entries and other attacker traces, the operation is disrupted and a valuable toolkit is burned. Having a malware sample in hand gives researchers a lot of important information on how an attack was conducted, what the threat actor may have touched, and sometimes even the C2 infrastructure and other data that can lead to attribution. When no sample is available, however, investigation and forensics become an extremely tricky task. That is why fileless malware is becoming more and more popular among high profile APT actors.

One of the methods for achieving this goal is the WMI mechanism built into each version of Windows since Windows 95. WMI is a powerful mechanism that gives administrators the ability to manage Windows hosts in the network both locally and remotely. For fileless malware, WMI is an attractive choice for three reasons: the attacker instantly knows everything about the victim's machine, can execute code in response to any event in the system and, most importantly, WMI objects are stored in a special database, so there is no file to scan.

Most likely, the first known example of WMI usage in an APT attack was Stuxnet. Since then these techniques have been used quite rarely by attackers, but each year we discover new methods based on WMI. In 2016 we had several cases of targeted attacks where WMI was used to perform fileless intrusions in high profile target networks. This presentation will go through several real world cases where WMI malware was used, take a look at the attackers' arsenal of tricks, and discuss how to detect and protect against such things.
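Because the persistence objects described above live in the WMI repository rather than on disk, a defender looks for them by enumerating the repository itself. The following PowerShell is an added example (not code from the abstract or from Kaspersky Lab): it lists every permanent event filter, consumer and binding in the root\subscription namespace, which is where event-driven code execution is registered, so an analyst can review what will fire and what it will run.

```powershell
# Added example: inventory permanent WMI event subscriptions (root\subscription).
# Run in an elevated PowerShell session on the host being examined.
$ns = 'root\subscription'

Write-Host '=== Event filters (what triggers) ==='
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, QueryLanguage, Query |
    Format-List

Write-Host '=== Command-line consumers (what gets executed) ==='
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
    Select-Object Name, ExecutablePath, CommandLineTemplate |
    Format-List

Write-Host '=== Script consumers (inline VBScript/JScript) ==='
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptFileName, ScriptText |
    Format-List

Write-Host '=== Filter-to-consumer bindings (which filter fires which consumer) ==='
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer |
    Format-List
```

On a host with no legitimate management tooling the three lists are usually short or empty, so any consumer whose template or script text is not accounted for deserves a closer look; the same queries can be captured from a clean baseline and diffed to spot new subscriptions.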
by Kaspersky Lab via Endless Supplies .Us - Brands
