Abusing Windows Management Instrumentation (WMI) to Build a Persistent Asynchronous and Fileless Backdoor

Black Hat USA 2015

Presented by: Matthew Graeber
Date: Wednesday August 05, 2015
Time: 16:20 - 17:10
Location: Mandalay Bay EF

Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI).

With increased scrutiny from anti-virus and 'next-gen' host endpoint products, advanced red teams and attackers already know that introducing binaries into a high-security environment draws attention. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that, rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.

Matthew Graeber

Matt Graeber is a Staff Reverse Engineer at FireEye with a varied background in reverse engineering, red teaming, and offensive tool development. Since joining FireEye, Matt has reversed a vast quantity of targeted and commodity malware samples and served as an instructor of Mandiant's Advanced Malware Analysis course. In his spare time, he develops offensive and reverse engineering frameworks for PowerShell: PowerSploit and PowerShellArsenal, respectively. He has also been designated a Microsoft 'Most Valuable Professional' (MVP) in PowerShell. Matt regularly advocates a minimalist approach to offensive security that relies primarily upon using the built-in tools already present in a target environment.


KhanFu - Mobile schedules for INFOSEC conferences.