Windows Management Instrumentation

Technique
ID: T1047
Tactic: Execution
Platform: Windows
System Requirements: WMI service, winmgmt, running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.
Permissions Required: User, Administrator
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Supports Remote: Yes

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service (winmgmt) for local and remote access, and on Server Message Block (SMB)[1] and the Remote Procedure Call Service (RPCS)[2] for remote access. The RPC endpoint mapper listens on TCP port 135;[3] the DCOM connection that then carries the WMI session is assigned a dynamic high port, which is why a firewall that admits only port 135 does not fully permit remote WMI.

An adversary can use WMI to interact with local and remote systems in support of many tactics, such as gathering information for Discovery and remotely executing files as part of Lateral Movement.[4]
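The two uses the description names, a Discovery query and remote Execution, as an added PowerShell example. This is not code from the ATT&CK page or from any tool it cites; the host name, account and command line are placeholders, and the session is forced onto DCOM so the traffic matches the description (RPC endpoint mapper on TCP 135, then a dynamic high port).

```powershell
# Added example (assumed host 'WS01', account 'CORP\admin'): local/remote
# Discovery and remote Execution over WMI using the CIM cmdlets.

function New-DcomWmiSession {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [pscredential]$Credential
    )
    # DCOM rather than the WSMan default, so the transport is the one the page describes.
    $opts = @{ ComputerName = $ComputerName; SessionOption = (New-CimSessionOption -Protocol Dcom) }
    if ($Credential) { $opts.Credential = $Credential }
    New-CimSession @opts
}

# Discovery: OS details plus whether an AV product is registered with the
# Security Center. root\SecurityCenter2 exists on client SKUs only, so that
# query is allowed to fail.
function Get-WmiHostProfile {
    param([Parameter(Mandatory)] [CimSession]$Session)

    $os = Get-CimInstance -CimSession $Session -ClassName Win32_OperatingSystem
    $av = try {
        Get-CimInstance -CimSession $Session -Namespace 'root\SecurityCenter2' `
            -ClassName AntiVirusProduct -ErrorAction Stop
    } catch { $null }

    [pscustomobject]@{
        Host      = $Session.ComputerName
        OS        = $os.Caption
        Build     = $os.BuildNumber
        LastBoot  = $os.LastBootUpTime
        AntiVirus = if ($av) { $av.displayName -join ', ' } else { 'none reported or namespace absent' }
    }
}

# Execution: Win32_Process.Create is the call behind
# "wmic /node:HOST process call create ..." and behind wmiexec-style tooling.
# Only ReturnValue and ProcessId come back; stdout is not captured, which is
# why such tools redirect output to a file and read it back over SMB.
function Invoke-WmiRemoteProcess {
    param(
        [Parameter(Mandatory)] [CimSession]$Session,
        [Parameter(Mandatory)] [string]$CommandLine
    )
    $r = Invoke-CimMethod -CimSession $Session -ClassName Win32_Process `
        -MethodName Create -Arguments @{ CommandLine = $CommandLine }
    [pscustomobject]@{
        Host        = $Session.ComputerName
        ReturnValue = $r.ReturnValue   # 0 success, 2 access denied, 3 insufficient privilege, 9 path not found
        ProcessId   = $r.ProcessId
    }
}

# Usage with the placeholder host and account.
$cred    = Get-Credential 'CORP\admin'
$session = New-DcomWmiSession -ComputerName 'WS01' -Credential $cred
try {
    Get-WmiHostProfile -Session $session
    Invoke-WmiRemoteProcess -Session $session -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\out.txt'
} finally {
    Remove-CimSession $session
}
```

Running this from a workstation generates exactly the artifacts the Detection section talks about: an RPC/DCOM connection to the target, an authentication event there for the supplied account, and on the target a cmd.exe whose parent is WmiPrvSE.exe.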

Examples

  • APT29 used WMI to steal credentials and execute backdoors at a future time.[5]
  • APT34 has used WMI for execution.[6]
  • The Deep Panda group is known to utilize WMI for lateral movement.[7]
  • FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution.[8] FIN8 has also used WMIC during Lateral Movement and post-compromise cleanup activities.[9]
  • Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[10]
  • Leviathan has used WMI for execution.[11]
  • Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).[12]
  • menuPass uses a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[13][14]
  • A BlackEnergy 2 plug-in uses WMI to gather victim host details.[15]
  • Cobalt Strike can use WMI to deliver a payload to a remote host.[16]
  • The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[17]
  • HALFBAKED can use WMI queries to gather system information.[18]
  • KOMPROGO is capable of running WMI queries.[19]
  • POWERSTATS can use WMI queries to retrieve data from compromised hosts.[20]
  • POWRUNER may use WMI when collecting information about a victim.[21]
  • PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.[22][23]

Mitigation

Disabling WMI or RPCS may cause system instability, so the impact on the network should be evaluated before doing so. By default, only members of the local Administrators group hold the Remote Enable permission on WMI namespaces and can therefore connect remotely. Restrict any other users who have been granted remote access, or disallow remote WMI connections entirely (for example by blocking the inbound DCOM/WMI ports at the host firewall) on hosts that are not managed over WMI. Prevent credential overlap across systems for administrator and other privileged accounts, since WMI lateral movement simply reuses whatever credentials the adversary already holds.[4]
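An added audit script for the two controls above, not part of the ATT&CK page: it decodes the namespace DACL to show who actually holds Remote Enable, and can disable the built-in inbound WMI firewall rule group. The namespace list and the decision to disable the rules are the caller's; it uses the WMI cmdlets, so it assumes Windows PowerShell 5.1 run elevated.

```powershell
# Added example: audit "Remote Enable" on WMI namespaces and optionally block
# inbound WMI. Namespace names below are assumptions; adjust to your estate.

# Namespace security is a DACL on the namespace's __SystemSecurity singleton.
# Relevant AccessMask bits (wbemcli.h):
$WBEM_ENABLE         = 0x1
$WBEM_METHOD_EXECUTE = 0x2
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote Enable" in wmimgmt.msc

function Get-WmiNamespaceRemoteAccess {
    param([string]$Namespace = 'root\cimv2')

    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
            -Name GetSecurityDescriptor).Descriptor

    foreach ($ace in $sd.DACL) {
        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
                   else { $ace.Trustee.Name }
        [pscustomobject]@{
            Namespace    = $Namespace
            Trustee      = $trustee
            AceType      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Enable       = [bool]($ace.AccessMask -band $WBEM_ENABLE)
            MethodExec   = [bool]($ace.AccessMask -band $WBEM_METHOD_EXECUTE)
            RemoteEnable = [bool]($ace.AccessMask -band $WBEM_REMOTE_ACCESS)
            Inherits     = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE: flows to child namespaces
        }
    }
}

# Principals that can both connect remotely and execute methods (what
# Win32_Process.Create needs), other than the local Administrators group.
# On a default install this returns nothing; anything it does return is a
# grant somebody added and should be justified.
function Find-UnexpectedRemoteWmiAccess {
    param([string[]]$Namespaces = @('root\cimv2', 'root\default', 'root\subscription'))
    foreach ($ns in $Namespaces) {
        Get-WmiNamespaceRemoteAccess -Namespace $ns |
            Where-Object { $_.AceType -eq 'Allow' -and $_.RemoteEnable -and $_.MethodExec -and
                           $_.Trustee -notmatch '\\Administrators$' }
    }
}

# Network-level restriction: the predefined rule group that admits DCOM/WMI
# inbound. Disabling it removes the "firewalls allowing WMI ports"
# precondition, and also breaks legitimate remote management, so evaluate first.
function Disable-InboundWmiRules {
    param([switch]$WhatIf)
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Set-NetFirewallRule -Enabled False -WhatIf:$WhatIf
}

# Usage:
Find-UnexpectedRemoteWmiAccess | Format-Table -AutoSize
Disable-InboundWmiRules -WhatIf
```

root\subscription is included because permanent event subscriptions live there; a principal with remote write access to it can plant the delayed execution the APT29 entry above describes.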

Detection

Monitor network traffic for WMI connections (an RPC endpoint-mapper connection to TCP 135 followed by a dynamic high port, alongside the SMB authentication to the target); WMI use in environments that do not normally manage hosts with it is suspect. Perform process monitoring to capture the command-line arguments of "wmic" and detect commands used to perform remote behavior, such as a /node: switch naming another host together with process call create. On the target, processes created through WMI appear as children of the WMI provider host, WmiPrvSE.exe, so a shell or script interpreter with that parent is the host-side footprint of remote execution.[4]
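The command-line and parent-process checks above as an added detection example, not code from the ATT&CK page. It runs first over constructed process-creation records in the shape of Sysmon Event ID 1 (host names, users and command lines are invented for the sample) and can then be pointed at live Sysmon data; the field mapping assumes Sysmon is installed and the script runs elevated.

```powershell
# Added example: flag remote WMI use from process-creation telemetry.

# Constructed sample records (not real telemetry). Records 1 and 3 are the
# source and target sides of one remote wmic execution; 2 and 4 are benign local use.
$SampleEvents = @(
    [pscustomobject]@{ Computer='WS01'; User='CORP\jdoe'; Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe'
        CommandLine='wmic /node:"FS02" /user:CORP\svc-backup process call create "cmd.exe /c whoami > \\FS02\C$\Windows\Temp\o.txt"' }
    [pscustomobject]@{ Computer='WS01'; User='CORP\jdoe'; Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe'
        CommandLine='wmic os get caption,buildnumber' }
    [pscustomobject]@{ Computer='FS02'; User='CORP\svc-backup'; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine='cmd.exe /c whoami > \\FS02\C$\Windows\Temp\o.txt' }
    [pscustomobject]@{ Computer='WS01'; User='CORP\jdoe'; Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe'
        CommandLine='wmic /node:localhost product get name' }
)

function Test-SuspiciousWmiProcess {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $cl      = $Record.CommandLine
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($Record.Image -match '\\wmic\.exe$') {
            # /node:<target> naming a host other than this one = remote WMI from the command line.
            if ($cl -match '/node:\s*"?(?<target>[^"\s]+)"?') {
                $t = $Matches.target
                if ($t -notin @('.', 'localhost', '127.0.0.1', $Record.Computer)) {
                    $reasons.Add("remote wmic to $t")
                }
            }
            if ($cl -match 'process\s+call\s+create') { $reasons.Add('wmic process call create') }
            if ($cl -match '/user:')                  { $reasons.Add('explicit credentials on command line') }
        }

        # Target side: a shell or script host parented by the WMI provider host
        # is the footprint of a remote Win32_Process.Create.
        if ($Record.ParentImage -match '\\WmiPrvSE\.exe$' -and
            $Record.Image -match '\\(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)\.exe$') {
            $reasons.Add('process spawned by WmiPrvSE.exe')
        }

        if ($reasons.Count) {
            [pscustomobject]@{
                Computer    = $Record.Computer
                User        = $Record.User
                Image       = $Record.Image
                Reasons     = ($reasons -join '; ')
                CommandLine = $cl
            }
        }
    }
}

# Against the constructed sample, records 1 and 3 are flagged; 2 and 4 are not.
$SampleEvents | Test-SuspiciousWmiProcess | Format-Table -AutoSize

# Live data: map Sysmon Event ID 1 onto the same shape by field name, which
# survives the column reordering between Sysmon versions.
function Get-SysmonProcessEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                                     StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Computer = $_.MachineName; User = $d['User']; Image = $d['Image']
                               CommandLine = $d['CommandLine']; ParentImage = $d['ParentImage'] }
        }
}
# Get-SysmonProcessEvents -Hours 24 | Test-SuspiciousWmiProcess
```

The source-side rules only catch wmic.exe; PowerShell, wmiexec.vbs and PowerSploit's Invoke-WmiCommand never spawn it, which is why the target-side WmiPrvSE.exe parent check and the network-level monitoring the page calls for are needed as well.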

References

  1. Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
  2. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  3. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
  4. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  5. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  6. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  7. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  8. Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  9. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  10. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  11. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  12. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.