Living Off the Land: Spotting Malicious PowerShell and WMI in the Noise
In a modern Cyber Defense Center (CDC), chasing generic malware signatures is Tier 1 work. To operate at a Tier 2 level, you must identify adversaries who blend into administrative noise using Living Off the Land Binaries (LOLBins) like PowerShell (T1059.001) and WMI (T1047).
When an attacker uses native tools, they aren't just bypassing signatures—they are hijacking the trust the OS has in its own management frameworks. Here is how to isolate that malicious execution from your administrative baseline.
1. PowerShell: Hunting the Script Block and AMSI Evasions
If your detections rely on standard process creation monitoring alone, you are fighting a losing battle. Attackers use unmanaged runspaces, Base64 encoding, and backtick obfuscation to hide their intent.
The PowerShell Logging Triad
For deep visibility, your environment must ingest the following from the Microsoft-Windows-PowerShell/Operational log:
- EID 4104 (Script Block Logging): Captures the de-obfuscated script code right before execution. Even if the command line was a 5,000-character Base64 string, EID 4104 logs the plain text.
- EID 4103 (Module Logging): Records the execution of specific cmdlets and variable initializations.
- EID 400 (Engine Lifecycle): Essential for identifying Downgrade Attacks (where an attacker forces PowerShell v2.0 to bypass AMSI and modern logging).
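The two things this triad is supposed to give you, plain text behind an encoded command line and the engine version behind a downgrade, can be checked mechanically. The following is an added example written for this article, not code from the original post: it decodes the UTF-16LE Base64 that -EncodedCommand carries and reads EngineVersion and HostApplication out of the Details section of an EID 400 message (the "Engine state is changed" event). The events are constructed, the field names mirror what the Windows event carries, and the "anything below 5.x is a downgrade" threshold is my assumption.

```python
import base64
import re

# Constructed sample events (not real telemetry) shaped like the fields a SIEM
# keeps for the PowerShell event IDs above. The EID 400 body mirrors the
# "Engine state is changed" message, whose Details section carries
# EngineVersion and HostApplication.
ENCODED = base64.b64encode("Get-Process".encode("utf-16le")).decode()

def _eid400(host_application, engine_version):
    return {"EventID": 400, "Message": "\n".join([
        "Engine state is changed from None to Available.",
        "Details:",
        "\tHostName=ConsoleHost",
        "\tHostVersion=5.1.19041.1",
        "\tHostApplication=" + host_application,
        "\tEngineVersion=" + engine_version,
    ])}

SAMPLE_EVENTS = [
    # Constructed: a legacy admin script forced onto the v2 engine.
    _eid400("powershell.exe -Version 2.0 -File C:\\legacy\\inventory.ps1", "2.0"),
    # Constructed: a normal engine, but the command line is Base64.
    _eid400("powershell.exe -NoProfile -EncodedCommand " + ENCODED, "5.1.19041.1"),
]

# Assumption: any engine older than 5.x counts as a downgrade, since the
# article's concern is v2.0 and script block logging needs PowerShell 5+.
MIN_ENGINE_MAJOR = 5

# -e / -ec / -en / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the plain-text script behind -EncodedCommand, or None if absent.

    PowerShell expects the Base64 payload to be UTF-16LE; decoding it here
    shows what EID 4104 would log anyway, without relying on the command line.
    """
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_engine_details(message):
    """Pull EngineVersion and HostApplication out of an EID 400 message body."""
    details = {}
    for key in ("EngineVersion", "HostApplication"):
        m = re.search(rf"^\s*{key}=(.*)$", message, re.MULTILINE)
        if m:
            details[key] = m.group(1).strip()
    return details


def is_downgrade(event):
    """True when an EID 400 reports an engine older than MIN_ENGINE_MAJOR."""
    if event.get("EventID") != 400:
        return False
    version = parse_engine_details(event["Message"]).get("EngineVersion", "")
    major = version.split(".")[0]
    return major.isdigit() and int(major) < MIN_ENGINE_MAJOR


def triage(events):
    """Return one finding per EID 400 condition worth a second look."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 400:
            continue
        details = parse_engine_details(ev["Message"])
        host_app = details.get("HostApplication", "")
        if is_downgrade(ev):
            findings.append({"reason": "engine_downgrade",
                             "engine": details.get("EngineVersion"),
                             "host_application": host_app})
        decoded = decode_encoded_command(host_app)
        if decoded is not None:
            findings.append({"reason": "encoded_command",
                             "decoded": decoded,
                             "host_application": host_app})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The downgrade check keys on EngineVersion rather than on the host's version string, because the host (powershell.exe 5.1) stays the same while the engine underneath it is what changes; that is exactly why process creation telemetry alone misses it.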
Catching the "Invisible" Bypasses
A. In-Memory AMSI Patching
Advanced payloads often patch amsi.dll in memory. By overwriting the AmsiScanBuffer function (often with a simple ret instruction), they force the scanner to return AMSI_RESULT_CLEAN for every subsequent command.
- The Hunt: Look in EID 4104 for C# reflection used to find memory addresses. Key strings to hunt: [Runtime.InteropServices.Marshal]::Copy, GetProcAddress, amsiInitFailed, or .GetField('amsiContext', 'NonPublic, Static').
B. Reflection-Based Obfuscation
Attackers frequently use the [Ref].Assembly.GetType() method to call hidden functions.
- The Hunt: Query for scripts using [Ref].Assembly in combination with character replacement or string reversal, often a sign of automated obfuscation tools like Invoke-Obfuscation.
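Both hunts above (A, the AMSI patching strings, and B, [Ref].Assembly paired with replacement or reversal) reduce to a scan over the ScriptBlockText field of EID 4104. The following is an added example for this article, not the author's code: it runs the indicator strings listed above over constructed script blocks. The indicator list is taken from the text; the regexes standing in for "character replacement or string reversal" are my assumption about how those idioms usually appear, and the two "suspicious" samples contain only the indicator strings, not working payloads.

```python
import re

# Indicator strings from Hunt A. Matching is case-insensitive because
# PowerShell itself is.
AMSI_PATCH_INDICATORS = [
    "[Runtime.InteropServices.Marshal]::Copy",
    "GetProcAddress",
    "amsiInitFailed",
    ".GetField('amsiContext', 'NonPublic, Static')",
]

# Hunt B: the reflection anchor plus at least one obfuscation idiom.
REFLECTION_ANCHOR = "[Ref].Assembly"
# Assumption: my shorthand for "character replacement or string reversal"
# as it tends to appear in generated PowerShell.
OBFUSCATION_IDIOMS = {
    "replace": re.compile(r"-c?replace\b", re.IGNORECASE),
    "reverse": re.compile(r"\[array\]::Reverse|\[-1\.\.", re.IGNORECASE),
    "char_join": re.compile(r"\[char\]\s*\d+", re.IGNORECASE),
}

# Constructed EID 4104 records; ScriptBlockText is the field the event carries.
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "ScriptBlockText":
        "Get-Service | Where-Object { $_.Status -eq 'Running' } | "
        "Export-Csv C:\\reports\\svc.csv"},
    {"ScriptBlockId": "b2", "ScriptBlockText":
        "# constructed fragment carrying Hunt A strings only\n"
        "$h = 'GetProcAddress'\n"
        "[Runtime.InteropServices.Marshal]::Copy($src, 0, $dst, $len)"},
    {"ScriptBlockId": "b3", "ScriptBlockText":
        "$t = [Ref].Assembly.GetType(('CONSTRUCTED_TYPE_NAME' -replace 'X','Y'))"},
    {"ScriptBlockId": "b4", "ScriptBlockText":
        "$t = [Ref].Assembly.GetType('System.Management.Automation.PSObject')"},
]


def scan_script_block(text):
    """Return indicator tags for one ScriptBlockText value (empty list = clean)."""
    tags = []
    lowered = text.lower()
    for indicator in AMSI_PATCH_INDICATORS:
        if indicator.lower() in lowered:
            tags.append("amsi_patch:" + indicator)
    if REFLECTION_ANCHOR.lower() in lowered:
        idioms = [name for name, rx in OBFUSCATION_IDIOMS.items() if rx.search(text)]
        if idioms:
            # Anchor plus idiom is the Hunt B pattern.
            tags.append("obfuscated_reflection:" + ",".join(idioms))
        else:
            # Anchor alone is common in legitimate tooling; keep it informational.
            tags.append("info:ref_assembly_only")
    return tags


def hunt(events):
    """Map ScriptBlockId -> tags for every script block that tripped a hunt."""
    hits = {}
    for ev in events:
        tags = scan_script_block(ev["ScriptBlockText"])
        if tags:
            hits[ev["ScriptBlockId"]] = tags
    return hits


if __name__ == "__main__":
    for block_id, tags in hunt(SAMPLE_4104).items():
        print(block_id, tags)
```

Note the split in Hunt B: [Ref].Assembly on its own is downgraded to an informational tag, because plenty of legitimate modules reflect into the automation assembly; it is the co-occurrence with a replacement or reversal idiom that the hunt is after.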
2. WMI: The Silent Lateral Movement & Persistence Engine
Windows Management Instrumentation (WMI) is the "skeleton key" of the OS. Operations flow through wmiprvse.exe (WMI Provider Host), making them difficult to attribute to a specific user session.
Lateral Movement via wmiprvse.exe (T1047)
When an attacker uses wmic or Invoke-WmiMethod remotely, the execution happens under the WMI provider host on the target machine.
- The Hunt: Monitor process lineage. In a healthy environment, wmiprvse.exe rarely spawns interactive shells. Flag any instance where wmiprvse.exe is the Parent Process for:
  - cmd.exe or powershell.exe
  - certutil.exe (frequently used to download payloads)
  - rundll32.exe, regsvr32.exe, or msbuild.exe (Proxy execution)
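The lineage hunt above, as an added example written for this article (not the author's code): it walks constructed Sysmon EID 1 style records, flags the listed children whenever the parent image is wmiprvse.exe, and carries a small baseline so a known monitoring agent can be tuned out rather than suppressed. The field names follow Sysmon's; the ExampleAgent path in the baseline is a constructed placeholder, not a real product.

```python
import ntpath

# Children the article calls out when wmiprvse.exe is the parent, with the
# reason each matters. Compared case-insensitively on the basename only.
WMI_SUSPECT_CHILDREN = {
    "cmd.exe": "interactive shell",
    "powershell.exe": "interactive shell",
    "certutil.exe": "frequently used to download payloads",
    "rundll32.exe": "proxy execution",
    "regsvr32.exe": "proxy execution",
    "msbuild.exe": "proxy execution",
}

# Known-good (child, command-line prefix) pairs. Start empty; the tuning step
# is where entries like a monitoring agent's health check get added.
# The entry below is a constructed example, not a recommendation.
BASELINE = [
    ("powershell.exe",
     "powershell.exe -NoProfile -File C:\\Program Files\\ExampleAgent\\healthcheck.ps1"),
]

# Constructed Sysmon EID 1 style records (field names as Sysmon uses them).
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "FS01", "User": "NT AUTHORITY\\NETWORK SERVICE",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c CONSTRUCTED_COMMAND"},
    {"Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Program Files\\ExampleAgent\\healthcheck.ps1"},
    {"Computer": "WS07", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"Computer": "FS01", "User": "CORP\\svc-deploy",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "CommandLine": "MSBuild.exe CONSTRUCTED_PROJECT_PATH"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def in_baseline(child, command_line):
    """True if this child/command-line pair is an accepted part of the baseline."""
    return any(child == c and command_line.startswith(prefix) for c, prefix in BASELINE)


def check_lineage(event):
    """Return a finding if wmiprvse.exe spawned a suspect child, else None."""
    if basename(event["ParentImage"]) != "wmiprvse.exe":
        return None
    child = basename(event["Image"])
    reason = WMI_SUSPECT_CHILDREN.get(child)
    if reason is None:
        return None
    return {
        "host": event["Computer"],
        "user": event["User"],
        "child": child,
        "reason": reason,
        "command_line": event["CommandLine"],
        "baselined": in_baseline(child, event["CommandLine"]),
    }


def hunt_wmi_lineage(events, include_baselined=False):
    """Findings across a batch; baselined hits are dropped unless asked for."""
    findings = []
    for ev in events:
        finding = check_lineage(ev)
        if finding and (include_baselined or not finding["baselined"]):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt_wmi_lineage(SAMPLE_PROCESS_EVENTS):
        print(finding)
```

Keeping the baselined hits retrievable (include_baselined=True) matters for tuning: you want to be able to re-check what the baseline is hiding, and a prefix match on the full command line is far safer than baselining powershell.exe under wmiprvse.exe outright.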
WMI Event Subscription Persistence (T1546.003)
This is the holy grail of stealth persistence. It allows an attacker to execute code filelessly whenever a specific condition is met. You must look at the "WMI Trinity":
- __EventFilter: The trigger (WQL query).
- CommandLineEventConsumer: The action (the malicious payload).
- __FilterToConsumerBinding: The link between the two.
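The three classes above only mean something once they are joined, because a binding points at its filter and consumer by object path. The following is an added example for this article, not the author's code: it resolves constructed root\subscription instances (shaped like what Get-WmiObject returns, or what Sysmon EIDs 19, 20 and 21 log) into complete trios and reports the ones that execute code and are not in a baseline. The first trio is Windows' own default SCM Event Log subscription, which is why the baseline names it; the second trio, its WQL and its payload path are constructed. Treating ActiveScriptEventConsumer as code-executing alongside CommandLineEventConsumer is my addition.

```python
import re

# Constructed root\subscription instances. Filter and consumer names, the
# query and the CommandLineTemplate are what the WMI classes actually expose.
FILTERS = [
    {"Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "CONSTRUCTED_UPTIME_FILTER", "EventNamespace": "root\\cimv2",
     "Query": ("SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
               "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240")},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "CommandLineEventConsumer", "Name": "CONSTRUCTED_CONSUMER",
     "CommandLineTemplate": "C:\\Users\\Public\\CONSTRUCTED_PAYLOAD_PLACEHOLDER.exe"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="CONSTRUCTED_UPTIME_FILTER"',
     "Consumer": 'CommandLineEventConsumer.Name="CONSTRUCTED_CONSUMER"'},
]

# Consumer classes that run arbitrary code when the filter fires.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Known-good bindings keyed by (filter name, consumer name). Windows ships
# the SCM Event Log pair by default.
BASELINE = {("SCM Event Log Filter", "SCM Event Log Consumer")}

# Object paths in a binding look like  __EventFilter.Name="X"
REF_RE = re.compile(r'^(\w+)\.Name="([^"]+)"$')


def parse_ref(ref):
    """Split a binding's Filter/Consumer object path into (class, name)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised reference: {ref}")
    return m.group(1), m.group(2)


def resolve_bindings(filters, consumers, bindings):
    """Join each binding to its filter and consumer; one record per binding."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    resolved = []
    for b in bindings:
        _, filter_name = parse_ref(b["Filter"])
        consumer_class, consumer_name = parse_ref(b["Consumer"])
        flt = by_filter.get(filter_name)
        con = by_consumer.get((consumer_class, consumer_name))
        resolved.append({
            "filter": filter_name,
            "query": flt["Query"] if flt else None,
            "consumer": consumer_name,
            "consumer_class": consumer_class,
            "command": (con or {}).get("CommandLineTemplate"),
            # A binding whose filter or consumer is missing is itself odd:
            # it can mean partial cleanup or a consumer defined elsewhere.
            "dangling": flt is None or con is None,
        })
    return resolved


def suspicious_subscriptions(filters, consumers, bindings):
    """Bindings that execute code (or dangle) and are not in the baseline."""
    out = []
    for r in resolve_bindings(filters, consumers, bindings):
        if (r["filter"], r["consumer"]) in BASELINE:
            continue
        if r["consumer_class"] in CODE_EXEC_CONSUMERS or r["dangling"]:
            out.append(r)
    return out


if __name__ == "__main__":
    for r in suspicious_subscriptions(FILTERS, CONSUMERS, BINDINGS):
        print(r["filter"], "->", r["consumer_class"], r["command"])
        print("  trigger:", r["query"])
```

Reporting the resolved trio, trigger query and command template together is what makes the finding actionable: a lone __EventFilter or a lone consumer is not persistence until a binding joins them, and a binding on its own tells you nothing about what will run.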
Conclusion: Tuning for the Long Game
When you run these hunts, you will find noise—legacy admin scripts and clunky monitoring agents are common culprits. The "Tier 2" skill isn't just running the query; it's the tuning.
By baselining your environment's legitimate WMI and PowerShell usage, you force the attacker to operate in a shrinking "shadow" of the network. Don't wait for the red alert—go find the threat in the noise.
Until next time,
- paro