<-- Go Back
Are you detecting WMI abuse the right way?
"WMI gives you the freedom to hide, move around and take control against million dollar defense mechanisms"
What is WMI?
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems.
WMI provides an abstracted, unified object-oriented model, which contains classes representing elements such as the system registry, processes, threads and hardware components.
WMI allows scripting languages like VBScript or Windows PowerShell to automate administrative tasks on Windows computers locally and remotely. It allows users, administrators and developers (as well as attackers) to enumerate, manipulate and interact with various managed components in the OS.
WMI consists of three major components:
- WMI service(handles all requests)
- WMI providers(objects that monitor events and data)
- The WMI Repository(centralized storage)
Should I break my head about it ?
An adversary can use WMI to interact with systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files. It has access to a lot of system data, so adversaries are able to perform various types of discovery and reconnaissance through WMI.
It's so popular that MITRE ATT&CK framework has a technique exclusively for WMI. [T1047] is an execution technique that adversaries use for lateral movement and persistence. In recent times, it has been observed that a lot of threat actors are using WMI in their attacks and campaigns.
- Agent Tesla - Agent Tesla has used wmi queries to gather information from the system
- APT29 - Steal credentials and execute backdoors
- Astaroth - Astaroth uses WMIC to execute payloads
- Bazar - Gather information about the installed antivirus engine
- Cobalt Strike - CS can use WMI to deliver a payload to a remote host
- Emotnet - Emotnet has used WMI to execute powershell.exe
WMI Abuse
- Discovering sysinfo
- Scheduling persistence
- Launching WMI from Office documents to invoke Poweshell
- WMI Lateral Movement
- Credential Theft using WMI
- Deletion of shadow copies, likely to avoid using vssadmin
Let's take a look at some of the WMI(T1047) Use Cases using Atomic Tests
WMI Reconnaissance
Users
wmic useraccount get Name, Description /format:csv
Software
wmic qfe get Name, HotFixID /format:csv
Remote Services
wmic /node:"127.0.0.1" service where (caption like "%service%")
WMI Execution
Execute Local Process
wmic process call create notepad.exe
Execute Remote Process
wmic /user:DOMAIN\User /password:password /node:"10.10.10.10" process call create "powershell.exe ls"
Execution using obfuscated Win32_Process
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("Win32_ABC")
$NewClass.Put()
Invoke-WmiMethod -Path Win32_ABC -Name create -ArgumentList "powershell -exec bypass XYZ"
Note: Enable powershell scriptblock logging(EventID:4104) to log these events.
Detection Strategies
We'll use Sysmon(A Windows system service and device driver that monitor and log system activity to the Windows event log) and Windows event log(A detailed record of system, security and application notifications) to power our detection rules. WMI can be a potential fileless method of persistence in Windows. WMI persistence relies on three components: Filter, (e.g. when this condition happens), Consumer (e.g. do this), and Binding (links Filter to Consumer). Sysmon EventID 19, 20, and 21 only pertains to WMI permanent event subscriptions or WMI persistence.
-
Event ID 1: Process Creation
The process creation event provides extended information about a newly created process.
-
Event ID 10: Process Access
The process accessed event reports when a process opens another process, an operation thatโs often followed by information queries or reading and writing the address space of the target process.
-
Event ID 19: WmiEvent (WmiEventFilter activity detected)
When a WMI event filter is registered, which is a method used by malware to execute, this event logs the WMI namespace, filter name and filter expression.
-
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
This event logs the registration of WMI consumers, recording the consumer name, log, and destination.
-
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
When a consumer binds to a filter, this event logs the consumer name and filter path.
-
Windows EventID 5861 logs generate a permanent record of WMI event subscriptions.
Detection Query:
Below are some general templates for writing detection queries. Depending on the SIEM/Monitoring tool the parsing and fields needs to be modified. Things to keep in mind while creating detection queries:
-
Use regex instead of wildcards
-
Don't nest too much and mind the Aggregations
-
Filter out legit events by using valid Suppressions
Credential Theft using WMI
event_id:1 AND event_data.CommandLine:(*wmic* AND (*samlib.dll* OR *vaultcli.dll* OR *lsass.exe* ))
WMI Lateral Movement
event_id:1 AND event_data.CommandLine:(wmic* AND process* AND create*)
WMI execution
event_id:1 AND (event_data.Image:(*\WmiPrvSE.exe) OR event_data.ParentImage:(*\WmiPrvSE.exe))
References: