Aug 30, 2016 – ICS-CERT has announced that the National Cybersecurity & Communications Integration Center (NCCIC) has released a new whitepaper detailing how Windows Management Instrumentation (WMI) can be used by attackers for system reconnaissance, antivirus and virtual machine (VM) detection, code execution, lateral movement, persistence, and data theft, and how such incidents can be prevented. WMI is a powerful set of tools for managing Windows systems both locally and remotely. While it has been well known and used heavily by system administrators since its inception, WMI has been gaining popularity among attackers as well. The paper presents an introduction to WMI, actual and proof-of-concept attacks using WMI, how WMI can be used as a rudimentary intrusion detection system (IDS), how to defend against adversarial use of WMI, and how to perform forensics on the WMI repository file format.
The Whitepaper can be accessed here
While these techniques apply to every system running Windows, they are especially important for Industrial Control Systems owners, control system engineers, automation engineers, and IT professionals who work with these systems, since many ICS hosts run Windows and, for various reasons, are not regularly patched or upgraded.
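As an added illustration (not code from the whitepaper or from ICS-CERT), the PowerShell below audits the permanent WMI event subscriptions that the persistence technique mentioned above relies on, and then uses WMI's own intrinsic events in the rudimentary-IDS role the paper describes, alerting when a new filter-to-consumer binding is created. It assumes Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7) run with administrative rights; the "suspicious" rule (flag any consumer class that executes commands or script) and the source identifier are illustrative choices, not the paper's.

```powershell
# Added example, not taken from the NCCIC whitepaper or from ICS-CERT.
# 1) Audit permanent WMI event subscriptions (filter + consumer + binding),
#    the building blocks of WMI persistence.
# 2) Register a temporary watcher that fires when a new binding appears,
#    i.e. WMI used as a rudimentary IDS for itself.
# Assumes Windows PowerShell 5.1 run as Administrator.

$Namespace = 'root\subscription'

# Consumer classes that run arbitrary commands or script. These are the ones an
# attacker needs; log, SMTP and event-log consumers are of little use for persistence.
# Illustrative rule, not an exhaustive allow/deny list.
$ExecConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

function Get-NameFromPath {
    # A binding stores its filter and consumer as WMI object paths such as
    # __EventFilter.Name="BotFilter82"; extract the Name key.
    param([string]$Path)
    if ($Path -match 'Name="([^"]+)"') { return $Matches[1] }
    return $Path
}

function Get-WmiPersistence {
    $filters   = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter)
    # Querying the base class returns every derived consumer instance as well.
    $consumers = @(Get-WmiObject -Namespace $Namespace -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-NameFromPath $b.Filter
        $cName = Get-NameFromPath $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

        # What the consumer will actually execute when the filter's WQL query matches.
        $payload = switch ($c.__CLASS) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter        = $fName
            Query         = $f.Query          # the WQL trigger condition
            Consumer      = $cName
            ConsumerClass = $c.__CLASS
            Payload       = $payload
            Suspicious    = ($ExecConsumers -contains $c.__CLASS)
        }
    }
}

# One-time audit: list every binding, suspicious ones first.
Get-WmiPersistence | Sort-Object Suspicious -Descending | Format-List

# Live watch: an intrinsic __InstanceCreationEvent on the binding class catches
# the final step of the persistence technique however the pieces were installed.
# WITHIN 5 makes WMI poll for new instances every 5 seconds.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
         "WHERE TargetInstance ISA '__FilterToConsumerBinding'"

Register-WmiEvent -Namespace $Namespace -Query $query `
                  -SourceIdentifier 'WmiBindingWatch' -Action {
    $new = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Write-Host is used because output of an -Action block is otherwise held in the job.
    Write-Host ("[ALERT] New WMI subscription binding: filter={0} consumer={1}" -f `
                $new.Filter, $new.Consumer) -ForegroundColor Red
} | Out-Null

# Stop watching with: Unregister-Event -SourceIdentifier 'WmiBindingWatch'
```

Run the audit first on a known-good image and record what it reports, since some Windows builds ship with a benign NTEventLogEventConsumer pair; later runs are then compared against that baseline rather than judged in isolation. The watcher registered here lives only for the current session, so on an unattended ICS host it would be installed as a permanent subscription of its own and its alerts forwarded to a central log.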