Windows Management Instrumentation (WMI) is the infrastructure for managing data and operations on Windows-based operating systems. Adversaries abuse the extensive capabilities of WMI to execute malicious commands and payloads in compromised Windows hosts. The WMI service also gives adversaries local and remote access.
The versatility of WMI makes Windows Management Instrumentation [T1047] the ninth most frequently used MITRE ATT&CK technique in the Red Report 2024.
Adversary Use of Windows Management Instrumentation
Windows Management Instrumentation (WMI) is an integral administrative feature natively available in Windows operating systems. Present since the Windows NT era, WMI and its command-line interface (WMIC) were the primary tools for interacting with it until Windows 10 version 21H1. Given this long availability, WMIC became a frequent tool in adversaries' attack campaigns. Although PowerShell has overtaken WMIC for WMI tasks in newer Windows versions, many hosts worldwide still run older Windows versions, so WMIC-based malicious payloads remain prevalent.
In the MITRE ATT&CK framework, the WMI technique does not specify any sub-techniques. Nonetheless, adversaries exploit WMI's extensive access to various operating system functions for command execution, defense evasion, discovery, and lateral movement. The ways in which adversaries employ WMI in their attack strategies are varied and multifaceted. Below are some illustrative examples of this usage.
1. System and Information Discovery
PowerShell's Get-WmiObject cmdlet can be used to obtain information about WMI classes from local or remote hosts. Adversaries use the Get-WmiObject cmdlet to gather information about compromised hosts or other hosts in a compromised network.
Get-WmiObject Win32_OperatingSystem
For example, as disclosed by CISA in December 2023, the Russian Foreign Intelligence Service (SVR) used the following PowerShell command to retrieve information about the services running on a specified remote computer using WMI [1].
powershell Get-WmiObject -Class Win32_Service -Computername
WMIC itself can be used for system information discovery, too. For instance, in May 2023, CISA's cybersecurity advisory (AA23-144A) on the China-based state-sponsored APT group Volt Typhoon [2] disclosed that the adversaries ran the following wmic command to gather information about local drives.
wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename
This query lists all logical disks (hard drives, USB drives, and so on) along with their file system type (such as NTFS or FAT32), available free space, total size, and volume name.
By executing this command, adversaries can efficiently assess the storage resources and data organization of the system, which could aid in planning further malicious activities such as data theft, identifying locations for data exfiltration, or determining where to deploy payloads without arousing suspicion due to space constraints.
It is also essential to recognize the versatility with which adversaries can access information about WMI classes. They can employ various methods to retrieve the same data, underscoring the need for organizations to consider these different approaches when setting up their security monitoring and detection controls.
For example, the three methods below, though different in approach, yield the same information about WMI classes:
wmic OS get SystemDirectory,Organization,BuildNumber,RegisteredUser,SerialNumber,Version
2. Credential Harvesting and Privilege Escalation
Volume Shadow Copies in Windows are designed to provide backups of both system and user files, facilitating data restoration. Adversaries, however, exploit this feature by using WMI to create and access these copies, particularly targeting sensitive files like NTDS.dit, SYSTEM, and SECURITY. These files are crucial as they contain critical information related to user credentials and system security.
A notable instance of such exploitation was detailed in May 2023, in a CISA cybersecurity advisory concerning the Volt Typhoon APT group [2]. The adversaries executed WMIC commands to start processes with ntdsutil.exe, a tool intended for managing Active Directory databases. These commands were engineered to create a Volume Shadow Copy and extract copies of the ntds.dit database and the SYSTEM and SECURITY registry hives.
Notably, the syntax and file paths in these commands were adapted to suit different system environments, but all aimed to replicate these sensitive files.
Some example commands are as follows.
wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\pro\""
wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\""
This method effectively circumvents the standard access restrictions on files like ntds.dit, which is locked while Active Directory is using it. By obtaining these files, the attackers could access a wealth of sensitive data, including password hashes, posing a significant threat to the security of the entire domain.
3. Establishing Persistence
The COR_PROFILER environment variable enables developers to specify an unmanaged or external profiler DLL that loads into every .NET process that initiates the Common Language Runtime (CLR). To simplify, when COR_ENABLE_PROFILING is set to 1, the DLL designated by COR_PROFILER is loaded each time a process initiates the CLR. Adversaries can exploit this feature to execute their malicious DLLs, establishing persistence on the infected host.
An example of this is the Blue Mockingbird cryptominer malware, which manipulates COR_PROFILER to direct to its payload DLL. As a result, whenever a process invokes the CLR, the infected host loads this DLL, thereby maintaining persistence [3]. Below is a breakdown of this attack flow.
Step 1: The attacker begins by removing any existing COR_PROFILER variable.
wmic ENVIRONMENT where "name='COR_PROFILER'" delete
Step 2: The attacker then creates a COR_ENABLE_PROFILING variable and sets its value to 1.
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"
Step 3: With COR_ENABLE_PROFILING set to 1, the attacker proceeds to create a new COR_PROFILER variable.
wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="<arbitrary CLSID>"
Step 4: The final step for the attacker is to add registry keys associated with the malicious DLL.
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F
This sequence of actions establishes the necessary environment and registry settings for the malicious DLL to be loaded, exploiting the COR_PROFILER feature in .NET environments.
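A defender-side correlation of the four steps above, written as an added example for this page (not code from Red Canary, CISA or the Red Report): it walks process-creation command lines in time order and raises a high-severity finding only when the CLSID written to COR_PROFILER is later registered under InProcServer32 after profiling was enabled, which separates this chain from a legitimately installed .NET profiler. The sample events and the CLSID are constructed placeholders.

```python
import re

# Constructed process-creation command lines for one host, in time order,
# modelled on Steps 1-4 above. The CLSID is a placeholder, not a real sample's.
SAMPLE_EVENTS = [
    'wmic ENVIRONMENT where "name=\'COR_PROFILER\'" delete',
    'wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"',
    'wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",'
    'VariableValue="{11111111-2222-3333-4444-555555555555}"',
    r'reg.exe add HKLM\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}'
    r'\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F',
]

ENV_DELETE = re.compile(r'\bwmic\b.*\benvironment\b.*cor_profiler.*\bdelete\b', re.I)
ENV_CREATE = re.compile(
    r'\bwmic\b.*\benvironment\s+create\b.*?\bname="(?P<name>[^"]+)".*?'
    r'variablevalue="(?P<value>[^"]*)"', re.I)
CLSID_REG = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?hklm\\software\\classes\\clsid\\'
    r'(?P<clsid>\{?[0-9a-f-]{36}\}?)\\inprocserver32', re.I)

def norm_clsid(value):
    """Compare CLSIDs case-insensitively and with or without braces."""
    return value.strip().strip("{}").lower()

def correlate_cor_profiler(events):
    """Walk command lines in order and return (severity, message) findings.
    Single steps stay low/medium because real .NET profilers set the same
    variables; the InProcServer32 registration of the COR_PROFILER CLSID
    after profiling was enabled completes the chain and is reported high."""
    findings, profiling_enabled, profiler_clsid = [], False, None
    for cmd in events:
        if ENV_DELETE.search(cmd):
            findings.append(("low", "COR_PROFILER variable removed via wmic"))
            continue
        m = ENV_CREATE.search(cmd)
        if m:
            name, value = m.group("name").upper(), m.group("value")
            if name == "COR_ENABLE_PROFILING" and value.strip() == "1":
                profiling_enabled = True
                findings.append(("medium", "COR_ENABLE_PROFILING=1 set via wmic"))
            elif name == "COR_PROFILER":
                profiler_clsid = norm_clsid(value)
                findings.append(("medium", f"COR_PROFILER set to {value} via wmic"))
            continue
        m = CLSID_REG.search(cmd)
        if m and profiler_clsid and norm_clsid(m.group("clsid")) == profiler_clsid:
            sev = "high" if profiling_enabled else "medium"
            findings.append((sev, f"InProcServer32 registered for COR_PROFILER CLSID {m.group('clsid')}"))
    return findings
```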
4. Lateral Movement
WMI allows users with the required privileges to execute commands on remote hosts without additional tools. Adversaries abuse this feature to move laterally in a compromised network. Adversaries have used the following commands, one in WMIC form and one in PowerShell form, to execute commands on a remote host:
wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create cmd.exe /c "<command>"
powershell -c Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c <command>" -ComputerName <remote_host's_name>
For example, as disclosed in CISA's cybersecurity advisory released in December 2023 [4], the Russian Foreign Intelligence Service (SVR) ran the following command on a victim's system.
wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
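As an added example (not from the Red Report or the cited advisories), the following Python tags process-creation command lines with the T1047 behaviours covered in sections 1, 2 and 4, matching both the wmic and the PowerShell spellings of each, and ranks them for triage; the sample command lines, host names and paths are constructed placeholders.

```python
import re

# Constructed process-creation command lines (the kind Sysmon Event ID 1 or
# Security 4688 would record); hosts, users and paths are placeholders.
SAMPLE_CMDLINES = [
    'wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename',
    'powershell Get-WmiObject -Class Win32_Service -ComputerName FILESRV01',
    r'wmic process call create "ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\""',
    'wmic /node:<remote_host_IP> /user:<username> /password:<password> '
    'process call create "cmd.exe /c whoami"',
    'powershell -c Invoke-WMIMethod -class Win32_Process -Name Create '
    '-ArgumentList "cmd /c whoami" -ComputerName FILESRV01',
    'wmic qfe list',
    r'notepad.exe C:\Users\alice\notes.txt',
]

# Each rule covers both the wmic and the PowerShell spelling of one behaviour,
# because the same WMI data can be reached either way (see section 1).
RULES = [
    ("wmi_discovery",
     re.compile(r'\bwmic\b.*\b(?:get|list)\b|\bget-wmiobject\b', re.I)),
    ("wmi_process_create",
     re.compile(r'\bwmic\b.*\bprocess\s+call\s+create\b'
                r'|invoke-wmimethod.*win32_process.*-name\s+create\b', re.I)),
    ("ntds_shadow_copy",
     re.compile(r'ntdsutil.*\bifm\b.*create\s+full', re.I)),
    ("remote_target",
     re.compile(r'\bwmic\b.*/node:'
                r'|(?:get-wmiobject|invoke-wmimethod).*-computername\b', re.I)),
]
# Weights: an ntds.dit dump outranks remote process creation, which outranks
# discovery alone; the sum of matched weights is the triage score.
WEIGHT = {"wmi_discovery": 1, "wmi_process_create": 2,
          "remote_target": 2, "ntds_shadow_copy": 4}

def classify_cmdline(cmdline):
    """Return the set of behaviour tags that match one command line."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}

def triage(cmdlines):
    """Return (score, sorted tags, cmdline) per line with a WMI indicator, highest first."""
    hits = []
    for cmd in cmdlines:
        tags = classify_cmdline(cmd)
        if tags:
            hits.append((sum(WEIGHT[t] for t in tags), sorted(tags), cmd))
    return sorted(hits, key=lambda hit: -hit[0])
```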
References
[1] “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
[2] “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
[3] T. Lambert, “Blue Mockingbird activity mines Monero cryptocurrency,” Red Canary, May 07, 2020. https://redcanary.com/blog/blue-mockingbird-cryptominer/
[4] “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” Cybersecurity and Infrastructure Security Agency (CISA). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a