tzuzut
Posted August 23, 2023 (edited)

No matter what I do with custom HIPS rules, ESET will not ask to block WMI from creating a child process via the following commands:

PowerShell: Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
CMD: wmic process call create "notepad.exe"

It had only some success; for example, when loading Adobe After Effects, HIPS asked if WMI should call up 'conhost.exe'. Why is this not working as intended via the aforementioned command lines? System Informer clearly shows that notepad is a child process of WMI.

Edited August 23, 2023 by tzuzut
itman
Posted August 23, 2023 (edited)

14 hours ago, tzuzut said:
    CMD: wmic process call create "notepad.exe"

You need to monitor WMIC startup, not child process creation. The HIPS alert command line will show if attempted child process creation is occurring. Ditto for PowerShell startup.

WMIC HIPS rule is:

Note that MITRE's recommendation is to block WMIC execution:

Quote:
    M1038 Execution Prevention
    Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.[139]
    https://attack.mitre.org/techniques/T1047/

Edited August 23, 2023 by itman
itman
Posted August 23, 2023

Blueskying, what would be utterly fantastic is ESET programming the HIPS to use MITRE detections as to LOL Windows binary abuse. Then one could specify in a HIPS rule to apply those detections against an abused process such as WMIC.
itman
Posted August 23, 2023 (edited)

Also, I believe WMIC invokes the main WMI process, wmiprvse.exe, to run the target process. So in reality, it is wmiprvse.exe that is creating the child process. I have a HIPS rule to monitor for that activity.

As far as stopping WMI via PowerShell use, the best mitigation is to set PowerShell to Constrained Language mode, which prevents all direct use of PowerShell subassemblies via .Net invocation. Also, use of Windows Defender Application Control (WDAC) auto sets PowerShell to Constrained Language mode.

-Correction- PowerShell Constrained Language mode won't stop this:

    Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe

but monitoring child process startup from wmiprvse.exe will:

    Time;Application;Operation;Target;Action;Rule;Additional information
    8/23/2023 3:04:21 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Edited August 23, 2023 by itman
itman
Posted August 23, 2023 (edited)

As far as what wmiprvse.exe child processes to monitor for:

Quote:
    The following is an amalgamation of several analytics that can detect a wide array of threats, ranging from red team activity to web shells to coinminers:

    parent_process == wmiprvse.exe && process == ('rundll32.exe' || 'msbuild.exe' || 'powershell.exe' || 'cmd.exe' || 'mshta.exe')

    https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/

Also, the article gives multiple examples of why WMIC execution should be blocked.

Edited August 23, 2023 by itman
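The wmiprvse.exe child-process analytic quoted above, applied offline to ESET HIPS log rows in the export layout shown earlier in the thread. This is an added example, not code from the thread, ESET or Red Canary; the log rows are constructed sample data (notepad.exe is the thread's own test case, the other children come from the analytic), and the column names are taken from the quoted export header.

```python
import csv

# Children of the WMI provider host flagged by the Red Canary analytic quoted in the thread.
SUSPICIOUS_CHILDREN = {"rundll32.exe", "msbuild.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Constructed sample rows in the ESET HIPS export layout quoted in the thread (not real log data).
SAMPLE_HIPS_LOG = r"""
Time;Application;Operation;Target;Action;Rule;Additional information
8/23/2023 3:04:21 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;
8/23/2023 3:05:02 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\cmd.exe;Allowed;;
8/23/2023 3:06:10 PM;C:\Windows\explorer.exe;Start new application;C:\WINDOWS\system32\cmd.exe;Allowed;;
8/23/2023 3:07:44 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\mshta.exe;Blocked;Deny child processes started from WmiPrvSE.exe;
8/23/2023 3:08:30 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Get access to file;C:\Windows\Temp\x.log;Allowed;;
""".strip()


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path: 'C:\\A\\WmiPrvSE.exe' -> 'wmiprvse.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hips_log(text: str) -> list[dict]:
    """Parse the semicolon-separated export into one dict per row, keyed by header name."""
    return list(csv.DictReader(text.splitlines(), delimiter=";"))


def wmi_child_process_events(rows: list[dict]) -> list[dict]:
    """Keep only process-start events whose parent (Application column) is wmiprvse.exe."""
    return [r for r in rows
            if r["Operation"] == "Start new application"
            and image_name(r["Application"]) == WMI_PROVIDER_HOST]


def triage(text: str) -> dict:
    """Compare what the HIPS rule blocked with what the analytic flags; allowed hits are the gap."""
    children = [(image_name(e["Target"]), e["Action"])
                for e in wmi_child_process_events(parse_hips_log(text))]
    return {
        "blocked": [name for name, action in children if action == "Blocked"],
        "analytic_hits": [name for name, _ in children if name in SUSPICIOUS_CHILDREN],
        "allowed_hits": [name for name, action in children
                         if name in SUSPICIOUS_CHILDREN and action != "Blocked"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HIPS_LOG).items():
        print(f"{key}: {value}")
```

Note that the HIPS "Deny child processes" rule and the analytic do not agree on the sample: the rule blocks notepad.exe, which the analytic ignores, while cmd.exe spawned from WmiPrvSE.exe was allowed yet is an analytic hit.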
tzuzut (Author)
Posted August 29, 2023 (edited)

Thanks for the excellent tips! I originally created a scheduled task that monitored for WMIC implants based on Event Viewer IDs, which executed a batch script (see comment) upon detection that scanned the WMI repository for consistency and stopped the service. The method I used previously was blocking child processes of wmic.exe and wmiprvse.exe via Windows exploit protections, in part because they can be used to easily bypass Constrained Language mode, but it doesn't offer the granularity of a HIPS setup, and caused compatibility issues with certain applications. I had months ago created a HIPS rule for both processes in ESET, but neither worked when spawning a process from CMD or PowerShell. I don't understand why ESET can't detect this. But I guess blocking CMD and PowerShell from running WMIC would go a long way. I'd prefer blocking to logging... a HIPS/whitelist approach would be most useful in my circumstance, to immediately stop it in its tracks.

Attached is my scripts.wmi.zip

Edited August 29, 2023 by tzuzut
tzuzut (Author)
Posted August 29, 2023

Quote:
    monitoring child process startup from wmiprvse.exe will:
    Time;Application;Operation;Target;Action;Rule;Additional information
    8/23/2023 3:04:21 PM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

I wasn't able to get this effect for some reason... ESET is not blocking it.
tzuzut (Author)
Posted August 29, 2023 (edited)

Oh, looks like I still have exploit protections enabled, Arbitrary Code Guard (ACG), probably why I'm not seeing anything popping up.

    Process '\Device\HarddiskVolume7\Windows\System32\wbem\WMIC.exe' (PID 13756) was blocked from generating dynamic code.

Edited August 29, 2023 by tzuzut
tzuzut (Author)
Posted August 29, 2023 (edited)

Another tip: add audits via exploit protections; event IDs 3, 2, 12, 1.

Quote:
    Process '\Device\HarddiskVolume7\Windows\System32\wbem\WMIC.exe' (PID 16968) would have been blocked from creating a child process '\??\C:\WINDOWS\system32\conhost.exe' with command line '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'.

Edited August 29, 2023 by tzuzut
tzuzut (Author)
Posted August 29, 2023

I'll have to disable ACG and then test your suggestions; this requires a restart, so I'll post my results as I find the time.
tzuzut (Author)
Posted August 29, 2023 (edited)

So, oddly, I am getting inconsistent results with Windows. I've disabled exploit protections for WMIC and restarted the service, and though it claims the notepad launch was successful, it does not appear, not even temporarily, according to Task Manager. At times it does; perhaps on a fresh boot of Windows. I had strange issues like this before... and other issues, where exploit protection child process blocking for WMIC would work on one Windows system and only partially on another. On one system it worked for wmic.exe only, but not the PowerShell command. On the other system, it blocked both.

I tried disabling the following attack surface reduction rule as well, but the same issue (if it is one) persists. I'm not sure if attack surface reduction rules actually work when using a third-party AV.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

Edited August 29, 2023 by tzuzut
itman
Posted August 29, 2023

7 hours ago, tzuzut said:
    I'm not sure if attack surface reduction rules actually work when using a third-party AV.

ASR rules are only applicable when Microsoft Defender is the active real-time protection solution.
itman
Posted August 29, 2023

10 hours ago, tzuzut said:
    I wasn't able to get this effect for some reason... ESET is not blocking it.

When I tested this:

On 8/22/2023 at 8:17 PM, tzuzut said:
    Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe

I ran it from the PowerShell GUI. Are you running this from a script? If so, post the script you are using.
tzuzut (Author)
Posted August 31, 2023

I run it just from a PowerShell terminal.
tzuzut (Author)
Posted August 31, 2023 (edited)

I get the following error in Event Viewer, with both the Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe and wmic process call create "notepad.exe" commands. They only open notepad one time on a clean boot, then the error persists on each consecutive execution from then on. Initially, when it works, it appears to load the legacy notepad, with an option to open the 'updated' version.

    0x80070005: Cannot create the process for package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe because an error was encountered while adjusting the token. [GetPackageToken]

Edited August 31, 2023 by tzuzut
itman
Posted August 31, 2023 (edited)

3 hours ago, tzuzut said:
    0x80070005: Cannot create the process for package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe

That error code is associated with a Win Update error. Refer to this article: https://learn.microsoft.com/en-us/answers/questions/1022056/error-0x80070005

Quote:
    The error 0x80070005 occurs when the system or user lacks the required files or permissions to change settings at the time of the Windows update.

It is possible that Microsoft Store is corrupted:

Quote:
    Solution 3
    Reinstall the Microsoft Store.
    1. Right click on Start.
    2. Click on Windows PowerShell (admin)
    3. Type:
       Get-AppXPackage -allusers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
       and press ENTER.
    4. Reboot your PC and try to open the Microsoft Store.

Edited August 31, 2023 by itman
itman
Posted August 31, 2023 (edited)

14 hours ago, tzuzut said:
    I run it just from a PowerShell terminal.

As shown below, my ESET HIPS rule to monitor child process startup from wmiprvse.exe does detect this PowerShell activity:

-EDIT- I believe I know what may be the issue. You reference this in your posting:

    package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe

Now when I run

    Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe

what is being run from PowerShell via WMI is the default Win notepad.exe app:

Quote:
    Time;Application;Operation;Target;Action;Rule;Additional information
    8/31/2023 9:41:47 AM;C:\Windows\System32\wbem\WmiPrvSE.exe;Start new application;C:\WINDOWS\system32\notepad.exe;Blocked;Deny child processes started from WmiPrvSE.exe;

Did you update Win 10/11 to use notepad++ or download a notepad app from the Win Store app instead of the Win default notepad.exe? I believe this is why the wmiprvse.exe child process detection is failing for you.

Also note that multiple unpatched vulnerabilities exist for notepad++: https://cybersecuritynews.com/multiple-notepad-flaw/

Use calc.exe in your test instead of notepad.exe.

Edited August 31, 2023 by itman
itman
Posted September 1, 2023 (edited)

I also found this Microsoft posting: https://answers.microsoft.com/en-us/windows/forum/all/cant-open-notepad-by-using-run-command/df43ca46-8450-47c7-ae33-446086a27502 indicating there is an issue when a Microsoft Store version of notepad is installed. The issue appears related to when notepad is run other than by direct invocation of it. This confirms what I posted above.

Note that in Win 11, Microsoft replaced the classic notepad .exe in the System32 directory with an MS Store version. It appears MS Store apps can't be run via the PowerShell

    Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList

method, which makes sense since MS Store apps are run from an applicable service. Ref.: https://stackoverflow.com/questions/68907012/how-to-open-installed-microsoft-store-apps-from-powershell

Edited September 1, 2023 by itman