T1047.md

T1047 - Windows Management Instrumentation

Description from ATT&CK

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

Atomic Tests

• Atomic Test #1 - WMI Reconnaissance Users

• Atomic Test #2 - WMI Reconnaissance Processes

• Atomic Test #3 - WMI Reconnaissance Software

• Atomic Test #4 - WMI Reconnaissance List Remote Services

• Atomic Test #5 - WMI Execute Local Process

• Atomic Test #6 - WMI Execute Remote Process

• Atomic Test #7 - Create a Process using WMI Query and an Encoded Command

Atomic Test #1 - WMI Reconnaissance Users

An adversary might use WMI to list all local User Accounts. When the test completes , there should be local user accounts information displayed on the command line.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

wmic useraccount get /ALL /format:csv

Atomic Test #2 - WMI Reconnaissance Processes

An adversary might use WMI to list Processes running on the compromised host. When the test completes , there should be running processes listed on the command line.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

wmic process get caption,executablepath,commandline /format:csv

Atomic Test #3 - WMI Reconnaissance Software

An adversary might use WMI to list installed Software hotfix and patches. When the test completes, there should be a list of installed patches and when they were installed.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

wmic qfe get description,installedOn /format:csv

Atomic Test #4 - WMI Reconnaissance List Remote Services

An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
node	Ip Address	String	127.0.0.1
service_search_string	Name Of Service	String	Spooler

Attack Commands: Run with command_prompt!

wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")

Atomic Test #5 - WMI Execute Local Process

This test uses wmic.exe to execute a process on the local host. When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
process_to_execute	Name or path of process to execute.	String	notepad.exe

Attack Commands: Run with command_prompt!

wmic process call create #{process_to_execute}

Cleanup Commands:

wmic process where name='#{process_to_execute}' delete >nul 2>&1

Atomic Test #6 - WMI Execute Remote Process

This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
node	Ip Address	String	127.0.0.1
user_name	Username	String	DOMAIN\Administrator
password	Password	String	P@ssw0rd1
process_to_execute	Name or path of process to execute.	String	notepad.exe

Attack Commands: Run with command_prompt!

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}

Cleanup Commands:

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1

Atomic Test #7 - Create a Process using WMI Query and an Encoded Command

Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand Powershell -nop -exec bypass -EncodedCommand Where the –EncodedCommand, once decoded, would resemble: Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe You should expect to see notepad.exe running after execution of this test. Solarigate Analysis from Microsoft

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA