
Windows Management Instrumentation

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) [1] and Remote Procedure Call Service (RPCS) [2] for remote access. RPCS operates over port 135. [3]

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. [4]

ID: T1047

Tactic: Execution

Platform:  Windows

Permissions Required:  User, Administrator

Data Sources:  Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters

Supports Remote:  Yes

Version: 1.0

Examples

Name / Description
APT29

APT29 used WMI to steal credentials and execute backdoors at a future time.[5]

BlackEnergy

A BlackEnergy 2 plug-in uses WMI to gather victim host details.[6]

Cobalt Strike

Cobalt Strike can use WMI to deliver a payload to a remote host.[7]

Deep Panda

The Deep Panda group is known to utilize WMI for lateral movement.[8]

DustySky

The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[9]

FIN8

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during and post compromise cleanup activities.[10][11]

GravityRAT

GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).[12]

HALFBAKED

HALFBAKED can use WMI queries to gather system information.[13]

jRAT

jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[14]

Koadic

Koadic can use WMI to execute commands.[15]

KOMPROGO

KOMPROGO is capable of running WMI queries.[16]

Lazarus Group

Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[17][18]

Leviathan

Leviathan has used WMI for execution.[19]

menuPass

menuPass uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[20][21]

Mosquito

Mosquito's installer uses WMI to search for antivirus display names.[22]

OilRig

OilRig has used WMI for execution.[23]

OopsIE

OopsIE uses WMI to perform discovery techniques.[24]

PowerSploit

PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.[25][26]

POWERSTATS

POWERSTATS can use WMI queries to retrieve data from compromised hosts.[27]

POWRUNER

POWRUNER may use WMI when collecting information about a victim.[28]

RATANKBA

RATANKBA uses WMI to perform process monitoring.[29][30]

RogueRobin

RogueRobin uses various WMI queries to check if the sample is running in a sandbox.[31]

Stealth Falcon

Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).[32]

Threat Group-3390

A Threat Group-3390 tool can use WMI to execute a binary.[33]

Mitigation

Disabling WMI or RPCS may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. [4]

Detection

Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. [4]
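Detection logic of the kind described above, run over a few constructed process-creation records (an added example, not part of the ATT&CK page). The record layout and field names are assumptions, and the rule for children of WmiPrvSE.exe, the WMI provider host that parents processes created through WMI, goes beyond the wmic command-line check the page names:

```python
"""Flag WMI-based remote execution in process-creation telemetry.

Added example: the records below are constructed in a simplified Sysmon
Event ID 1 style (Image|ParentImage|CommandLine). Field names are assumptions.
"""
import re

# Constructed sample events; the host and account names are made up.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\wbem\WMIC.exe|C:\Windows\System32\cmd.exe|'
    r'wmic /node:FILESRV01 /user:CORP\svc_admin process call create "cmd.exe /c whoami"',
    r'C:\Windows\System32\wbem\WMIC.exe|C:\Windows\explorer.exe|'
    r'wmic os get Caption,Version',
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WmiPrvSE.exe|'
    r'cmd.exe /c net user',
    r'C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe',
]

# /node: selects a remote target; "process call create" starts a process there.
NODE_RE = re.compile(r"/node:", re.IGNORECASE)
PROC_CREATE_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def parse_event(line):
    """Split one pipe-separated record into its three fields."""
    image, parent, cmdline = line.split("|", 2)
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}


def classify(event):
    """Return the reasons this event is suspicious (empty list if benign)."""
    reasons = []
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    if image.endswith("\\wmic.exe"):
        if NODE_RE.search(cmd):
            reasons.append("wmic targeting a remote host (/node:)")
        if PROC_CREATE_RE.search(cmd):
            reasons.append("wmic process creation (process call create)")
    # Assumption beyond the page: processes started via WMI are children of WmiPrvSE.exe.
    if parent.endswith("\\wmiprvse.exe"):
        reasons.append("process spawned by WMI provider host")
    return reasons


def find_suspicious(lines):
    """Return (command line, reasons) for every record that trips a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append((event["CommandLine"], reasons))
    return findings
```

A local `wmic os get` query is deliberately left unflagged; the page notes that WMI use is only suspect where it is not normally used, so the local query would instead be baselined per environment.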

References

  1. Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
  2. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  3. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
  4. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  5. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  6. Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
  7. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  8. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  9. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  10. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  11. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  12. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  13. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  14. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  15. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  16. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  17. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  18. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  19. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  20. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  21. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  22. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  23. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  24. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  25. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  26. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  27. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  28. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  29. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  30. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  31. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  32. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  33. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda - A potential new malicious tool. Retrieved June 25, 2018.