Processes created via WMI are not hooked?

[acalarch]

I am using Cuckoo R2. I ran a office dropper that used WMI to create a process via WMI (
https://msdn.microsoft.com/en-us/library/aa389388(v=vs.85).aspx) . The sample didn't have any behavioral details in the report for the process (powershell) created via WMI. So, this could be a way to bypass certain parts of cuckoo's monitoring.

SAMPLE MD5: 9572b94b6a635a7b8347caf73fe1afd1

[jbremer]

Ah yes, I believe I see the issue. Just to confirm, what version of Office do you have in your VM?

[acalarch]

2013

[acalarch]

Normally I get parent-child no problem

[jbremer]

Hm, that changes things actually, because I think on my local setup (office 2007) it doesn't work for a different reason. I'll have to investigate a bit further :-)
For what it's worth, this technique should normally work just fine (following WMI processes), so I'll be interested to see what's going wrong here.

[acalarch]

Ah yep, I guess I should've checked general creation VIA WMI. It is showing for VBS scripts.

[jbremer]

Well, regardless of whether it works with VBS, it clearly doesn't work in this scenario :-) Anyway, to be continued.

[ne1llee]

@jbremer
wmi.c：The call to init_co_create_instance() in the _locate_wbem_services function fails and does not clear the is_hooked.