security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1047/T1047.md
T
caseysmithrc 27a26d584b T1047
2018-05-23 20:47:53 -06:00

2.9 KiB
Raw Blame History

T1047 - Windows Management Instrumentation

Description from ATT&CK

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)

Platforms: Windows

Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring

Permissions Required: User, Administrator

System Requirements: WMI service, winmgmt, running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.

Remote Support: Yes

Atomic Tests


Atomic Test #1 - WMI Reconnaissance Users

WMI List User Accounts

Supported Platforms: Windows

Run it with command_prompt!

wmic useraccount get /ALL


Atomic Test #2 - WMI Reconnaissance Processes

WMI List Processes

Supported Platforms: Windows

Run it with command_prompt!

wmic process get caption,executablepath,commandline


Atomic Test #3 - WMI Reconnaissance Software

WMI List Software

Supported Platforms: Windows

Run it with command_prompt!

wmic qfe get description,installedOn /format:csv


Atomic Test #4 - WMI Reconnaissance List Remote Services

WMI List Remote Services

Supported Platforms: Windows

Inputs

Name Description Type Default Value
node Ip Address String 192.168.0.1
service_search_string Name Of Service String sql server

Run it with command_prompt!

wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")

Reference in New Issue View Git Blame Copy Permalink