Register to stream ATT&CKcon 2.0 October 29-30

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) [1] and Remote Procedure Call Service (RPCS) [2] for remote access. RPCS operates over port 135. [3]

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. [4]

ID: T1047
Tactic: Execution
Platform: Windows
System Requirements: WMI service, winmgmt, running; Host/network firewalls allowing SMB and WMI ports from source to destination; SMB authentication.
Permissions Required: User, Administrator
Data Sources: Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters
Supports Remote:  Yes
Version: 1.0

Mitigations

Mitigation Description
Privileged Account Management Prevent credential overlap across systems of administrator and privileged accounts. [4]
User Account Management By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

Examples

Name Description
APT29 APT29 used WMI to steal credentials and execute backdoors at a future time. [54]
APT32 APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process. [61]
Astaroth Astaroth uses WMIC to execute payloads. [35]
BlackEnergy A BlackEnergy 2 plug-in uses WMI to gather victim host details. [15]
Cobalt Strike Cobalt Strike can use WMI to deliver a payload to a remote host. [5]
Deep Panda The Deep Panda group is known to utilize WMI for lateral movement. [49]
DustySky The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active. [25]
Emotet Emotet has used WMI to execute powershell.exe. [45]
Empire Empire can use WMI to deliver a payload to a remote host. [10]
EvilBunny EvilBunny has used WMI to gather information about the system. [46]
FELIXROOT FELIXROOT uses WMI to query the Windows Registry. [14]
FIN8 FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during and post compromise cleanup activities. [56] [57]
FlawedAmmyy FlawedAmmyy leverages WMI to enumerate anti-virus on the victim. [43]
GravityRAT GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed). [20]
HALFBAKED HALFBAKED can use WMI queries to gather system information. [28]
HOPLIGHT HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. [40]
Impacket Impacket's wmiexec module can be used to execute commands through WMI. [9]
jRAT jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details. [27]
Kazuar Kazuar obtains a list of running processes through WMI querying. [41]
Koadic Koadic can use WMI to execute commands. [6]
KOMPROGO KOMPROGO is capable of running WMI queries. [13]
Lazarus Group Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement. [59] [60]
Leviathan Leviathan has used WMI for execution. [53]
menuPass menuPass uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI. [47] [48]
Micropsia Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI. [37] [38]
Mosquito Mosquito's installer uses WMI to search for antivirus display names. [12]
MuddyWater MuddyWater has used malware that leveraged WMI for execution and querying host information. [51] [17] [52]
NotPetya NotPetya can use wmic to help propagate itself across a network. [33] [34]
Octopus Octopus uses wmic.exe for local discovery information. [26]
OilRig OilRig has used WMI for execution. [50]
Olympic Destroyer Olympic Destroyer uses WMI to help propagate itself across a network. [29]
OopsIE OopsIE uses WMI to perform discovery techniques. [24]
PoshC2 PoshC2 has a number of modules that use WMI to execute tasks. [11]
PowerSploit PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload. [7] [8]
POWERSTATS POWERSTATS can use WMI queries to retrieve data from compromised hosts. [16] [17]
POWRUNER POWRUNER may use WMI when collecting information about a victim. [23]
RATANKBA RATANKBA uses WMI to perform process monitoring. [21] [22]
Remexi Remexi executes received commands with wmic.exe (for WMI commands). [36]
RogueRobin RogueRobin uses various WMI queries to check if the sample is running in a sandbox. [18] [19]
Soft Cell Soft Cell used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets. [62]
Stealth Falcon Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI). [58]
StoneDrill StoneDrill has used the WMI command-line (WMIC) utility to run tasks. [42]
Threat Group-3390 A Threat Group-3390 tool can use WMI to execute a binary. [55]
Ursnif Ursnif droppers have used WMI classes to execute PowerShell commands. [44]
WannaCry WannaCry utilizes wmic to delete shadow copies. [30] [31] [32]
Zebrocy One variant of Zebrocy uses WMI queries to gather information. [39]

Detection

Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. [4]

References

  1. Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
  2. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  3. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
  4. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  5. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  6. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  7. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  8. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  9. SecureAuth. (n.d.). Retrieved January 15, 2019.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  12. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  13. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  14. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  15. Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
  16. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  17. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  18. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  19. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  20. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  21. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  22. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  23. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  24. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  25. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  26. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  27. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  28. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  29. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  30. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  31. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  1. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  2. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  3. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  4. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  5. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  6. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  7. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  8. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  9. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  10. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  11. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  12. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  13. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  14. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  15. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  16. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  17. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  18. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  19. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  20. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  21. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  22. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  23. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  24. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  25. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  26. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  27. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  28. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  29. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  30. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  31. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.