Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/3905
Title: Investigate Windows Management Instrumentation (WMI) Attacks in Windows Operating Systems
Authors: Maduranga, K. A. M.
Issue Date: 2017
Abstract: Windows Management Instrumentation (WMI) is a powerful technology that has remained consistent and has been present on every Windows operating system since Windows 95. WMI provides a very powerful set of tools for managing Windows systems both locally and remotely. A major threat in the information security world is intruders who use the tools built into the operating system to maliciously access data or services on a remote system. WMI has been well known and heavily used by system administrators since its launch, and it has also become a very popular tool among attackers because of its ability to perform system reconnaissance, code execution, lateral movement, anti-virus and virtual machine detection, persistence, and data theft. WMI uses the Distributed Component Object Model (DCOM) as its default protocol for communication over the network. DCOM establishes an initial connection over TCP port 135. Subsequent data is then exchanged over a randomly selected TCP port using the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) protocol. There are several mitigations that may prevent WMI attacks from occurring: closing port 135 or disabling WMI on the hosts. The problem is that network administrators then cannot use this service for their own tasks. Moreover, port 135 is not used only for WMI communication; it is used by many other Microsoft services, so it is impossible to close this port on the systems. The DCE/RPC header includes a field called the operation number. From this operation number value it is possible to identify whether the traffic contains WMI activity or not. The command executed by the remote user can also be found in the stub data field inside the DCE/RPC header. An Intrusion Detection System is a method of monitoring the network and protecting it from intruders.
A better solution is to use a device or software that can immediately detect and stop an attack; an Intrusion Prevention System performs this function. This research implemented a WMI Intrusion Detection System and a WMI Intrusion Protection System to protect networks from WMI-based attacks, using the knowledge gained during the research.
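As an added example (not code from the thesis), the following Python detector applies the approach the abstract describes: it parses a connection-oriented DCE/RPC request PDU, reads the operation number to decide whether the call is WMI activity, and pulls readable UTF-16LE strings out of the stub data. The IWbemServices opnum-to-method table and the sample PDU are assumptions constructed for illustration and should be checked against the MS-RPCE and MS-WMI specifications.

```python
import re
import struct

PTYPE_REQUEST = 0x00
PFC_OBJECT_UUID = 0x80
# Assumed IWbemServices (MS-WMI) opnums worth alerting on; verify against the spec.
WMI_OPNUMS = {6: "GetObject", 20: "ExecQuery", 24: "ExecMethod"}


def parse_request_pdu(pdu: bytes) -> dict:
    """Parse a connection-oriented DCE/RPC request PDU into header fields and stub data."""
    if len(pdu) < 24:
        raise ValueError("PDU shorter than a request header")
    _vers, _minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    if ptype != PTYPE_REQUEST:
        raise ValueError(f"not a request PDU (ptype={ptype})")
    # drep byte 0, high nibble: 0 = big-endian integers, 1 = little-endian.
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    _alloc_hint, ctx_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
    stub_start = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
    # An auth trailer, when present, is auth_len bytes plus an 8-byte verifier header.
    stub_end = frag_len - (auth_len + 8 if auth_len else 0)
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum,
            "stub": pdu[stub_start:stub_end]}


def utf16_strings(data: bytes, min_chars: int = 6) -> list:
    """Return printable UTF-16LE runs (how WMI carries queries and method arguments)."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def classify(pdu: bytes) -> dict:
    """Flag a request as WMI activity when its opnum is a watched IWbemServices method."""
    req = parse_request_pdu(pdu)
    method = WMI_OPNUMS.get(req["opnum"])
    return {"wmi": method is not None, "method": method,
            "strings": utf16_strings(req["stub"]) if method else []}


def build_request(opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Constructed sample PDU for exercising the parser (little-endian drep, no auth trailer)."""
    frag_len = 24 + len(stub)
    hdr = struct.pack("<BBBB", 5, 0, PTYPE_REQUEST, 0x03)  # version 5.0, first+last fragment
    hdr += bytes([0x10, 0, 0, 0]) + struct.pack("<HHI", frag_len, 0, call_id)
    hdr += struct.pack("<IHH", len(stub), 0, opnum)
    return hdr + stub


# Constructed sample: an ExecQuery call carrying a WQL query in the stub data.
SAMPLE = build_request(20, "select * from Win32_Process".encode("utf-16-le"))
```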
URI: http://hdl.handle.net/123456789/3905
Appears in Collections:Master of Science in Information Security - 2017

Files in This Item:
File: 2013mis016.pdf (1.43 MB, Adobe PDF)


Items in UCSC Digital Library are protected by copyright, with all rights reserved, unless otherwise indicated.