{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1047/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage the Windows Management Instrumentation Command-line (WMIC) tool for reconnaissance activities within a network. Specifically, WMIC can be used to query and retrieve information about services running on remote systems. By executing WMIC commands with the \u0026lsquo;service\u0026rsquo; parameter, adversaries can identify the presence and status of specific services, potentially revealing vulnerable or misconfigured systems. This information can then be used to guide further exploitation attempts. WMIC is a built-in Windows utility, making its activity blend with legitimate system administration tasks, increasing the difficulty of detection. This activity is a component of the broader T1047 technique (Windows Management Instrumentation).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes WMIC.exe from the command line.\u003c/li\u003e\n\u003cli\u003eWMIC.exe is invoked with the \u003ccode\u003eservice\u003c/code\u003e parameter to query service information.\u003c/li\u003e\n\u003cli\u003eThe command includes a target IP address or hostname to query a remote system.\u003c/li\u003e\n\u003cli\u003eThe command attempts to retrieve service names and status information (e.g., \u003ccode\u003ewmic /node:\u0026quot;192.168.1.100\u0026quot; service get name, state\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWMIC attempts to connect to the remote host via RPC. An error message is generated if the remote host is unreachable: \u0026ldquo;Node - (provided IP or default) ERROR Description =The RPC server is unavailable\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf the target service is not running, a \u0026ldquo;No instance(s) Available\u0026rdquo; message may be displayed.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from WMIC to identify running services of interest for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful service reconnaissance allows attackers to map potential attack vectors within a network. By identifying specific services running on remote systems, attackers can prioritize targets for exploitation based on known vulnerabilities or misconfigurations. This can lead to unauthorized access, data breaches, and system compromise. While the reconnaissance itself does not directly cause harm, it provides crucial information that enables subsequent malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMIC Service Enumeration\u003c/code\u003e to your SIEM to identify potential service reconnaissance attempts via WMIC (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eWMIC.exe\u003c/code\u003e executions containing the \u003ccode\u003eservice\u003c/code\u003e parameter using endpoint detection and response (EDR) solutions (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of WMIC in your environment, as it is a common tool for both legitimate administration and malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wmic-service-recon/","summary":"Adversaries use WMIC.exe to enumerate running services on remote devices, potentially identifying valuable targets or misconfigured systems.","title":"Service Reconnaissance via WMIC.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wmic-service-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047","attack.defense-evasion","attack.t1562.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage WMIC, a legitimate Windows command-line utility, to modify the startup type of services. This tactic is often used to disable security products or critical system services, hindering incident response or creating system instability. By setting services to \u0026ldquo;Manual\u0026rdquo; or \u0026ldquo;Disabled\u0026rdquo;, adversaries ensure that these services do not automatically start upon system boot, achieving persistence or impeding detection. While WMIC is a built-in tool, its use for modifying service startup types is often indicative of malicious activity, especially when performed on security-related services. This activity may be part of a larger attack chain aimed at deploying ransomware, exfiltrating data, or establishing a persistent presence on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing, exploiting a vulnerability, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewmic.exe\u003c/code\u003e with specific command-line arguments to interact with Windows services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eservice\u003c/code\u003e alias is invoked within WMIC to target specific services.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eChangeStartMode\u003c/code\u003e method is used to modify the startup type of the targeted service.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the startup type to either \u003ccode\u003eManual\u003c/code\u003e or \u003ccode\u003eDisabled\u003c/code\u003e, preventing the service from automatically starting on subsequent reboots.\u003c/li\u003e\n\u003cli\u003eIf the targeted service is a security product, this action effectively disables the defense mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activities, such as deploying malware or exfiltrating sensitive data, with reduced resistance.\u003c/li\u003e\n\u003cli\u003eThe compromised system experiences degraded security posture and potential operational disruptions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service startup types can severely impact system security and availability. Disabling security software can lead to undetected malware infections and data breaches. Disabling critical system services can cause system instability, data loss, or complete system failure. While the exact number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting organizations of any size and in any sector. The impact ranges from minor operational disruptions to significant financial losses due to data breaches and ransomware attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious \u003ccode\u003ewmic.exe\u003c/code\u003e process creations that attempt to change service startup types.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ewmic.exe\u003c/code\u003e is used to modify service startup types, especially when the targeted services are related to security or critical system functions.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions to provide enhanced visibility into process execution and system modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit service configurations to identify unauthorized changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmic-service-startup-change/","summary":"Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair defenses or disrupt system operations.","title":"Service Startup Type Modification via WMIC","url":"https://feed.craftedsignal.io/briefs/2024-01-wmic-service-startup-change/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1047","version":"https://jsonfeed.org/version/1.1"}