In my previous blog post I covered how Microsoft has enhanced WMI logging in the latest versions of their client and server operating systems. WMI Permanent event logging was also added in version 6.10 specific events for logging permanent event actions. The new events are:
- Event ID 19: WmiEvent (WmiEventFilter activity detected). When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.
- Event ID 20: WmiEvent (WmiEventConsumer activity detected). This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
- Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected). When a consumer binds to a filter, this event logs the consumer name and filter path
In version 6.10 it tracks the creation and deletion of __EventFilter Class, Any Consumer Type Class and __FilterToConsumerBinding Class.Read More
WMI (Windows Management Instrumentation) has been part of the Windows Operating System since since Windows 2000 when it was included in the OS. The technology has been of great value to system administrators by providing ways to pull all types of information, configure components and take action based on state of several components of the OS. Due to this flexibility it has been abused by attackers that saw its potential since it early inclusion in the OS.
As security practitioners it is one of the technologies on Microsoft Windows that is of great importance to master. Until recently there was little to now logging of the actions one could take using WMI. Blue Teams where left leveraging third party tools or coding their own solution to cover gaps, this allowed for many year the abuse of WMI by Red Teams simulating the very actions that attackers of all kind have used in their day to day operation. We will take a look at how Microsoft improved the logging of WMI actions.Read More
This last couple of day the headline has been the WannaCry ransomeware worm. I have seen many discussion about the technical aspects of it, about the disclosure of the vulnerability and debates of who is at fault for its widespread effect (Microsoft, NSA, Shadow Brokers ..etc). Yet the big elephant in the room remains that this is history that will repeat it self. The main reason that it will repeat it self is the gap of knowledge of those using technology and the speed at which attacks and tools can spread in the internet.
In essence the vulnerability affect the SMBv1 protocol from Microsoft that is included with all versions of Windows and it is enabled. Microsoft released a patch for the vulnerability as MS17-010 ON March 14, 2017. The patch was marked as critical, remote code execution and it affected all version of Windows with a CVSS score of 9.3. I work for a security vendor and I manage a team of reverse engineers that write the remote checks, as soon as we saw this we started working on it and where able to reach the vulnerable sections in less that a week and got a check for it out the door, we quickly new this had the potential to be as big as MS08-67. On April 7 Shadow Brokers releases a trove of tools from the NSA and they contain an exploit for this vulnerability among others called ETERNALBLUE, the tools where analyzed by researches that published tutorials on how to use the tools and expand upon them. Shortly after the release thousands of exposed boxes in the internet started to be compromised by the vulnerability.Read More
Recently Tavis Ormandy a well known vulnerability researcher from Google made a tweet about a vulnerability he and researcher Natalie Silvanovich from Google Project Zero found on the Windows OS that could be wormable.
The reaction from many organizations has been from one extreme all the way to the other side, where some are panicking and to the other side they simply take it as a nice to know heads up. So what is the difference between this different organizations? I would say a lot.Read More