MITRE ATT&CK Mondays is an ongoing series of articles on adversary tactics and techniques listed on the MITRE ATT&CK framework. We will focus on one technique per week, discuss what it is, what it looks like in the wild, possible future applications, and how to defend and protect your network.
What is WMI (T1047)?
WMI — Windows Management Instrumentation — has been around as a foundational Windows administration mechanism since Windows NT, so it isn’t exactly a new tool for hackers to abuse. Its main legitimate purpose is to allow programmatic management of Windows personal computers and servers, so an admin could write, say a Powershell script, to edit the registry or even manage the temperature of an endpoint, or do any other number of administrative actions.
Whether Microsoft has intended it or not, WMI has become the de facto management layer for any large windows deployment, which means that many organizations rely on it for day-to-day management, making it near impossible to disable. It can be used locally, such as with a command-line tool like wmic, or remotely through SMB or the remote procedure call service, making it a key tool for legit admins to manage large sites and for hackers using living off the land techniques to do their nefarious deeds with a lower the chance of detection.
Later we will cover WMI’s other classification in the MITRE ATT&CK framework: WMI Event Subscription, which is under the persistence tactic.
What does it look like in the wild?
Although it is classified in the MITRE ATT&CK framework as Enterprise Technique T1047 “Windows Management Instrumentation” under the execution tactic, it can be used in multiple stages of the attack such as persistence or discovery, which is apparent from its abuse in the wild: BlackEnergy 2 malware and the FLEXIROOT backdoor use it for discovery, while groups like Deep Panda (possibly APT19) and Soft Cell use it for lateral movement. It was even abused by WannaCry to delete shadow copies — that’s right, this common system management tool was used to destroy backups making the ransomware all the more potent.
What will happen in the future?
We should expect to see continued and growing use of WMI abuse due to the continued automation of hacker tools and groups (like its recent use in the latest Emotet), and because it just makes sense for hackers: it’s universal among modern Windows systems (ex: nearly every Windows machine with an open port 445 is running it), it’s automatable, and it can be difficult to detect.
What can defenders do?
- Secure your WMI namespaces
- Secure your WMI providers
- Secure your WMI scripting clients
- Check for overlap across systems between privileged and admin accounts
- Restrict users who are allowed to connect using WMI, or stop all remote WMI connections
- Check for WMI traffic where it wouldn’t make sense to see it (such as external inbound traffic to internal systems)
- Audit command line logs
- Log WmiEventFilter, WmiEventConsumer, and WmiEventConsumerToFilter in Sysmon
- Audit WMI logs and WMI repository
- Look out for MOF files in an investigation
- Audit Powershell logs as hackers may forgo using MOF files
- Memory analysis for processes like: Srccons.exe, or WmiPrvSE.exe, or even wsmprovhost.exe for possible Powershell remote abuse of WMI
How can CyCraft help?
Detecting malicious use of WMI is no easy task, which makes it frustrating because of its ubiquity. Luckily our CyCarrier AIR platform specializes in catching abnormal and malicious system behavior like WMI abuse: we analyze multiple levels of forensic data across your enterprise to connect the dots and make even the subtlest attacks visible and show their complete storylines, saving you the headache.
References & Further Reading: