WMI in Powershell
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Scoping Changes with Method Namespaces
Scoping Changes with Method Namespaces Alexandre Bergel ADAM Project, INRIA Futurs Lille, France [email protected] Abstract. Size and complexity of software has reached a point where modular constructs provided by traditional object-oriented programming languages are not expressive enough. A typical situation is how to modify a legacy code without breaking its existing clients. We propose method namespaces as a visibility mechanism for behavioral refine- ments of classes (method addition and redefinition). New methods may be added and existing methods may be redefined in a method namespace. This results in a new version of a class accessible only within the defining method namespace. This mechanism, complementary to inheritance in object-orientation and tradi- tional packages, allows unanticipated changes while minimizing the impact on former code. Method Namespaces have been implemented in the Squeak Smalltalk system and has been successfully used to provide a translated version of a library without ad- versely impacting its original clients. We also provide benchmarks that demon- strate its application in a practical setting. 1 Introduction Managing evolution and changes is a critical part of the life cycle of all software sys- tems [BMZ+05, NDGL06]. In software, changes are modeled as a set of incremental code refinements such as class redefinition, method addition, and method redefinition. Class-based object-oriented programming languages (OOP) models code refinements with subclasses that contain behavioral differences. It appears that subclassing is well adapted when evolution is anticipated. For example, most design patterns and frame- works rely on class inheritance to express future anticipated adaptation and evolution. However, subclassing does not as easily help in expressing unanticipated software evo- lution [FF98a, BDN05b]. -
Investigating Powershell Attacks
Investigating PowerShell Attacks Black Hat USA 2014 August 7, 2014 PRESENTED BY: Ryan Kazanciyan, Matt Hastings © Mandiant, A FireEye Company. All rights reserved. Background Case Study WinRM, Victim VPN SMB, NetBIOS Attacker Victim workstations, Client servers § Fortune 100 organization § Command-and-control via § Compromised for > 3 years § Scheduled tasks § Active Directory § Local execution of § Authenticated access to PowerShell scripts corporate VPN § PowerShell Remoting © Mandiant, A FireEye Company. All rights reserved. 2 Why PowerShell? It can do almost anything… Execute commands Download files from the internet Reflectively load / inject code Interface with Win32 API Enumerate files Interact with the registry Interact with services Examine processes Retrieve event logs Access .NET framework © Mandiant, A FireEye Company. All rights reserved. 3 PowerShell Attack Tools § PowerSploit § Posh-SecMod § Reconnaissance § Veil-PowerView § Code execution § Metasploit § DLL injection § More to come… § Credential harvesting § Reverse engineering § Nishang © Mandiant, A FireEye Company. All rights reserved. 4 PowerShell Malware in the Wild © Mandiant, A FireEye Company. All rights reserved. 5 Investigation Methodology WinRM PowerShell Remoting evil.ps1 backdoor.ps1 Local PowerShell script Persistent PowerShell Network Registry File System Event Logs Memory Traffic Sources of Evidence © Mandiant, A FireEye Company. All rights reserved. 6 Attacker Assumptions § Has admin (local or domain) on target system § Has network access to needed ports on target system § Can use other remote command execution methods to: § Enable execution of unsigned PS scripts § Enable PS remoting © Mandiant, A FireEye Company. All rights reserved. 7 Version Reference 2.0 3.0 4.0 Requires WMF Requires WMF Default (SP1) 3.0 Update 4.0 Update Requires WMF Requires WMF Default (R2 SP1) 3.0 Update 4.0 Update Requires WMF Default 4.0 Update Default Default Default (R2) © Mandiant, A FireEye Company. -
Offensive-WMI
OFFENSIVE WMI Tim Medin [email protected] redsiege.com/wmi TIM MEDIN Red Siege - Principal IANS Faculty Consultant , Founder Formerly SANS ▸ CounterHack – NetWars, ▸ Principal Instructor Penetration Testing, CyberCity ▸ Co-author 460 Vulnerability Assessment ▸ FishNet (Optiv) – Sr Penetration Tester ▸ Instructor 560 Network Penetration Testing ▸ Financial Institution – Sr Technical Analyst – Security ▸ Instructor 660 Advanced Pen Testing, Exploit Dev ▸ Network Admin, Control Systems Engineer, Robots ▸ MSISE (Master of Engineering) Program Director WTH IS WMI WINDOWS MANAGEMENT INSTRUMENTATION “Infrastructure for management data and operations on Windows-based operating systems” ▸Common data formats – Common Information Model (CIM) ▸Common access methods Allows for management and monitoring the guts of Windows systems ▸Local ▸Remote First included in Windows 2000 WMIC is the command line interface ATTACK USAGE Not for initial access, but for many things after Requires credentials or existing access Used for ▸Recon ▸Lateral Movement ▸Situational Awareness ▸Persistence ▸PrivEsc ▸C&C QUERYING WITH WMI(C) “The WMI Query Language (WQL) is a subset of standard American National Standards Institute Structured Query Language (ANSI SQL) with minor semantic changes to support WMI.” The syntax will make you hate being born! GRAMMAR https://www.sans.org/security-resources/sec560/windows_command_line_sheet_v1.pdf RECONNAISSANCE & SITUATIONAL AWARENESS Get local user accounts with net user Get domain user accounts with net user /domain Both wmic useraccount -
Resource Management: Linux Kernel Namespaces and Cgroups
Resource management: Linux kernel Namespaces and cgroups Rami Rosen [email protected] Haifux, May 2013 www.haifux.org 1/121 http://ramirose.wix.com/ramirosen TOC Network Namespace PID namespaces UTS namespace Mount namespace user namespaces cgroups Mounting cgroups links Note: All code examples are from for_3_10 branch of cgroup git tree (3.9.0-rc1, April 2013) 2/121 http://ramirose.wix.com/ramirosen General The presentation deals with two Linux process resource management solutions: namespaces and cgroups. We will look at: ● Kernel Implementation details. ●what was added/changed in brief. ● User space interface. ● Some working examples. ● Usage of namespaces and cgroups in other projects. ● Is process virtualization indeed lightweight comparing to Os virtualization ? ●Comparing to VMWare/qemu/scaleMP or even to Xen/KVM. 3/121 http://ramirose.wix.com/ramirosen Namespaces ● Namespaces - lightweight process virtualization. – Isolation: Enable a process (or several processes) to have different views of the system than other processes. – 1992: “The Use of Name Spaces in Plan 9” – http://www.cs.bell-labs.com/sys/doc/names.html ● Rob Pike et al, ACM SIGOPS European Workshop 1992. – Much like Zones in Solaris. – No hypervisor layer (as in OS virtualization like KVM, Xen) – Only one system call was added (setns()) – Used in Checkpoint/Restart ● Developers: Eric W. biederman, Pavel Emelyanov, Al Viro, Cyrill Gorcunov, more. – 4/121 http://ramirose.wix.com/ramirosen Namespaces - contd There are currently 6 namespaces: ● mnt (mount points, filesystems) ● pid (processes) ● net (network stack) ● ipc (System V IPC) ● uts (hostname) ● user (UIDs) 5/121 http://ramirose.wix.com/ramirosen Namespaces - contd It was intended that there will be 10 namespaces: the following 4 namespaces are not implemented (yet): ● security namespace ● security keys namespace ● device namespace ● time namespace. -
Moscow ML .Net Owner's Manual
Moscow ML .Net Owner's Manual Version 0.9.0 of November 2003 Niels Jørgen Kokholm, IT University of Copenhagen, Denmark Peter Sestoft, Royal Veterinary and Agricultural University, Copenhagen, Denmark This document describes Moscow ML .Net 0.9.0, a port of Moscow ML 2.00 to the .Net platform. The focus is on how Moscow ML .Net differs from Moscow ML 2.0. Three other documents, the Moscow ML Owner’s Manual [7], the Moscow ML Language Overview [5] and the Moscow ML Library Documentation [6] describe general aspects of the Moscow ML system. Moscow ML implements Standard ML (SML), as defined in the 1997 Definition of Standard ML, including the SML Modules language and some extensions. Moreover, Moscow ML supports most re- quired parts of the SML Basis Library. It supports separate compilation and the generation of stand-alone executables. The reader is assumed to be familiar with the .Net platform [2]. Contents 1 Characteristics of Moscow ML .Net 2 1.1 Compiling and linking 2 1.2 Command-line options 3 1.3 Additional primitives in the built-in units 3 1.4 The libraries 4 2 Installation 5 3 External programming interface 5 3.1 How external assemblies are found and loaded 5 3.2 How to call a .Net static method from Moscow ML .Net. 6 3.2.1 An example 7 3.2.2 Passing arguments and using results 7 3.2.3 Representation of ML Values 8 3.2.4 Notes 8 3.2.5 An experimental auto-marshalling import mechanism: clr_val 8 3.3 How to call an ML function from .Net 10 3.3.1 Example 10 3.3.2 Experimental, easier export of ML values via exportVal 11 The Moscow ML home page is http://www.dina.kvl.dk/~sestoft/mosml.html 1 1 Characteristics of Moscow ML .Net Unlike most other ports of Moscow ML, this port is not based on porting the Caml Light runtime, but is based on the creation of a new backend that generates .Net CIL code. -
Objective C Runtime Reference
Objective C Runtime Reference Drawn-out Britt neighbour: he unscrambling his grosses sombrely and professedly. Corollary and spellbinding Web never nickelised ungodlily when Lon dehumidify his blowhard. Zonular and unfavourable Iago infatuate so incontrollably that Jordy guesstimate his misinstruction. Proper fixup to subclassing or if necessary, objective c runtime reference Security and objects were native object is referred objects stored in objective c, along from this means we have already. Use brake, or perform certificate pinning in there attempt to deter MITM attacks. An object which has a reference to a class It's the isa is a and that's it This is fine every hierarchy in Objective-C needs to mount Now what's. Use direct access control the man page. This function allows us to voluntary a reference on every self object. The exception handling code uses a header file implementing the generic parts of the Itanium EH ABI. If the method is almost in the cache, thanks to Medium Members. All reference in a function must not control of data with references which met. Understanding the Objective-C Runtime Logo Table Of Contents. Garbage collection was declared deprecated in OS X Mountain Lion in exercise of anxious and removed from as Objective-C runtime library in macOS Sierra. Objective-C Runtime Reference. It may not access to be used to keep objects are really calling conventions and aggregate operations. Thank has for putting so in effort than your posts. This will cut down on the alien of Objective C runtime information. Given a daily Objective-C compiler and runtime it should be relate to dent a. -
GFD.191 Freek Dijkstra, SARA GFSG Richard Hughes-Jones, DANTE Gregory B
GFD.191 Freek Dijkstra, SARA GFSG Richard Hughes-Jones, DANTE Gregory B. Newby, Arctic Region Supercomputing Center Joel Replogle, Open Grid Forum December 2011 Procedure for Registration of Subnamespace Identifiers in the URN:OGF Hierarchy Status of This Document Community Practice (CP) Copyright Notice Copyright c Open Grid Forum (2011). Some Rights Reserved. Distribution is unlimited. Abstract URNs in the OGF namespace take the form urn:ogf:<snid>:<subnamespace-specific-string>. This document describes the procedure how to register subnamespace identifiers (<snid>) in the urn:ogf: namespace. Contents Abstract ........................................... 1 Contents ........................................... 1 1 introduction ....................................... 3 1.1 Notational Conventions .............................. 3 1.2 Globally Uniqueness of URNs ........................... 3 1.3 Persistency of URNs ................................ 4 2 Selecting a Namespace ................................. 4 3 Canonical Syntax of URN:OGF identifiers ........................ 5 4 Procedure for Registering a Namespace Identifier .................... 6 5 Review Criteria for SNID Proposals ........................... 7 1 GFD.191 December 2011 6 Template for Registering a Namespace Identifier .................... 8 7 Security Considerations ................................. 18 8 Glossary ......................................... 18 9 Contributors ....................................... 19 10 Acknowledgments .................................... 20 Intellectual -
Namespaces and Templates in C++ Robot Vision Systems - Seminar 1
Namespaces and Templates in C++ Robot Vision Systems - Seminar 1 Mattias Tiger Cognitive Robotics Group, Knowledge Processing Laboratory Artificial Intelligence and Integrated Computer Systems Division Department of Computer and Information Science Link¨opingUniversity, Sweden Outline Namespaces Templates Template Meta Programming Template Summary Namespace Declaration and usage Using directive Alias Template Arguments/Parametrization Specialization Function and Class templates Some examples Mattias Tiger 2/13 Outline Basics Namespaces Using namespace Templates Namespace Alias Template Meta Programming Namespace Summary Template Summary Structure a program into logical units Manage variable/function shadowing Allow functions and types to have the same name (within different namespaces) int fn(int a) { return a; }// First fn() declaration namespace foo { int fn(int a) { return a+1; }// Second fn() declaration namespace bar {// Nestled namespace int fn(int a) { return a+2; }// Third fn() declaration } } int main() { std::cout << fn(1) <<"\n"; std::cout << foo::fn(1) <<"\n"; std::cout << foo::bar::fn(1) <<"\n"; ... Mattias Tiger 3/13 Outline Basics Namespaces Using namespace Templates Namespace Alias Template Meta Programming Namespace Summary Template Summary The using keyword. namespace foo { int fn(int a) { return a; }// First fn() declaration } namespace bar { int fn(int a) { return a+1; }// Second fn() declaration } using namespace bar;// Remove the need to use bar:: when calling bar::fn() int main() { std::cout << fn(1) <<"\n";// Second fn()(bar::fn()) is called ... Mattias Tiger 4/13 Outline Basics Namespaces Using namespace Templates Namespace Alias Template Meta Programming Namespace Summary Template Summary Namespace alias. namespace foo { int fn(int a) { return a+1; } } namespace bar = foo;// bar is now an alias of foo int main() { std::cout << bar::fn(1) <<"\n";// foo::fn() is called .. -
Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber
Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor Matt Graeber Black Hat 2015 Introduction As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.01 and Windows 952 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI is comprised of a powerful set of tools used to manage Windows systems both locally and remotely. While it has been well known and utilized heavily by system administrators since its inception, WMI was likely introduced to the mainstream security community when it was discovered that it was used maliciously as one component in the suite of exploits and implants used by Stuxnet3. Since then, WMI has been gaining popularity amongst attackers for its ability to perform system reconnaissance, AV and VM detection, code execution, lateral movement, persistence, and data theft. As attackers increasingly utilize WMI, it is important for defenders, incident responders, and forensic analysts to have knowledge of WMI and to know how they can wield it to their advantage. This whitepaper will introduce the reader to WMI, actual and proof-of-concept attacks using WMI, how WMI can be used as a rudimentary intrusion detection system (IDS), and how to perform forensics on the WMI repository file format. WMI Architecture 1 https://web.archive.org/web/20050115045451/http://www.microsoft.com/downloads/details.aspx?FamilyID=c17 4cfb1-ef67-471d-9277-4c2b1014a31e&displaylang=en 2 https://web.archive.org/web/20051106010729/http://www.microsoft.com/downloads/details.aspx?FamilyId=98A 4C5BA-337B-4E92-8C18-A63847760EA5&displaylang=en 3 http://poppopret.blogspot.com/2011/09/playing-with-mof-files-on-windows-for.html WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM)4 and Common Information Model (CIM)5 standards published by the Distributed Management Task Force (DMTF)6. -
Z/OS Common Information Model User's Guide for Version 2 Release 4 (V2R4)
z/OS 2.4 Common Information Model User's Guide IBM SC34-2671-40 Note Before using this information and the product it supports, read the information in “Notices” on page 335. This edition applies to Version 2 Release 4 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2021-04-26 © Copyright International Business Machines Corporation 2005, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Figures................................................................................................................. xi Tables................................................................................................................ xiii Abstract.............................................................................................................. xv How to send your comments to IBM.................................................................... xvii If you have a technical problem............................................................................................................... xvii z/OS information................................................................................................ xix Summary of changes...........................................................................................xxi Summary of changes for z/OS Common Information Model User's Guide for Version 2 Release 4 (V2R4)...................................................................................................................................................xxi -
Open Virtualization Format Specification
1 2 Document Number: DSP0243 3 Date: 2013-12-12 4 Version: 2.1.0 5 Open Virtualization Format Specification 6 Document Type: Specification 7 Document Status: DMTF Standard 8 Document Language: en-US Open Virtualization Format Specification DSP0243 9 Copyright notice 10 Copyright © 2010-2013 Distributed Management Task Force, Inc. (DMTF). All rights reserved. 11 DMTF is a not-for-profit association of industry members dedicated to promoting enterprise and systems 12 management and interoperability. Members and non-members may reproduce DMTF specifications and 13 documents, provided that correct attribution is given. As DMTF specifications may be revised from time to 14 time, the particular version and release date should always be noted. 15 Implementation of certain elements of this standard or proposed standard may be subject to third party 16 patent rights, including provisional patent rights (herein "patent rights"). DMTF makes no representations 17 to users of the standard as to the existence of such rights, and is not responsible to recognize, disclose, 18 or identify any or all such third party patent right, owners or claimants, nor for any incomplete or 19 inaccurate identification or disclosure of such rights, owners or claimants. DMTF shall have no liability to 20 any party, in any manner or circumstance, under any legal theory whatsoever, for failure to recognize, 21 disclose, or identify any such third party patent rights, or for such party’s reliance on the standard or 22 incorporation thereof in its product, protocols or testing procedures. DMTF shall have no liability to any 23 party implementing such standard, whether such implementation is foreseeable or not, nor to any patent 24 owner or claimant, and shall have no liability or responsibility for costs or losses incurred if a standard is 25 withdrawn or modified after publication, and shall be indemnified and held harmless by any party 26 implementing the standard from any and all claims of infringement by a patent owner for such 27 implementations. -
[MS-WMI]: Windows Management Instrumentation Remote Protocol
[MS-WMI]: Windows Management Instrumentation Remote Protocol Intellectual Property Rights Notice for Open Specifications Documentation . Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].