This blog post from CrowdStrike provides some good information on the persistence mechanisms used by the WannaMine cryptomining worm. According to the post, WannaMine relies on "living off the land" techniques, including Windows Management Instrumentation (WMI) permanent event subscriptions, for persistence. It is really interesting how quickly crypto-mining malware adapts its TTPs and picks up techniques that until recently were mostly seen from APT groups.
According to Matthew Dunwoody:
WMI persistence is so rarely legitimately used that once you get visibility into it, the evil is obvious. You can identify new persistence in the WMI/Operational logs on newer Windows or in Sysmon.
— Matthew Dunwoody (@matthewdunwoody) January 25, 2018
The challenge here is that most organisations are not ready for this because they currently lack the necessary visibility. They can get it from newer Windows versions (the WMI-Activity/Operational log), Sysmon (6.10 onwards, which added the WMI event IDs 19, 20 and 21 for filters, consumers and bindings), scripting (e.g. enumerating the root\subscription namespace over PowerShell Remoting) and some EDR products. It is also expected that this persistence technique will be widely adopted during 2018.
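As an added example of the scripting route (this is not code from the original post or from CrowdStrike), the following PowerShell enumerates the permanent WMI subscriptions in root\subscription, joining each __FilterToConsumerBinding back to its filter query and consumer payload, and then pulls the Sysmon (19/20/21) and WMI-Activity (5861) events that record subscription creation, either locally or over PowerShell Remoting. The parameter names, the output fields and the seven-day window are this example's own choices.

```powershell
# Added example, not code from the original post or from CrowdStrike.
# Lists permanent WMI event subscriptions (filter -> consumer bindings) and the
# log events that record their creation, locally or via PowerShell Remoting.
# Requires administrative rights on the target hosts.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # hosts to check (example's own parameter)
    [int]$Days = 7                                    # how far back to look in the event logs
)

$Collector = {
    param([int]$Days)

    $ns = 'root\subscription'

    # Reference properties come back as a string ('__EventFilter.Name="x"') from the
    # WMI cmdlets and as a CimInstance from the CIM cmdlets; handle both shapes.
    function Resolve-RefName($ref) {
        if ($ref -is [string]) { return ($ref -split '"')[1] }
        return $ref.Name
    }

    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # A binding is what makes a subscription fire, so report one row per binding.
    foreach ($b in $bindings) {
        $fName = Resolve-RefName $b.Filter
        $cName = Resolve-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # The interesting part of a consumer is what it runs when the filter matches.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            default                     { $null }
        }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Kind          = 'Subscription'
            Filter        = $fName
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Consumer      = $cName
            Payload       = $payload
        }
    }

    # Creation events. Sysmon 6.10+: 19 = WmiEventFilter, 20 = WmiEventConsumer,
    # 21 = WmiEventConsumerToFilter. Windows 10 / Server 2016+: event 5861 in the
    # WMI-Activity/Operational log records a new permanent subscription without Sysmon.
    $since = (Get-Date).AddDays(-$Days)
    $logs = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational';       Id = 19, 20, 21; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861;       StartTime = $since }
    )
    foreach ($filter in $logs) {
        # SilentlyContinue: the Sysmon log does not exist where Sysmon is not installed.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Kind     = "Event $($_.Id)"
                Time     = $_.TimeCreated
                Log      = $_.LogName
                Message  = $_.Message
            }
        }
    }
}

$results = foreach ($computer in $ComputerName) {
    if ($computer -eq $env:COMPUTERNAME) {
        & $Collector -Days $Days
    } else {
        Invoke-Command -ComputerName $computer -ScriptBlock $Collector -ArgumentList $Days
    }
}

# On a clean Windows host the only binding is normally Microsoft's own
# 'SCM Event Log Filter' -> 'SCM Event Log Consumer' (NTEventLogEventConsumer).
# Anything else, and any CommandLine/ActiveScript consumer, deserves a closer look.
$results | Where-Object Kind -eq 'Subscription' | Format-List
$results | Where-Object Kind -like 'Event *' | Format-Table Computer, Kind, Time, Log, Message -Wrap
```

Run it as `.\Get-WmiPersistence.ps1 -ComputerName host1,host2 -Days 30` (assumed file name) from a host with WinRM access; the subscription listing gives the current state, while the event rows tell you when each piece was created and, in the Sysmon events, which process created it. Hosts without Sysmon or older than Windows 10/Server 2016 will only return the subscription listing, which is still enough to spot a CommandLineEventConsumer or ActiveScriptEventConsumer that should not be there.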
- Sysmon 6.10 Tracking of Permanent WMI Events
- Sysmon v6.10 vs WMI Persistence
- Homeland Security on WMI for Detection and Response
- Microsoft article on exposing fileless malware
- Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asynchronous, and Fileless Backdoor
- CrowdStrike article for WannaMine
Happy WMI event consuming hunters ;)