Windows management instrumentation (WMI) security
Saved in:

| Field | Value |
|---|---|
| Main Author: | |
| Other Authors: | |
| Format: | Final Year Project |
| Language: | English |
| Published: | 2018 |
| Subjects: | |
| Online Access: | http://hdl.handle.net/10356/74189 |
| Institution: | Nanyang Technological University |
Summary:

Fileless attacks have been on the rise. A common feature of all fileless attacks is that they use legitimate system software, one of which is Windows Management Instrumentation, also known as WMI. WMI-based attacks are hard to track and highly covert. There is no doubt that WMI-based attacks, and fileless attacks in general, will become more popular. Hence, there is a need to create more sophisticated software to protect against WMI-based attacks.

The purpose of this study is to create a WMI-based penetration testing tool and protection software to defend against WMI attacks. The study focuses on how WMI can be abused and how to protect against WMI-based attacks. The penetration testing tool is tested in a basic enterprise network setting to assess the capability of using WMI abusively. The performance of the protection software is analysed using the penetration testing tool itself.

The design methodology of both pieces of software focuses heavily on code reuse and enforces strict decoupling. This methodology creates a strong base that allows developers to extend the functionality of the tools with ease. Rather than exploiting WMI, the penetration testing tool focuses on using WMI as a post-exploitation tool. It comes with functions such as information gathering, lateral movement, covert data storage and fileless payload injection.

The proposed method is built into protection software that is able to detect, prevent and mitigate WMI-based attacks. A few major features of the protection software are that it is able to log the event, alert the system administrator and mitigate the attack. However, there remain areas for continued development in both the proof of concept and the proposed method.