Windows management instrumentation (WMI) security

Fileless attacks have been on the rise. A common trait of all fileless attacks is that they use legitimate system software, one of which is Windows Management Instrumentation, also known as WMI. WMI-based attacks are hard to track and highly covert, and there is no doubt that WMI-based attacks, or fileless attacks in general, will become more popular. Hence there is a need for more sophisticated software to protect against WMI-based attacks. The purpose of this study is to create a WMI-based penetration testing tool and a protection software that defends against WMI attacks. The study focuses on how WMI can be abused and how to protect against WMI-based attacks. The penetration testing tool is tested in a basic enterprise network setting to assess the capability of using WMI abusively, and the performance of the protection software is evaluated using the penetration testing tool itself. The design methodology of both pieces of software focuses heavily on code reuse and enforces strict decoupling; this creates a strong base that allows developers to extend the functionality of the tools with ease. Rather than exploiting WMI, the penetration testing tool uses WMI as a post-exploitation tool and provides functions such as information gathering, lateral movement, covert data storage and fileless payload injection. The proposed method is built into a protection software that is able to detect, prevent and mitigate WMI-based attacks; its major features are that it logs the event, alerts the system administrator and mitigates the attack. However, there remain areas for continued development of the proof of concept and the proposed method.

Bibliographic Details
Main Author: Chew, Zhi Jie
Other Authors: Lam Kwok Yan
Contributors: School of Computer Science and Engineering; Certis CISCO Security Pte Ltd
Degree: Bachelor of Engineering (Computer Engineering)
Format: Final Year Project (FYP)
Language: English
Published: 2018
Date available: 2018-05-07
Extent: 90 p., application/pdf
Subjects: DRNTU::Engineering; DRNTU::Engineering::Computer science and engineering::Software::Software engineering
Online Access: http://hdl.handle.net/10356/74189
Institution: Nanyang Technological University
Collection: DR-NTU (NTU Library, Singapore)
Record ID: sg-ntu-dr.10356-74189 (last updated 2023-03-03)