T1047 Windows Management Instrumentation of the MITRE ATT&CK Framework

Windows Management Instrumentation (WMI) is the infrastructure for managing data and operations on Windows-based operating systems. Adversaries abuse the extensive capabilities of WMI to execute malicious commands and payloads in compromised Windows hosts. The WMI service also gives adversaries local and remote access. 

The versatility of WMI makes the Windows Management Instrumentation [T1047] the ninth most frequently used MITRE ATT&CK technique in the Red Report 2024.

The Red Report 2024 The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries DOWNLOAD NOW

Adversary Use of Windows Management Instrumentation

The Windows Management Instrumentation (WMI) is an integral administrative feature natively available in Windows operating systems. Existing since the era of Windows NT, WMI and its command-line interface (WMIC) have been primary interaction tools until Windows 10 version 21H1. Given its longstanding availability, WMIC became a frequent tool in attack campaigns by adversaries. While PowerShell has now overtaken WMIC in newer Windows versions for WMI tasks, many hosts globally continue to operate on older Windows versions, making WMIC-based malicious payloads prevalent in cyber threats.

In the MITRE ATT&CK framework, the WMI technique does not specify any sub-techniques. Nonetheless, adversaries exploit WMI's extensive access to various operating system functions for command execution, defense evasion, discovery, and lateral movement. The ways in which adversaries employ WMI in their attack strategies are varied and multifaceted. Below are some illustrative examples of this usage.

1. System and Information Discovery

PowerShell's Get-WmiObject cmdlet can be used to obtain information about WMI classes from local or remote hosts. Adversaries use the Get-WmiObject cmdlet to gather information about compromised hosts or other hosts in a compromised network.

For example, as disclosed by CISA in December 2023, the Russian Foreign Intelligence Service (SRV) used the following PowerShell command to retrieve information about the services running on a specified remote computer using WMI [1].

WMIC itself can be used for system information discovery, too. For instance, in May 2023, as disclosed by CISA's cybersecurity advisory (AA23-144A) on the China-based stated sponsored APT group Volt Typhoon [2], adversaries run the following wmic command to gather information about local drives. 

This query lists all logical disks (such as hard drives, USB drives, etc.) along with their file system type (like NTFS or FAT32), available free space, total size, and volume name. 

By executing this command, adversaries can efficiently assess the storage resources and data organization of the system, which could aid in planning further malicious activities such as data theft, identifying locations for data exfiltration, or determining where to deploy payloads without arousing suspicion due to space constraints.

It is also essential to recognize the versatility with which adversaries can access information about WMI classes. They can employ various methods to retrieve the same data, underscoring the need for organizations to consider these different approaches when setting up their security monitoring and detection controls. 

For example, the three methods below, though different in approach, yield the same information about WMI classes:

2. Credential Harvesting and Privilege Escalation

Volume Shadow Copies in Windows are designed to provide backups of both system and user files, facilitating data restoration. Adversaries, however, exploit this feature by using WMI to create and access these copies, particularly targeting sensitive files like NTDS.dit, SYSTEM, and SECURITY. These files are crucial as they contain critical information related to user credentials and system security.

A notable instance of such exploitation was detailed in May 2023, in a CISA cybersecurity advisory concerning the Volt Typhoon APT group [38]. The adversaries executed WMIC commands to initiate processes with ntdsutil.exe, a tool intended for managing Active Directory databases. These commands were engineered to create a Volume Shadow Copy and extract copies of the ntds.dit database and the SYSTEM and SECURITY registry hives. 

Notably, the syntax and file paths in these commands were adapted to suit different system environments, but all aimed to replicate these sensitive files. 

Some example commands are as follows.

This method effectively circumvents the standard access restrictions imposed on files like ntds.dit, which is typically locked for security while Active Directory is using it. By securing these files, the attackers could access a wealth of sensitive data, including password hashes, thereby posing a significant threat to the security of the entire domain.

3. Establishing Persistence

The COR_PROFILER environment variable enables developers to specify an unmanaged or external profiler DLL that loads into every .NET process that initiates the Common Language Runtime (CLR). To simplify, when COR_ENABLE_PROFILING is set to 1, the DLL designated by COR_PROFILER is loaded each time a process initiates the CLR. Adversaries can exploit this feature to execute their malicious DLLs, establishing persistence on the infected host. 

An example of this is the Blue Mockingbird cryptominer malware, which manipulates COR_PROFILER to direct to its payload DLL. As a result, whenever a process invokes the CLR, the infected host loads this DLL, thereby maintaining persistence [3]. Below is a breakdown of this attack flow.

Step 1: The attacker begins by removing any existing COR_PROFILER variable.

Step 2: The attacker then creates a COR_ENABLE_PROFILING variable and sets its value to 1.

Step 3: With COR_ENABLE_PROFILING set to 1, the attacker proceeds to create a new COR_PROFILER variable.

Step 4: The final step for the attacker is to add registry keys associated with the malicious DLL.

This sequence of actions establishes the necessary environment and registry settings for the malicious DLL to be loaded, exploiting the COR_PROFILER feature in .NET environments.

4. Lateral Movement

WMI allows users with the required privileges to execute commands in remote hosts without additional tools. Adversaries abuse this feature to move laterally in a compromised network. Adversaries used the following commands to execute commands in a remote host:

For example, as disclosed by CISA's cybersecurity advisory, which was released in December 2023 [4], the Russian Foreign Intelligence Service (SVR) ran the following command on their victim's system.

References

[1] “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” Cybersecurity and Infrastructure Security Agency CISA.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

[2]“People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” Cybersecurity and Infrastructure Security Agency CISA.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

[3]T. Lambert, “Blue Mockingbird activity mines Monero cryptocurrency,” Red Canary, May 07, 2020.  https://redcanary.com/blog/blue-mockingbird-cryptominer/

[4] “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” Cybersecurity and Infrastructure Security Agency CISA.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

RELATED RESOURCES