CYBERSECURITY JOB HUNTING GUIDE
T1047 Windows Management
Author: Stefan Waldvogel
LimaCharlie vs. Windows management tool
Overview:
Description from ATT&CK
Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1047 -ShowDetailsBrief
Invoke-AtomicTest T1047 -CheckPrereqs
Invoke-AtomicTest T1047 -GetPrereqs
Invoke-AtomicTest T1047
Invoke-AtomicTest T1047 -Cleanup
Contains 8 subtests
Changes:
Limitations:
Result:
Invoke-AtomicTest T1047 -TestNumbers 1: sigma, XSL Script Processing, Local Accounts Discovery
Invoke-AtomicTest T1047 -TestNumbers 2: sigma, XSL Script Processing
Invoke-AtomicTest T1047 -TestNumbers 3: sigma, XSL Script Processing
Invoke-AtomicTest T1047 -TestNumbers 4: sigma, XSL Script Processing
Invoke-AtomicTest T1047 -TestNumbers 5: not detected
Invoke-AtomicTest T1047 -TestNumbers 6: no valid user creds, sigma, still detected as Suspicious WMI Execution
Invoke-AtomicTest T1047 -TestNumbers 7: soteria, 00014-WIN-Encoded_Powershell
Invoke-AtomicTest T1047 -TestNumbers 8: sigma, powershell detected
Thoughts:
Test 5 is:
wmic process call create #{process_to_execute}
It is possible to log process creation with:
auditpol /set /subcategory:"Process Creation" /Success:Enable /Failure:Enable
Event Viewer should now show Event ID 4688 in the Security log. Now, create a rule for this event.
Disadvantage: a huge log file and a ton of false positives.
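As an added example (not from the original post, LimaCharlie or Atomic Red Team), this Python reads constructed Security 4688 records shaped like exported Event Viewer XML and flags only WMI-related process creation: wmic.exe running `process call create`, and any child whose parent is WmiPrvSE.exe, which is where the process started by test 5 actually shows up. Ordinary launches and plain wmic queries pass through, which is the narrowing a rule on 4688 needs to avoid the false-positive flood; the EventData field names are the real 4688 ones, the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def make_4688(new_process, command_line, parent):
    # Constructed skeleton of a Security 4688 record, keeping only the fields the rules read.
    return (
        f'<Event xmlns="{NS[1:-1]}"><System><EventID>4688</EventID></System><EventData>'
        f'<Data Name="NewProcessName">{escape(new_process)}</Data>'
        f'<Data Name="CommandLine">{escape(command_line)}</Data>'
        f'<Data Name="ParentProcessName">{escape(parent)}</Data>'
        f"</EventData></Event>"
    )


# Constructed sample log: a benign launch, the wmic.exe call from test 5, the child it
# spawns (parented by WmiPrvSE.exe, not by wmic.exe), and a harmless wmic query.
SAMPLE_EVENTS = [
    make_4688(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    make_4688(r"C:\Windows\System32\wbem\WMIC.exe", "wmic process call create calc.exe", r"C:\Windows\System32\cmd.exe"),
    make_4688(r"C:\Windows\System32\calc.exe", "calc.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    make_4688(r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
]


def parse_4688(xml_text):
    """Return the EventData fields of a 4688 record as a dict, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "4688":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}


def classify(fields):
    """Label a 4688 record, or return None so ordinary process starts stay quiet."""
    new_proc = fields.get("NewProcessName", "").lower()
    cmd = fields.get("CommandLine", "").lower()
    parent = fields.get("ParentProcessName", "").lower()
    if new_proc.endswith("\\wmic.exe") and "process call create" in cmd:
        return "wmic process call create"
    if parent.endswith("\\wmiprvse.exe"):
        return "process spawned by WMI provider host"
    return None


def scan(events):
    """Run both rules over raw event XML; returns one (label, command line) pair per hit."""
    hits = []
    for fields in filter(None, map(parse_4688, events)):
        label = classify(fields)
        if label:
            hits.append((label, fields["CommandLine"]))
    return hits
```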
Disable process creation logging:
auditpol /set /subcategory:"Process Creation" /Success:Disable /Failure:Disable
Conclusion
Logging process creation is simple, but not practical.
© 2021. This work is licensed under a CC BY-SA 4.0 license