Introduction:
In the complex landscape of Windows operating systems, one technology has stood the test of time—Windows Management Instrumentation (WMI). Developed by Microsoft as an implementation of the WBEM standard. Initially designed to aid administrators in managing large, distributed environments, WMI has evolved to become a double-edged sword, with both defenders and attackers leveraging its capabilities.
Understanding WMI: More Than Just Configuration
WMI provides administrators with access to nearly 4,000 configurable items, covering everything from system details to CPU fan management. Traditionally accessed through tools like WMIC.exe, WMI has, in recent times, found a more versatile companion in PowerShell. However, this evolution has not gone unnoticed by attackers, who now interchangeably use both portals for their activities.
WMI in the Attack Arsenal:
Attackers find WMI particularly appealing for its ability to execute a wide range of actions with minimal logging. It requires administrative rights, making it a potent post-exploitation tool. WMI operates with trusted, signed binaries, and any scripts utilized can be easily obfuscated to avoid detection. Moreover, it predominantly operates as "memory only," using standard DCOM/PSRemoting traffic on the network, making it blend seamlessly into the noise.
Mitre ATT&CK Framework:
WMI's prominence in modern adversary toolsets is evident in its entry in the Mitre ATT&CK framework. Nearly every advanced adversary group incorporates WMI into their toolkit, necessitating a deeper understanding for defenders to detect and mitigate its usage effectively.
WMI in Action: Commands and Use Cases
Reconnaissance:
In its simplest form, WMI serves as an excellent tool for reconnaissance during an attack. Commands like those below are often executed shortly after initial exploitation:
# List Processes with Details
wmic process get CSName,Description,ExecutablePath,ProcessId
# List User Accounts with Full Details
wmic useraccount list full
# List Groups with Full Details
wmic group list full
# List Network Connections
wmic netuse list full
# List Installed Hotfixes and Updates
wmic qfe get Caption,Description,HotFixID,InstalledOn
# List Startup Programs
wmic startup get Caption,Command,Location,User
Identifying malicious behavior can be challenging due to the innocuous nature of many WMI recon commands. However, specific command sequences may reveal an attacker's unique patterns.
Privilege Escalation:
One of the most effective tools for privilege escalation in the wild is the script "PowerUp.ps1". Leveraging WMI, it queries over twenty common misconfigurations, as demonstrated in the examples below:
# find unquoted services set to auto-start
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v"C:\Windows\\" |findstr /i /v"""
# find highly privileged processes that can be attacked
$Owners = @{}Get-WmiObject -Class win32_process | Where-Object {$_} | ForEach-Object{$Owners[$_.handle] = $_.getowner().user}
# find all paths to service .exe's that have a space in the path and aren't quoted
$VulnServices = Get-WmiObject -Class win32_service | Where-Object {$_}
| Where-Object {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | Where-Object {-not $_.pathname.StartsWith("'"")}
Malware Attacks: (Example NotPetya)
Malware, including NotPetya, has capitalized on WMI's capabilities for its operations. NotPetya uses WMI for code execution and spreading to remote shares. The command "wmic process call create" is employed for both local and remote execution, showcasing WMI's role in advanced malware attacks.
WMI Eventing and Persistence: A Stealthy Backdoor
WMI's potential as a persistence mechanism is often overlooked but highly significant. Attackers exploit WMI Event Consumers to create backdoors that operate with SYSTEM privileges. This involves creating event filters, adding event consumers, and tying them together via bindings. This persistence technique poses a significant challenge for organizations to detect without the proper tools.
1 Event Filter -> Trigger condition
2. Event Consumer -> Script or executable to run
3. Binding -> Tie together Filter + ConsumerThe Three Steps of WMI Eventing:
Event Filter Creation: An event filter must be created describing a specific trigger to detect (e.g., trigger every twenty seconds).
Event Consumer Addition: An event consumer is added to the system with a script and/or executable to run (e.g., run a PowerShell script to beacon to a command and control server).
Binding: The event and consumer are tied together via a binding, and the persistence mechanism is loaded into the WMI repository.
Real-World Examples: Stuxnet
Stuxnet, a notorious example of a sophisticated attack, utilized WMI for persistence. It employed a zero-day vulnerability in the print spooler to transfer files, including a .MOF file. This .MOF file auto-compiled to create a WMI event filter and consumer for immediate execution, highlighting the real-world implications of WMI-based attacks.
This type of attack is not theoretical. Stuxnet was perhaps the first sample in the wild to use the attack. It used a zero-day vulnerability in the print spooler (MS10-061) to allow the transfer of two files to remote systems—an .EXE and a .MOF file. The .MOF file was auto-compiled by the system, creating a WMI event filter and consumer to immediately execute the .exe file.
Conclusion:
Windows Management Instrumentation, initially a boon for administrators, has become a potent tool in the hands of attackers. Understanding its capabilities and potential security implications is crucial for modern cybersecurity. Defenders must equip themselves with the knowledge to detect and mitigate WMI-based attacks effectively, ensuring the resilience of their systems in the face of evolving threats.
In the ever-changing landscape of cybersecurity, staying one step ahead requires a comprehensive understanding of tools like WMI. As we delve deeper into the intricacies of Windows systems, let this exploration of WMI serve as a guide to fortify our defenses against the stealthy maneuvers of modern adversaries.
Akash Patel
Comments