Windows Management Instrumentation
Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) [1] and Remote Procedure Call Service (RPCS) [2] for remote access. RPCS operates over port 135. [3]
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. [4] [5]
Procedure Examples
Name | Description |
---|---|
APT29 | APT29 used WMI to steal credentials and execute backdoors at a future time.[6] |
APT32 | APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.[7] |
APT41 | APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[8] |
Astaroth | |
BlackEnergy | A BlackEnergy 2 plug-in uses WMI to gather victim host details.[10] |
Blue Mockingbird | Blue Mockingbird has used wmic.exe to set environment variables.[11] |
Chimera | |
Cobalt Strike | Cobalt Strike can use WMI to deliver a payload to a remote host.[13] |
CrackMapExec | CrackMapExec can execute remote commands using Windows Management Instrumentation.[14] |
Deep Panda | The Deep Panda group is known to utilize WMI for lateral movement.[15] |
DustySky | The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[16] |
Emotet | |
Empire | Empire can use WMI to deliver a payload to a remote host.[18] |
EvilBunny | EvilBunny has used WMI to gather information about the system.[19] |
FELIXROOT | |
FIN6 | FIN6 has used WMI to automate the remote execution of PowerShell scripts.[21] |
FIN8 | FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during and post-compromise cleanup activities.[22][23] |
FlawedAmmyy | FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.[24] |
Frankenstein | Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version.[25] |
GravityRAT | GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).[26] |
HALFBAKED | HALFBAKED can use WMI queries to gather system information.[27] |
HOPLIGHT | HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.[28] |
IcedID | |
Impacket | Impacket's wmiexec module can be used to execute commands through WMI.[30] |
jRAT | jRAT uses WMIC to identify anti-virus products installed on the victim's machine and to obtain firewall details.[31] |
Kazuar | Kazuar obtains a list of running processes through WMI querying.[32] |
Koadic | |
KOMPROGO | |
Lazarus Group | Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[35][36] |
Leviathan | |
Maze | Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.[38][39] |
menuPass | menuPass uses a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[40][41] |
Micropsia | Micropsia searches for anti-virus software and firewall products installed on the victim's machine using WMI.[42][43] |
Mosquito | Mosquito's installer uses WMI to search for antivirus display names.[44] |
MuddyWater | MuddyWater has used malware that leveraged WMI for execution and querying host information.[45][46][47] |
Netwalker | |
NotPetya | NotPetya can use |
Octopus | |
OilRig | |
Olympic Destroyer | Olympic Destroyer uses WMI to help propagate itself across a network.[53] |
OopsIE | |
PoshC2 | PoshC2 has a number of modules that use WMI to execute tasks.[55] |
PowerSploit | PowerSploit's |
POWERSTATS | POWERSTATS can use WMI queries to retrieve data from compromised hosts.[58][46] |
POWRUNER | POWRUNER may use WMI when collecting information about a victim.[59] |
RATANKBA | |
Remexi | Remexi executes received commands with wmic.exe (for WMI commands).[62] |
REvil | REvil can use WMI to monitor for and kill specific processes listed in its configuration file.[63][64] |
RogueRobin | RogueRobin uses various WMI queries to check if the sample is running in a sandbox.[65][66] |
Soft Cell | Soft Cell used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[67] |
Stealth Falcon | Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).[68] |
StoneDrill | StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[69] |
Sunburst | Sunburst used the WMI query |
Threat Group-3390 | A Threat Group-3390 tool can use WMI to execute a binary.[71] |
UNC2452 | UNC2452 used WMI for the remote execution of files for lateral movement.[72][73] |
Ursnif | Ursnif droppers have used WMI classes to execute PowerShell commands.[74] |
Valak | Valak can use |
WannaCry | |
Wizard Spider | Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.[79][80][81][82] |
Zebrocy | One variant of Zebrocy uses WMI queries to gather information.[83] |
Mitigations
Mitigation | Description |
---|---|
Privileged Account Management | Prevent credential overlap across systems for administrator and other privileged accounts.[5] |
User Account Management | By default, only administrators are allowed to connect remotely using WMI. Restrict the set of other users who are allowed to connect, or disallow remote WMI connections for all users. |
Detection
Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. [5]
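An added example (not part of the ATT&CK page) of the process-monitoring check described above: it scans constructed process-creation records for wmic.exe invocations carrying a /node: switch, which is how wmic addresses another machine, and separates remote `process call create` (execution) from other remote actions. The record layout, host names, user and paths are constructed for the example.

```python
"""Flag wmic.exe command lines aimed at remote hosts (added example).
Records are constructed as "<timestamp> <host> <parent_image> <image> <command line>"."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample events; host names, users and paths are made up.
SAMPLE_EVENTS = [
    '2021-01-04T09:12:01Z WS01 explorer.exe wmic.exe wmic os get caption',
    '2021-01-04T09:14:37Z WS01 cmd.exe wmic.exe wmic /node:"FS02" /user:corp\\admin '
    'process call create "cmd.exe /c whoami"',
    '2021-01-04T09:15:02Z WS03 powershell.exe wmic.exe wmic /NODE:10.0.0.25 shadowcopy delete',
    '2021-01-04T09:16:10Z WS01 svchost.exe notepad.exe notepad.exe report.txt',
]

NODE_SWITCH = re.compile(r'^/node:(.+)$', re.IGNORECASE)
PROCESS_CREATE = re.compile(r'\bprocess\s+call\s+create\b', re.IGNORECASE)


@dataclass
class Alert:
    timestamp: str
    host: str
    target: str  # remote host named by /node:
    reason: str


def remote_target(cmdline):
    """Return the /node: value if the wmic command line names a remote host, else None."""
    # Non-POSIX mode keeps Windows backslashes literal and quoted arguments whole.
    for tok in shlex.split(cmdline, posix=False):
        m = NODE_SWITCH.match(tok)
        if m:
            return m.group(1).strip('"\'')
    return None


def detect(events):
    """Return one Alert per wmic.exe process that addresses a remote node."""
    alerts = []
    for line in events:
        ts, host, _parent, image, cmdline = line.split(' ', 4)
        if image.lower() != 'wmic.exe':
            continue
        target = remote_target(cmdline)
        if target is None:
            continue  # local wmic use is routine administration
        reason = 'remote execution via wmic' if PROCESS_CREATE.search(cmdline) else 'remote wmic command'
        alerts.append(Alert(ts, host, target, reason))
    return alerts
```

Local wmic use (first sample line) produces no alert; tuning for an environment means also baselining which source hosts are expected to issue remote WMI at all.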
References
- Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
- Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
- Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
- Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.
- Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Doaty, J., Garrett, P. (2018, September 10). We're Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
- Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- SecureAuth. (n.d.). Retrieved January 15, 2019.
- Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
- Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
- Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.