CircleCI Atomic Red Team doc generator
88 lines
2.3 KiB
Markdown
88 lines
2.3 KiB
Markdown
# T1047 - Windows Management Instrumentation
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
|
|
<blockquote>Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
|
|
|
|
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - WMI Reconnaissance Users](#atomic-test-1---wmi-reconnaissance-users)
|
|
|
|
- [Atomic Test #2 - WMI Reconnaissance Processes](#atomic-test-2---wmi-reconnaissance-processes)
|
|
|
|
- [Atomic Test #3 - WMI Reconnaissance Software](#atomic-test-3---wmi-reconnaissance-software)
|
|
|
|
- [Atomic Test #4 - WMI Reconnaissance List Remote Services](#atomic-test-4---wmi-reconnaissance-list-remote-services)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - WMI Reconnaissance Users
|
|
WMI List User Accounts
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
wmic useraccount get /ALL
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - WMI Reconnaissance Processes
|
|
WMI List Processes
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
wmic process get caption,executablepath,commandline
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - WMI Reconnaissance Software
|
|
WMI List Software
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
wmic qfe get description,installedOn /format:csv
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - WMI Reconnaissance List Remote Services
|
|
WMI List Remote Services
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| node | Ip Address | String | 192.168.0.1|
|
|
| service_search_string | Name Of Service | String | sql server|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
|
|
```
|
|
|
|
|
|
|
|
<br/>
|