Windows management instrumentation (WMI) security

Bibliographic Details
Main Author: Chew, Zhi Jie
Other Authors: Lam Kwok Yan
Format: Final Year Project
Language:English
Published: 2018
Online Access:http://hdl.handle.net/10356/74189
Institution: Nanyang Technological University
Description
Summary: Fileless attacks are on the rise. What they have in common is the abuse of legitimate system software, and one such component is Windows Management Instrumentation (WMI). WMI-based attacks are covert and hard to trace, and there is little doubt that WMI-based and other fileless attacks will become more common. Hence there is a need for more sophisticated software to protect against WMI-based attacks. The purpose of this study is to create a WMI-based penetration testing tool and a protection software that defends against WMI attacks. The study focuses on how WMI can be abused and how to protect against WMI-based attacks. The penetration testing tool is tested on a basic enterprise network to assess how WMI can be used abusively; the performance of the protection software is then evaluated using the penetration testing tool itself. The design of both tools emphasises code reuse and enforces strict decoupling, giving a base that lets developers extend the tools' functionality with ease. Rather than exploiting WMI itself, the penetration testing tool uses WMI for post-exploitation: it provides information gathering, lateral movement, covert data storage and fileless payload injection. The proposed method is implemented as a protection software that can detect, prevent and mitigate WMI-based attacks; its main features are logging the event, alerting the system administrator and mitigating the attack. Areas for further development remain in both the proof of concept and the proposed method.
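The summary names covert data storage in WMI as one attacker capability and detection plus mitigation as the defender's side. The following PowerShell is an added example written for this record, not the project's penetration testing tool or protection software: it stores a string as the default value of a property on a static (instance-less) WMI class, reads it back, hunts for that pattern and for permanent event subscriptions, and removes the class. The namespace, class name, property name and the length threshold are assumptions; the payload is a constructed sample. It needs an elevated PowerShell session on Windows.

```powershell
# Added example (not the project's code): covert data storage in the WMI
# repository and a defender-side hunt for it. Run as Administrator.
# Namespace, class name and property name are assumptions for illustration.

$Namespace = 'root\cimv2'
$ClassName = 'Win32_AddedExampleStore'   # assumed; any name Windows does not ship

function Write-WmiStore {
    param([string]$Data)
    # A class with no instances still persists its properties' default values
    # in the repository, so the data survives reboots without touching disk.
    # Two Put() calls: the first registers the class, the second its property.
    $class = New-Object System.Management.ManagementClass($Namespace, $null, $null)
    $class.Name = $ClassName
    $class.Put() | Out-Null
    $class.Properties.Add('Blob', $Data)
    $class.Put() | Out-Null
}

function Read-WmiStore {
    # Backtick escapes the colon so "$Namespace:" is not parsed as a scope.
    ([wmiclass]"$Namespace`:$ClassName").Properties['Blob'].Value
}

function Remove-WmiStore {
    # Mitigation: deleting the class removes the stored data from the repository.
    ([wmiclass]"$Namespace`:$ClassName").Delete()
}

function Find-WmiStores {
    param([int]$MinLength = 256)   # assumed threshold; tune against a baseline
    # Heuristic detection: string properties with unusually long default values
    # on classes in the namespace. Windows-shipped classes do not carry payloads
    # this way, so hits deserve a look even when the class name looks legitimate.
    Get-CimClass -Namespace $Namespace | ForEach-Object {
        $cls = $_
        foreach ($p in $cls.CimClassProperties) {
            if ($p.CimType -eq 'String' -and $p.Value -is [string] -and
                $p.Value.Length -ge $MinLength) {
                [pscustomobject]@{
                    Class    = $cls.CimClassName
                    Property = $p.Name
                    Length   = $p.Value.Length
                }
            }
        }
    }
}

function Find-WmiPersistence {
    # Permanent event subscriptions are the classic fileless persistence: a
    # filter (WQL trigger), a consumer (command or script) and a binding.
    # Querying the abstract __EventConsumer returns the concrete consumers.
    foreach ($c in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace root/subscription -ClassName $c |
            Select-Object @{ n = 'Type'; e = { $c } }, Name, Query,
                          CommandLineTemplate, ScriptText, Filter, Consumer
    }
    # Event 5861 records each new permanent subscription with its full definition.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Type'; e = { 'Event5861' } }, Message
}

# Usage: plant a constructed sample, read it, hunt for it, clean up.
$sample = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(
    ('constructed sample payload ' * 20)))
Write-WmiStore -Data $sample
Read-WmiStore
Find-WmiStores | Format-Table -AutoSize
Find-WmiPersistence | Format-Table -AutoSize -Wrap
Remove-WmiStore
```

Find-WmiPersistence will list subscriptions that ship with Windows (for example the SCM Event Log Consumer binding), so the practical check is a diff against a known-good baseline of the same host or image rather than treating every row as malicious; likewise Find-WmiStores is a heuristic, and a stored payload split across several short properties or compressed below the threshold would evade it.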