WMI Persistence Goes Mainstream

This blog post from CrowdStrike provides some good information related to the persistence mechanisms used by WannaMine cryptomining worm. According to the post, WannaMine employs “living off the land” techniques such as Windows Management Instrumentation (WMI) permanent event subscriptions as a persistence mechanism. It is really interesting that crypto mining malware adapt so quickly their TTPs and use techniques that are mostly used by APT groups.

According to Matthew Dunwoody:

The challenge here is that most organisations are not ready for this due to their current lack of visibility. They can get visibility via newer Windows, Sysmon (6.10 onwards), scripting (e.g. PowerShell Remoting) and some EDR products. It is also expected that this persistence technique will be  widely adapted within 2018.

  1. Sysmon 6.10 Tracking of Permanent WMI Events
  2. Sysmon v6.10 vs WMI Persistence
  3. Homeland Security on WMI for Detection and Response
  4. Microsoft article on exposing fileless malware
  5. Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor
  6. CrowdStrike article for WannaMine

Happy WMI event consuming hunters ;)


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.