Jump to content

Recommended Posts

Posted (edited)

No matter what I do with custom hips, eset will not ask to block wmi from creating child process via the following commands:

Powershell:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe 


CMD:

wmic process call create "notepad.exe"

 

It had only some success, for example, when loading Adobe After Effects, hips asked if wmi should call up 'conhost.exe'. Why is this not working as intended via the aforementioned commandlines? System Informer clearly shows that notepad is a child process of wmi.

Edited by tzuzut
Posted (edited)
14 hours ago, tzuzut said:

CMD:

wmic process call create "notepad.exe"

You need to monitor WMIC startup; not child process creation. The HIPS alert Commandline will show if attempted child process creation is occurring;

Eset_WMI.thumb.png.cdd4635525e03ea090f8b0c12459a7cb.png

Ditto for powershell startup.

WMIC HIPS rule is;

Eset_WMIC.png.cb544f8a9bc5c8f571e713a790b3b20e.png

Note that MITRE's recommendation is to block WMIC execution;

Quote

M1038 Execution Prevention

Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.[139]

https://attack.mitre.org/techniques/T1047/

Edited by itman
Posted

Blueskying, what would be utterly fantastic is Eset ptogramming the HIPS to use MITRE detections as to LOL Windows binary abuse. Then one could specify in a HIPS rule to apply those detections against an abused process such as WMIC.

Posted (edited)

Also, I believe WMIC invokes the main WMI process, wmiprvse.exe, to run the target process. So in reality, it is wmiprvse.exe that is creating the child process. I have a HIPS rule to monitor for that activity.

As far as stopping WMI via PowerShell use, the best mitigation is to set Powershell to Constrained Language mode which prevents all direct use of PowerShell subassembies via .Net invocation. Also, use of Windows Defender Application Control (WDAC) auto sets Powershell to Constrained Language mode.

-Correction- PowerShell Constained Language mode won't stop this;

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe

but monitoring child process startup from wmiprvse.exe will;

Time;Application;Operation;Target;Action;Rule;Additional information
8/23/2023 3:04:21 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Edited by itman
Posted (edited)

As far as what wmiprvse.exe child processes to monitor for;

Quote

The following is an amalgamation of several analytics that can detect a wide array of threats, ranging from red team activity to web shells to coinminers:

parent_process == wmiprvse.exe && process == ('rundll32.exe' || 'msbuild.exe' || 'powershell.exe' || 'cmd.exe' || 'mshta.exe')

https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/

Also, the article gives multiple examples of why WMIC execution should be blocked.

Edited by itman
Posted (edited)

Thanks for the excellent tips!

I originally created a scheduled task that monitored for wmic implants based on eventviewer ids, which executed a batch script (see comment) upon detection that scanned the wmic repository for consistency, and stopped the service.  The method I used previously was blocking child process of wmic.exe and wmiprvse.exe via windows exploit protections, in part because they can be used to easily bypass constrained language mode, but it doesn't offer the granularity of a hips setup, and caused compatibility issues with certain applications.   

I had months ago created a hips for both processes in eset, but neither worked when spawning a processes from cmd or powershell. I don't understand why eset can't detect this. But I guess blocking CMD and Powershell from running wmic would go a long way.

Id prefer blocking to logging... a hips/whitelist approach would be most useful in my circumstance; to immediately stop it in its tracks.  Attached is my scripts.
wmi.zip

Edited by tzuzut
Posted

 

 

Quote

monitoring child process startup from wmiprvse.exe will;

Time;Application;Operation;Target;Action;Rule;Additional information
8/23/2023 3:04:21 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

I wasn't able to get this effect for some reason... eset is not blocking it.

Posted (edited)

Oh, looks like I still have exploit protections enabled,

Arbitrary Code Guard, (AGC)

probably why I'm not seeing anything popping up.

Process '\Device\HarddiskVolume7\Windows\System32\wbem\WMIC.exe' (PID 13756) was blocked from generating dynamic code.

 

Edited by tzuzut
Posted (edited)

another tip, add audits via exploit protections; event id 3, 2, 12, 1, 

 

Quote

Process '\Device\HarddiskVolume7\Windows\System32\wbem\WMIC.exe' (PID 16968) would have been blocked from creating a child process '\??\C:\WINDOWS\system32\conhost.exe' with command line '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'.

 

Edited by tzuzut
Posted

I'll have to disable AGC and then test your suggestions, this requires a restart so I'll post my results as I find the time.

Posted (edited)

So, oddly, I am getting inconsistent results with windows. I've disabled exploit protections for wmic, and restarted the service, and though it claims notepad launch was successful, it does not appear, not even temporarily, according to task manager.  At times it does; perhaps on a fresh boot of windows. I had strange issues like this before... and other issues, where exploit protection child process blocking for wmic would work on one windows system and only partially on another. On one system it worked for wmic.exe only, but not the powershell command. In the other system, it blocked both. I tried disabling the following attack surface reduction rule as well, but the same issue (if it is one) persists. I'm not sure if attack surface reduction rules actually work when using a third party av.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

image.png.bf8aa7ba8e3bbaf9365cf7c9b66cdd16.png

Edited by tzuzut
Posted
7 hours ago, tzuzut said:

I'm not sure if attack surface reduction rules actually work when using a third party av.

ASR rules are only applicable when Microsoft Defender is the active real-time protection solution.

Posted
10 hours ago, tzuzut said:

I wasn't able to get this effect for some reason... eset is not blocking it.

When I tested this;

On 8/22/2023 at 8:17 PM, tzuzut said:
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe 

I ran it from the PowerShell GUI. Are you running this from a script? If so, post the script you are using.

Posted

I run it Just from a powershell terminal

Posted (edited)

I get the following error in eventviewer, with both the Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe and wmic process call create "notepad.exe" commands. They only open notepad one time on an a clean boot, then the error persists each consecutive execution from then on. Initially when it works, it appears to load the legacy notepad, with an option to open the 'updated' version.
 

0x80070005: Cannot create the process for package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe because an error was encountered while adjusting the token. [GetPackageToken]



image.png.ddbf442d8512e6d31bd8641bdae6ff19.png

Edited by tzuzut
Posted (edited)
3 hours ago, tzuzut said:
0x80070005: Cannot create the process for package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe 

That error code is associated with a Win Update error. Refer to this article: https://learn.microsoft.com/en-us/answers/questions/1022056/error-0x80070005 ;

Quote

The error 0x80070005 occurs when the system or user lacks the required files or permissions to change settings at the time of the Windows update.

It is possible that Microsoft Store is corrupted;

Quote

Solution 3

Reinstall the Microsoft Store.

1-Right click on Start.
2-Click on Windows PowerShell(admin)
3-Type:
Get-AppXPackage -allusers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"} and press ENTER.
4-Reboot your pc and try open the Microsoft Store.

Edited by itman
Posted (edited)
14 hours ago, tzuzut said:

I run it Just from a powershell terminal

As shown below, my Eset HIPS rule to monitor child process startup from wmiprvse.exe does detect this PowerShell activity;

Eset_Powershell.thumb.png.a82d0884eb220139de99872799459555.png

-EDIT- I believe I know what may be the issue.

You reference this in your posting;

package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe 

Now when I run;

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe 

what is being run from being run from PowerShell via WMI is the default Win notepad.exe app;

Quote

Time;Application;Operation;Target;Action;Rule;Additional information
8/31/2023 9:41:47 AM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Did you update Win 10/11 to use notepad++ or download a notepad app from the Win Store app instead of the Win default notepad.exe? I believe this is why the detection of the wmiprvse.exe child process detection is failing for you. Also note that multiple unpatched vulnerabilities exist for notepad++: https://cybersecuritynews.com/multiple-notepad-flaw/

Use calc.exe in your test instead of notepad.exe

Edited by itman
Posted (edited)

I also found this Microsoft posting: https://answers.microsoft.com/en-us/windows/forum/all/cant-open-notepad-by-using-run-command/df43ca46-8450-47c7-ae33-446086a27502 indicating there is an issue when a Microsoft Store version of notepad is installed. The issue appears related to when notepad is run other than by direct invocation of it. This confirms what I posted above.

Note that in Win 11, Microsoft replaced the classic notepad .exe in System32 directory with a MS Store version. It appears MS Store apps can't be run via PowerShell;

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList

method which makes sense since MS Store apps are run from an applicable service.

Ref.: https://stackoverflow.com/questions/68907012/how-to-open-installed-microsoft-store-apps-from-powershell

Edited by itman
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...