Security solution engineers keep finding new ways to monitor OS events in order to mitigate threats on endpoints. These approaches typically reuse built-in Windows mechanisms that were never designed with security as a primary goal.
At Black Hat Europe 2021, we publicly showed how to blind an entire class of endpoint security products by disabling ETW. Our current research focus is Windows Management Instrumentation (WMI), a mechanism that allows event filtering without registering kernel callbacks. WMI is a built-in feature designed to manage enterprise infrastructure and provide detailed diagnostics of hardware, firmware, software, and configuration, both locally and remotely. It is deeply integrated into Windows user-mode applications and kernel drivers. WMI exposes rich information about the computing environment and allows monitoring through event filters, consumers, and bindings, which deliver notifications about important OS events. These features make WMI critical for solutions such as EDRs, AVs, and SIEMs.
The bad news: WMI is vulnerable by design, and it has already been leveraged for malware persistence (APT41, FIN6) and arbitrary code execution (APT29, Stuxnet). Malware countermeasures can disable WMI outright, rendering the defense solutions that depend on it useless. We will provide an analysis of the WMI architecture by reversing user-mode variables and functions from its DLLs, and use it to demonstrate several new user-mode attacks.
The core vulnerability of WMI is that the DLLs loaded into the WMI core process (WinMgmt) rely on "flags" to perform WMI operations. By modifying these flags, attackers can block access to WMI, including receiving new OS events and installing new WMI filters. There are no built-in features to block these attacks or to repair WMI afterwards. Our Security Sensor detects such attacks by inspecting the memory of the WMI core service, and it can also disclose other attacks on Windows OS components, including privilege escalation, token hijacking, and ETW blinding. These attacks affect all versions of Windows, because they stem from the design of WMI's core features.
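The filters, consumers and bindings described above are also the mechanism behind the WMI persistence the abstract mentions. As an added defensive check (example code, not from the talk and not the authors' Security Sensor), the script below enumerates every permanent subscription in root\subscription, shows which consumers execute commands or scripts, and confirms that the WMI service still answers a basic query. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run with administrator rights.

```powershell
# Added defensive check (example, not from the talk): list permanent WMI event subscriptions
# and confirm the WMI core still answers queries. Assumes PowerShell 5.1+/7 on Windows, admin.

function Test-WmiResponsive {
    # A disabled or blinded WMI service fails even this basic query.
    try { $null = Get-CimInstance -ClassName Win32_OperatingSystem -ErrorAction Stop; $true }
    catch { $false }
}

function Get-RefName($ref) {
    # Reference properties arrive as CimInstance objects (Get-CimInstance) or as path strings.
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]*)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

function Get-WmiSubscriptionReport {
    $ns = 'root\subscription'
    # Index filters and consumers by Name so each binding can be resolved.
    $filters = @{}; $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters[$fName]; $c = $consumers[$cName]
        $type = if ($c) { $c.CimClass.CimClassName } else { 'unresolved' }
        # The payload-bearing field depends on the consumer class.
        $action = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }
        [pscustomobject]@{
            Filter       = $fName
            Query        = if ($f) { $f.Query } else { 'unresolved' }
            Consumer     = $cName
            ConsumerType = $type
            Action       = $action
            # Command and script consumers are the ones abused for persistence.
            Executes     = $type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

"WMI responsive: $(Test-WmiResponsive)"
Get-WmiSubscriptionReport | Format-Table -AutoSize
```

A binding whose consumer executes a command line or script, with a filter query that fires on boot, logon or a timer, is the pattern worth baselining and alerting on; an unexpected false result from the responsiveness check is the symptom of the WMI blinding the talk describes.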