MITRE ATT&CK Mondays is an ongoing series of articles on adversary tactics and techniques listed on the MITRE ATT&CK framework. We will focus on one technique per week, discuss what it is, what it looks like in the wild, possible future applications, and how to defend and protect your network.
WMI — Windows Management Instrumentation — has been around as a foundational Windows administration mechanism since Windows NT, so it isn’t exactly a new tool for hackers to abuse. Its main legitimate purpose is to allow programmatic management of Windows personal computers and servers, so an admin could write, say a Powershell script, to edit the registry or even manage the temperature of an endpoint, or do any other number of administrative actions.
Whether Microsoft has intended it or not, WMI has become the de facto management layer for any large windows deployment, which means that many organizations rely on it for day-to-day management, making it near impossible to disable. It can be used locally, such as with a command-line tool like wmic, or remotely through SMB or the remote procedure call service, making it a key tool for legit admins to manage large sites and for hackers using living off the land techniques to do their nefarious deeds with a lower the chance of detection.
Later we will cover WMI’s other classification in the MITRE ATT&CK framework: WMI Event Subscription, which is under the persistence tactic.
Although it is classified in the MITRE ATT&CK framework as Enterprise Technique T1047 “Windows Management Instrumentation” under the execution tactic, it can be used in multiple stages of the attack such as persistence or discovery, which is apparent from its abuse in the wild: BlackEnergy 2 malware and the FLEXIROOT backdoor use it for discovery, while groups like Deep Panda (possibly APT19) and Soft Cell use it for lateral movement. It was even abused by WannaCry to delete shadow copies — that’s right, this common system management tool was used to destroy backups making the ransomware all the more potent.
We should expect to see continued and growing use of WMI abuse due to the continued automation of hacker tools and groups (like its recent use in the latest Emotet), and because it just makes sense for hackers: it’s universal among modern Windows systems (ex: nearly every Windows machine with an open port 445 is running it), it’s automatable, and it can be difficult to detect.
Detecting malicious use of WMI is no easy task, which makes it frustrating because of its ubiquity. Luckily our CyCarrier AIR platform specializes in catching abnormal and malicious system behavior like WMI abuse: we analyze multiple levels of forensic data across your enterprise to connect the dots and make even the subtlest attacks visible and show their complete storylines, saving you the headache.
Writer: CyCraft
CyCraft is a cybersecurity company founded in 2017, focusing on autonomous AI technology. Headquartered in Taiwan, it has subsidiaries in Japan and Singapore. CyCraft provides professional cybersecurity services to government agencies, police and defense forces, banks, and high-tech manufacturers throughout the Asia-Pacific region. It has received strong backing from the CID Group and Pavilion Capital, a Temasek Holdings Private Limited subsidiary.