WMI Commands


  • Get-WmiObject -Class Win32_Product
    • Gets a listing of all the installed software on a machine.
  • Get-WmiObject -Class Win32_Account
    • Gets a listing of all the user accounts.
  • Get-WmiObject -Class Win32_BIOS
    • Often used by malware to determine whether the host is a virtual machine.
  • Set up a remote Windows command
    • $command = 'ipconfig /all >> "c:\users\all users\desktop\results.txt"'
    • $cmd = "cmd.exe /c $command"
    • Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $cmd -ComputerName Desktopname
  • wmic /node:172.16.27.38 process call create "cmd.exe /c /net user dude /add"
    • Uses WMIC to add a user on a remote machine.




PowerShell Fun

  • Link Ref
    • Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList cmd.exe
    • Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="notepad.exe"}




One Attack Example

  1. From a PowerShell command prompt, the attacker launches WMIC with the intent of creating a process on the remote machine and adding a user to that remote machine.
    1. wmic /node:172.16.27.38 process call create "cmd.exe /c /net user dude /add"
  2. On the remote machine, wmiprvse.exe receives the call and runs the commands. To find this attack in Carbon Black, check out this search:
    1. process_name:cmd.exe AND parent_name:wmiprvse.exe AND childproc_name:net.exe AND cmdline:user
    2. Event IDs on the remote machine are:
      1. 4720; 4722; 4738; 4732

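The process-tree search and the account Event IDs above can be correlated in one small script. This is an added example, not code from the original page; the telemetry and Security log entries are constructed sample data using the Carbon Black field names, and the host names, timestamps and the `correlate` helper are assumptions.

```python
from datetime import datetime

# Constructed endpoint telemetry (sample data, not from the original page);
# field names mirror the Carbon Black search above.
PROCESS_EVENTS = [
    {"host": "WS01", "ts": "2019-07-30T10:00:01", "process_name": "cmd.exe",
     "parent_name": "wmiprvse.exe", "childproc_name": "net.exe",
     "cmdline": "cmd.exe /c net user dude /add"},
    {"host": "WS01", "ts": "2019-07-30T09:12:00", "process_name": "cmd.exe",
     "parent_name": "explorer.exe", "childproc_name": "net.exe",
     "cmdline": "cmd.exe /c net user"},  # interactive admin use, not via WMI
]

# Constructed Security log entries from the remote host (sample data).
SECURITY_EVENTS = [
    {"host": "WS01", "ts": "2019-07-30T10:00:02", "event_id": 4720, "target": "dude"},
    {"host": "WS01", "ts": "2019-07-30T10:00:02", "event_id": 4722, "target": "dude"},
    {"host": "WS01", "ts": "2019-07-30T10:00:03", "event_id": 4738, "target": "dude"},
    {"host": "WS01", "ts": "2019-07-30T10:00:03", "event_id": 4732, "target": "dude"},
    {"host": "WS02", "ts": "2019-07-30T10:00:03", "event_id": 4720, "target": "svc"},  # other host, ignored
]

ACCOUNT_EVENT_IDS = {4720, 4722, 4738, 4732}  # the IDs listed above


def wmi_spawned_net_user(events):
    """Process events matching the search above: cmd.exe whose parent is
    wmiprvse.exe and which spawned net.exe with 'user' on the command line."""
    return [e for e in events
            if e["process_name"].lower() == "cmd.exe"
            and e["parent_name"].lower() == "wmiprvse.exe"
            and e["childproc_name"].lower() == "net.exe"
            and "user" in e["cmdline"].lower()]


def correlate(process_events, security_events, window_s=60):
    """Pair each WMI-spawned net.exe hit with the account-management Event IDs
    logged on the same host within window_s seconds after it."""
    alerts = []
    for hit in wmi_spawned_net_user(process_events):
        t0 = datetime.fromisoformat(hit["ts"])
        ids = sorted({s["event_id"] for s in security_events
                      if s["host"] == hit["host"]
                      and s["event_id"] in ACCOUNT_EVENT_IDS
                      and 0 <= (datetime.fromisoformat(s["ts"]) - t0).total_seconds() <= window_s})
        alerts.append({"host": hit["host"], "cmdline": hit["cmdline"],
                       "account_event_ids": ids})
    return alerts


if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, SECURITY_EVENTS):
        print(alert)
```

A hit with all four IDs present in the window is a strong signal; a hit with none of them usually means the net.exe command failed or the Security log is not collecting account-management events.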

Some Articles from my Bookmarks

https://www.secureworks.com/blog/malware-lingers-with-bits

https://azeria-labs.com/advanced-persistent-threat/

https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations

https://www.rsaconference.com/writable/presentations/file_upload/hta-w05-tracking_hackers_on_your_network_with_sysinternals_sysmon.pdf

http://security-research.dyndns.org/pub/slides/BotConf/2016/Botconf-2016_Tom-Ueltschi_Sysmon_notes.pdf

https://www.endgame.com/blog/technical-blog/detecting-spectre-and-meltdown-using-hardware-performance-counters

https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
--> NOTE: this was a really good article!

http://techgenix.com/Dissecting-Pass-Hash-Attack/

Passive Reconnaissance

Some Manual Searching:

You can find some really good stuff sometimes at a site like Data.com. It is worth it to spend some time here and search around. Besides, accounts are free.

Tools to Consider:

Discover scripts by Lee Baird
Recon-ng

Online Searches:

Shodan
Google
Bing
Have I Been Pwned
Hunter.io

Authenticated WMI Exec Via Powershell

https://packetstormsecurity.com/files/139762/Authenticated-WMI-Exec-Via-Powershell.html

This Metasploit module uses WMI execution to launch a payload instance on a remote machine. In order to avoid AV detection, all execution is performed in memory via a psh-net encoded payload. The persistence option can be set to keep the payload looping while a handler is present to receive it. By default the module runs as the current process owner. The module can be configured with credentials for the remote host with which to launch the process.

3 new VMs to test with

https://www.vulnhub.com/entry/readme_1,336/

https://www.vulnhub.com/entry/jigsaw_2,337/

https://www.vulnhub.com/entry/sunset_1,339/


Exploit kits review

https://blog.malwarebytes.com/threat-analysis/2019/07/exploit-kits-summer-2019-review/

Threat actors continue to buy traffic from ad networks and use malvertising as their primary delivery method. Leveraging user profiling (their browser type and version, country of origin, etc.) from ad platforms, criminals are able to maintain decent load rates (successful infection per drive-by attempts).


fierce

Basic running of the program:
./fierce.pl -dns <domain>

Search all class C ranges found for PTR records that match the domain:
./fierce.pl -wide -dns <company>

Some reverse DNS lookups:
./fierce.pl -dnsserver <target_dns> -range <ipNet_range>


Some other flags:
-search -- Search list. When fierce attempts to traverse up and down IP space it may encounter other servers within other domains that may belong to the same company. If you supply a comma-delimited list to fierce, it will report anything found.

-threads <number> -- The number of threads to use when running the scan.

-wordlist <list.txt> -- Use an alternate word list to the default one for the application.

-file <filename.out> -- Write the results of the scan to the file specified on the command line.

-delay <number> -- This specifies a delay, in seconds, to wait between queries.

Will the real Mr. Wang please stand up

I have started looking at this blog in the past few months, and am really enjoying it more and more these days.



In summary, Wang Qingwei, an IT security expert, advertised jobs at Jinan Fanglang using two online profiles and was also listed as the company’s official representative. He is directly linked to likely MSS Officer Guo Lin, travelling with him on multiple occasions.
#theyknowwherethisleads

Capital One has a breach

Capital One data breach hits about 6 million people in Canada, 100 million in U. S.
http://flip.it/ly1lyr

update: 2019-07-30
Wired
NPR

new logwatch

Logwatch 7.5.2
https://packetstormsecurity.com/files/153783/logwatch-7.5.2.tar.gz

look at yer logs........

A Collection of Fun WMI Things

Playing with MOF files on Windows, for fun & profit
http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html
"""
What is really interesting with WMI is that it permits to execute some code when the notification of an event occurs. The event might be a program start, a user authentication, ... or any other Windows event. A MOF file needs to be registered into the CIM/WMI repository in order to be taken into account by WMI. When registering a MOF file, the CIM class(es) it describes are indeed added into the repository.
"""
MOF files are compiled into the WMI repository using mofcomp.exe. Moreover, a MOF file that is put in the %SystemRoot%\System32\wbem\mof\ directory is automatically compiled and registered into the WMI repository. It is defined in the registry key HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\.
"""

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

https://files.sans.org/summit/Digital_Forensics_and_Incident_Response_Summit_2015/PDFs/TheresSomethingAboutWMIDevonKerr.pdf

https://www.youtube.com/watch?v=Ldzr0bfGtHc


A Quick Red Team note

Golden Tickets
Silver Tickets
Kerberoasting
Pykek attacks
User hunting
Forest Enumeration
Cross Forest Attacks
SID attacks
ACL Abuses
GPO Abuses

Today's Look For:

Any instance of this User-Agent:
- Microsoft BITS/7.5

rundll32.exe, shell32.dll, OpenAs_RunDLL

Jenkins can be an easy attack surface

Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks
https://blog.trendmicro.com/trendlabs-security-intelligence/jenkins-admins-relying-on-default-settings-could-put-master-at-risk-of-remote-code-execution-attacks/

KPOT v2.0 stealer silently steals credentials

New KPOT v2.0 stealer