
I am trying to improve our exposure score on Microsoft Defender and noted that "Block persistence through WMI event subscription" has a remediation which I've already applied for almost a month now.

Remediation:

  • Ensure that Microsoft Defender Antivirus is turned on as the primary antivirus solution, with Real-Time Protection enabled. (checked and applied, given the 0 exposed devices and 0 impact)

    [image: Defender on]

  • Enable this ASR rule in Block mode using Group Policy (done)

    [image: ASR enabled]

However, despite the attack surface reduction rule blocking persistence through WMI event subscriptions, as reported on MEM (Endpoint Manager/Intune),

[image: ASR results]

it just doesn't seem to be really syncing with the remediation on Microsoft Defender. The impact appears to have remained the same, and even my PC, despite the latest updates, appears to still be reflected as an exposed device.

[image: impact]

Cataster
  • If you try to launch an app using a WMI event, is it blocked? – Greg Askew Aug 26 '22 at 09:24
  • @GregAskew Trying to find some examples I could launch, but I'm not familiar with it too much. I tried returning CPU information in cmd, and I did get the CPU information results, but I guess that's not really what I should be doing since that's not invoking anything, right? – Cataster Aug 26 '22 at 13:26
  • Some examples here: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf – Greg Askew Aug 26 '22 at 16:32
  • @GregAskew woah! "Abusing Windows Management Instrumentation (WMI)" love the title haha – Cataster Aug 26 '22 at 17:21
  • @GregAskew so from that paper, would this be an example to try out? "Persistence – Covert Data Storage: The following example demonstrates storing a string as a property value of a static WMI class": `$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null, $null); $StaticClass.Name = 'Win32_EvilClass'; $StaticClass.Put(); $StaticClass.Properties.Add('EvilProperty', "This is not the malware you're looking for"); $StaticClass.Put()` – Cataster Aug 26 '22 at 19:45
  • This example is a bit easier to follow. It creates a file on a USB thumb drive when it is inserted. https://web.archive.org/web/20210305203515/http://www.exploit-monday.com/2016/08/wmi-persistence-using-wmic.html – Greg Askew Aug 26 '22 at 19:59
  • @GregAskew I don't have a USB drive, but I don't think the org allows it either :( – Cataster Aug 26 '22 at 20:22
  • Those are just examples. An event can be anything, it doesn't have to be a drive removal. The point is, if you can create these events/consumers, and view them using WMIC, the GPO setting may not be applied. Which I don't believe you have confirmed by using gpresult. – Greg Askew Aug 26 '22 at 20:47
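The last comment suggests verifying the rule from the endpoint itself rather than trusting the portal: check what policy the device actually has, list the permanent WMI event subscriptions that exist, and look for the Defender events the rule writes when it fires. The script below is an added example written for this page, not code from the question, the comments, or Microsoft; it assumes an elevated PowerShell session on the endpoint, and the rule GUID in it is the one Microsoft's ASR rule reference lists for "Block persistence through WMI event subscription" and should be confirmed against that reference before relying on it.

```powershell
# Added example: defender-side verification of the "Block persistence through WMI
# event subscription" ASR rule. Run elevated on the endpoint being checked.
# Assumption: this GUID matches Microsoft's ASR rule reference for that rule.
$WmiPersistenceRuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

# 1. What does the local Defender configuration say about the rule?
#    Ids and Actions are parallel arrays; action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -and ($ids[$i] -ieq $RuleId)) {
            switch ([int]$acts[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($acts[$i]))" }
            }
        }
    }
    return 'NotConfigured'   # the GPO never reached this device, or it was overridden
}

# 2. Which permanent subscriptions exist right now? A binding ties an __EventFilter
#    (WQL trigger) to an __EventConsumer (the action). Windows ships one legitimate
#    pair, "SCM Event Log Filter"/"SCM Event Log Consumer"; anything else needs an owner.
function Get-WmiPermanentSubscription {
    $ns = 'root/subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        # Reference properties carry the key (Name) of the filter and consumer they point at.
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                    Where-Object Name -eq $_.Filter.Name
        $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                    Where-Object Name -eq $_.Consumer.Name
        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query
            ConsumerType = $consumer.CimClass.CimClassName
            Consumer     = $consumer.Name
            # CommandLineEventConsumer and ActiveScriptEventConsumer are the ones that run code.
            Payload      = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                           elseif ($consumer.ScriptText)      { $consumer.ScriptText }
                           else                               { '' }
        }
    }
}

# 3. Has the rule fired? Defender logs 1121 (blocked) or 1122 (audited) per ASR event;
#    WMI-Activity logs 5861 whenever a permanent subscription is created.
function Get-WmiPersistenceEvents {
    param([string]$RuleId = $WmiPersistenceRuleId, [int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $asr = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, @{n='Source';e={'DefenderASR'}},
                      @{n='Detail';e={ if ($_.Id -eq 1121) {'Blocked'} else {'Audited'} }}
    $wmi = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{n='Source';e={'WMI-Activity'}}, @{n='Detail';e={$_.Message}}
    @($asr) + @($wmi) | Sort-Object TimeCreated
}

"ASR rule $WmiPersistenceRuleId state on $env:COMPUTERNAME : $(Get-AsrRuleState -RuleId $WmiPersistenceRuleId)"
"--- Permanent WMI event subscriptions ---"
Get-WmiPermanentSubscription | Format-List
"--- Related events, last 30 days ---"
Get-WmiPersistenceEvents | Format-Table -AutoSize -Wrap
```

If `Get-AsrRuleState` returns `NotConfigured` or `Audit` while Intune shows the rule in Block mode, the policy is not reaching the device, which is exactly what `gpresult /scope computer /r` (run elevated) will show under the applied computer GPOs. If the state is `Block` but the exposure score still lists the device, the discrepancy is on the reporting side rather than on the endpoint; the 1121 events and the subscription list are the evidence to attach when raising that with Microsoft.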

0 Answers