Impacket’s WMIExec & quiet execution patterns


Attack technique

Technique name: WMIExec Malicious Execution & Quiet Execution Patterns

MITRE ATT&CK

  • Tactic: Lateral Movement, Execution
  • Technique: Windows Management Instrumentation, Remote Services

Technique description
Impacket is a collection of Python tools and classes for working with a range of network protocols.
One of the tools in the collection is WMIExec (wmiexec.py), which provides remote command execution, and therefore lateral movement, over native Windows protocols (RPC/DCOM and WMI).
Attackers use the Impacket tools extensively, WMIExec in particular (alongside DCOMExec and SMBExec), for malware distribution and lateral movement.

Detecting use of these tools helps identify both real attacks and penetration-testing/red-team assessments.
WMIExec, and the other tools that share its quiet execution pattern, have been observed in the wild many times, and their executions tend to show repeating characteristics, including the following:

  • WMIExec only - Execution of cmd.exe as a child of WmiPrvSe.exe, where the cmd.exe command line follows a fixed pattern: specific flags, an output path that includes “ADMIN$”, and a file name that encodes the EPOCH time.
    • In the wild example - WMIExec (DFIR Report): cmd.exe /Q /c expand cache.cab -F:* c:\programdata 1> \\127.0.0.1\ADMIN$\____REDACTED 2>&1
  • Multiple Impacket tools, including WMIExec, DCOMExec and SMBExec - Execution of cmd.exe with the “/Q” (echo off) flag in the command line, when the parent process of cmd.exe is one of the following: WmiPrvSe.exe, services.exe, or mmc.exe.
    • Note: There are additional ways to use the tools mentioned above. For example, mmc.exe doesn’t have to be the parent process when DCOMExec is used; we looked at this specific case because it is the best-known option.
    • In the wild example - WMIExec (DFIR Report): cmd.exe /Q /c m2.exe 1> \\127.0.0.1\ADMIN$\____REDACTED 2>&1

References

Here are multiple data sources related to the malicious usage of relevant Impacket tools:

Threat hunting theses breakdown

In this threat-hunting campaign we focused on WMIExec usage, since it is very prevalent in real attacks. However, we also looked at characteristics that can identify usage of other Impacket tools such as SMBExec and DCOMExec.

We used a single SQL query to hunt for both patterns/characteristics described above, but we explain them separately in the theses breakdown below:

Thesis A: Identification of WMIExec.py command-line characteristics combined with relevant process’ parent-child relationship (victim host)

Relevant data sources:

  • Main data source: EDR Logs
  • Complementary data sources: -

Thesis explanation
In this hunting thesis, we looked for executions of cmd.exe as a child process of WmiPrvSe.exe, where the cmd.exe command line includes:

  • The specific flags the tool is known to use (/Q /c, as in the examples above)
  • ADMIN$ as part of the output path
  • An EPOCH timestamp pattern in the output file name
  • The redirection of standard error to standard output (2>&1)

All of the above are characteristics of normal WMIExec.py execution.

Blind spots

  • Cases in which the attacker modified the tool to remove some of the command-line patterns that stock WMIExec.py produces (a different share, a different output file name, or no output redirection at all).

Thesis B: Usage of quiet execution pattern combined with relevant process’ parent-child relationship (victim host)

Relevant data sources:

  • Main data source: EDR Logs
  • Complementary data sources: -

Thesis explanation
In this hunting thesis, we looked for executions of cmd.exe as a child process of WmiPrvSe.exe, services.exe, or mmc.exe, where the cmd.exe command line includes the “/Q” flag. This flag turns echo off and is used by several Impacket tools, including WMIExec, DCOMExec, and SMBExec; it can also help identify other malicious activity that is unrelated to Impacket.

Blind spots

  • Usage of DCOMExec with a COM object other than MMC20, in which case the parent of cmd.exe is not mmc.exe.
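Both theses, expressed as detection logic and run over constructed EDR process-creation events. This is an added example, not the original page's SQL query or Team Axon's code. The thesis A regular expression assumes the default wmiexec.py command-line shape (cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1), which is taken from the tool's source rather than from the redacted examples above; the event field names, host names, timestamps and command lines are all invented.

```python
import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath
from typing import Optional

# Thesis A: the default wmiexec.py command-line shape. The "cmd.exe /Q /c" prefix,
# the loopback UNC output path on ADMIN$ and the "__<epoch>" file name are taken
# from the tool's source (an assumption here; the page only shows redacted examples).
WMIEXEC_RE = re.compile(
    r"^cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*"
    r"\\\\127\.0\.0\.1\\ADMIN\$\\__(?P<epoch>\d{9,10}(?:\.\d+)?)\s+2>&1\s*$",
    re.IGNORECASE,
)

# Thesis B: "/Q" (echo off) as a stand-alone switch anywhere in the command line.
QUIET_FLAG_RE = re.compile(r"(?:^|\s)/Q(?=\s|$)", re.IGNORECASE)

# Parents the page associates with WMIExec, SMBExec and DCOMExec (MMC20 variant).
QUIET_PARENTS = {"wmiprvse.exe", "services.exe", "mmc.exe"}


def _basename(path: str) -> str:
    """Lower-cased image name, whether the EDR reports a full path or just a name."""
    return PureWindowsPath(path).name.lower()


def match_thesis_a(event: dict) -> Optional[dict]:
    """cmd.exe under WmiPrvSE.exe with the complete wmiexec.py command-line pattern."""
    if _basename(event["image"]) != "cmd.exe" or _basename(event["parent"]) != "wmiprvse.exe":
        return None
    m = WMIEXEC_RE.match(event["cmdline"].strip())
    if not m:
        return None
    # The epoch in the file name is the attacker machine's clock when wmiexec.py
    # started; comparing it with the EDR timestamp exposes attacker/victim clock skew.
    launched = datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc)
    observed = datetime.fromisoformat(event["ts"])
    return {
        "thesis": "A",
        "host": event["host"],
        "command": m.group("cmd"),
        "attacker_clock_skew_s": round((observed - launched).total_seconds(), 1),
    }


def match_thesis_b(event: dict) -> Optional[dict]:
    """cmd.exe carrying /Q, spawned by WmiPrvSE.exe, services.exe or mmc.exe."""
    if _basename(event["image"]) != "cmd.exe":
        return None
    parent = _basename(event["parent"])
    if parent not in QUIET_PARENTS or not QUIET_FLAG_RE.search(event["cmdline"]):
        return None
    return {"thesis": "B", "host": event["host"], "parent": parent}


def hunt(events: list) -> list:
    """Run both theses over process-creation events; A is more specific, so it wins."""
    findings = []
    for ev in events:
        hit = match_thesis_a(ev) or match_thesis_b(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed EDR process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Default wmiexec.py run: matches thesis A.
    {"host": "WS01", "ts": "2022-04-15T05:20:10.500000+00:00",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1650000000.5 2>&1"},
    # 2. /Q under services.exe (service-based launch in the style of smbexec): thesis B.
    {"host": "SRV02", "ts": "2022-04-15T05:25:00+00:00",
     "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # 3. Same quiet pattern under explorer.exe (DCOMExec with a non-MMC20 object): blind spot, no match.
    {"host": "WS03", "ts": "2022-04-15T05:26:00+00:00",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1650000100.1 2>&1"},
    # 4. Legitimate WMI-launched script without /Q: no match.
    {"host": "WS04", "ts": "2022-04-15T05:27:00+00:00",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Program Files\Monitoring\check.bat"'},
    # 5. Lower-case /q under mmc.exe (DCOMExec MMC20): thesis B.
    {"host": "WS05", "ts": "2022-04-15T05:28:00+00:00",
     "parent": r"C:\Windows\System32\mmc.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /q /c ipconfig 1> \\127.0.0.1\ADMIN$\__1650000200.3 2>&1"},
    # 6. wmiexec.py pointed at C$ instead of ADMIN$: thesis A misses it, thesis B still fires.
    {"host": "WS06", "ts": "2022-04-15T05:29:00+00:00",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\C$\__1650000300.7 2>&1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Event 3 is the thesis B blind spot listed above (a parent that is not on the list), and event 6 is the thesis A blind spot (the attacker changed the share), which is why the two theses are hunted together: the broader /Q check catches what the exact command-line shape misses, at the cost of more triage.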

Recommended investigation flow

When a command-line pattern relevant to WMIExec is identified, several things can be checked to confirm it is a true positive and to investigate it:

  • What commands were executed through the cmd.exe process?
    • Map the activities conducted by the attacker. What do they tell you about the attacker’s intentions? (Focus on credential dumping, persistence configuration, data collection/exfiltration, etc.)
  • From which source host was the incoming RPC network connection (port 135) initiated? This is a reliable way to trace the lateral movement conducted using WMIExec.
  • Which user account initiated the incoming RPC network connection toward the victim host?
    • After identifying the user account, investigate the logons performed by this account in the hours/days before the activity (identification of other impacted devices).
    • Are there any other characteristics of this user account that might indicate malicious activity (EDR alerts, suspicious executions, suspicious DNS requests, etc.)?
  • Look for potential lateral movement from the identified victim host. Were there any outgoing connections originating from this host to known management ports (445, 3389, 135, 5985, etc.)?
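The pivots in this investigation flow, run over constructed victim-side network-connection and logon events. This is an added example, not part of the original page, Team Axon's query or any EDR product's API; the host names, IP addresses, account names, time windows and event field names are all invented. The logon events are shaped like Windows 4624 records (host, account, logon type, source address), and the detected cmd.exe start time is taken as the pivot point.

```python
from datetime import datetime, timedelta

# Ports the investigation flow calls out as management / lateral-movement channels.
MGMT_PORTS = {135, 445, 3389, 5985}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def rpc_sources(host, cmd_ts, net_events, window=timedelta(minutes=2)):
    """Remote IPs that opened an inbound TCP/135 connection to `host` just before cmd.exe ran."""
    t = _ts(cmd_ts)
    ips = []
    for e in net_events:
        if (e["host"] == host and e["direction"] == "inbound" and e.get("local_port") == 135
                and t - window <= _ts(e["ts"]) <= t and e["remote_ip"] not in ips):
            ips.append(e["remote_ip"])
    return ips


def accounts_from_source(host, src_ip, cmd_ts, logon_events, window=timedelta(minutes=2)):
    """Accounts with a network logon (type 3) on `host` from `src_ip` in the same window."""
    t = _ts(cmd_ts)
    users = []
    for e in logon_events:
        if (e["host"] == host and e["logon_type"] == 3 and e["src_ip"] == src_ip
                and t - window <= _ts(e["ts"]) <= t and e["user"] not in users):
            users.append(e["user"])
    return users


def earlier_logon_hosts(user, victim, cmd_ts, logon_events, lookback=timedelta(days=2)):
    """Other hosts the account logged on to before the execution: candidate earlier victims."""
    t = _ts(cmd_ts)
    hosts = {e["host"] for e in logon_events
             if e["user"] == user and e["host"] != victim and t - lookback <= _ts(e["ts"]) <= t}
    return sorted(hosts)


def onward_connections(host, cmd_ts, net_events, window=timedelta(hours=1)):
    """Outbound connections from the victim to management ports after the execution."""
    t = _ts(cmd_ts)
    return [(e["remote_ip"], e["remote_port"]) for e in net_events
            if e["host"] == host and e["direction"] == "outbound"
            and e.get("remote_port") in MGMT_PORTS and t <= _ts(e["ts"]) <= t + window]


def investigate(host, cmd_ts, net_events, logon_events):
    """Answer the investigation-flow questions for one WMIExec detection on `host`."""
    sources = rpc_sources(host, cmd_ts, net_events)
    accounts = []
    for ip in sources:
        for user in accounts_from_source(host, ip, cmd_ts, logon_events):
            if user not in accounts:
                accounts.append(user)
    earlier = {h for u in accounts for h in earlier_logon_hosts(u, host, cmd_ts, logon_events)}
    return {
        "source_ips": sources,
        "accounts": accounts,
        "earlier_logon_hosts": sorted(earlier),
        "onward": onward_connections(host, cmd_ts, net_events),
    }


# Constructed victim-side network connection events (not real telemetry).
NET_EVENTS = [
    {"host": "WS01", "ts": "2022-04-15T04:00:00+00:00", "direction": "inbound",
     "remote_ip": "10.0.0.9", "local_port": 135},    # monitoring server, well before the execution
    {"host": "WS01", "ts": "2022-04-15T05:20:09+00:00", "direction": "inbound",
     "remote_ip": "10.0.0.5", "local_port": 135},    # DCOM/WMI from the attacker's host
    {"host": "WS01", "ts": "2022-04-15T05:20:09+00:00", "direction": "inbound",
     "remote_ip": "10.0.0.5", "local_port": 445},    # SMB used to collect the output file
    {"host": "WS01", "ts": "2022-04-15T05:31:00+00:00", "direction": "outbound",
     "remote_ip": "10.0.0.22", "remote_port": 445},
    {"host": "WS01", "ts": "2022-04-15T05:32:00+00:00", "direction": "outbound",
     "remote_ip": "10.0.0.23", "remote_port": 5985},
    {"host": "WS01", "ts": "2022-04-15T05:33:00+00:00", "direction": "outbound",
     "remote_ip": "10.0.0.50", "remote_port": 443},  # not a management port
]

# Constructed logon events in the shape of Windows 4624 (not real telemetry).
LOGON_EVENTS = [
    {"host": "WS01", "ts": "2022-04-15T04:00:00+00:00", "user": "CORP\\svc-mon", "logon_type": 3, "src_ip": "10.0.0.9"},
    {"host": "WS01", "ts": "2022-04-15T05:20:09+00:00", "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"host": "FS01", "ts": "2022-04-14T22:10:00+00:00", "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"host": "WS07", "ts": "2022-04-10T09:00:00+00:00", "user": "CORP\\jdoe", "logon_type": 2, "src_ip": "-"},
]

CMD_TS = "2022-04-15T05:20:10.500000+00:00"  # start time of the detected cmd.exe on WS01

if __name__ == "__main__":
    print(investigate("WS01", CMD_TS, NET_EVENTS, LOGON_EVENTS))
```

The short window before the execution is what keeps the unrelated monitoring-server connection (and its service account) out of the result, and the lookback over the account's earlier type-3 logons is what surfaces FS01 as a host to check next.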

Threat hunting queries

The following link includes the threat-hunting queries used to hunt for the WMIExec and quiet-execution-pattern characteristics.
Team Axon used this query (or similar ones) as part of the threat-hunting campaign, with timeframe adjustments.