Service Reconnaissance via WMIC.exe

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

Attackers may leverage the Windows Management Instrumentation Command-line (WMIC) tool for reconnaissance activities within a network. Specifically, WMIC can be used to query and retrieve information about services running on remote systems. By executing WMIC commands with the ‘service’ parameter, adversaries can identify the presence and status of specific services, potentially revealing vulnerable or misconfigured systems. This information can then be used to guide further exploitation attempts. WMIC is a built-in Windows utility, making its activity blend with legitimate system administration tasks, increasing the difficulty of detection. This activity is a component of the broader T1047 technique (Windows Management Instrumentation).

Attack Chain

The attacker gains initial access to a compromised system within the target network.
The attacker executes WMIC.exe from the command line.
WMIC.exe is invoked with the service parameter to query service information.
The command includes a target IP address or hostname to query a remote system.
The command attempts to retrieve service names and status information (e.g., wmic /node:"192.168.1.100" service get name, state).
WMIC attempts to connect to the remote host via RPC. An error message is generated if the remote host is unreachable: “Node - (provided IP or default) ERROR Description =The RPC server is unavailable”.
If the target service is not running, a “No instance(s) Available” message may be displayed.
The attacker parses the output from WMIC to identify running services of interest for further exploitation or lateral movement.

Impact

Successful service reconnaissance allows attackers to map potential attack vectors within a network. By identifying specific services running on remote systems, attackers can prioritize targets for exploitation based on known vulnerabilities or misconfigurations. This can lead to unauthorized access, data breaches, and system compromise. While the reconnaissance itself does not directly cause harm, it provides crucial information that enables subsequent malicious activities.

Recommendation

Deploy the Sigma rule Detect Suspicious WMIC Service Enumeration to your SIEM to identify potential service reconnaissance attempts via WMIC (logsource: process_creation, product: windows).
Monitor process creation events for WMIC.exe executions containing the service parameter using endpoint detection and response (EDR) solutions (logsource: process_creation, product: windows).
Implement network segmentation to limit the scope of potential reconnaissance activities.
Review and restrict the use of WMIC in your environment, as it is a common tool for both legitimate administration and malicious activity.

Service Startup Type Modification via WMIC

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may leverage WMIC, a legitimate Windows command-line utility, to modify the startup type of services. This tactic is often used to disable security products or critical system services, hindering incident response or creating system instability. By setting services to “Manual” or “Disabled”, adversaries ensure that these services do not automatically start upon system boot, achieving persistence or impeding detection. While WMIC is a built-in tool, its use for modifying service startup types is often indicative of malicious activity, especially when performed on security-related services. This activity may be part of a larger attack chain aimed at deploying ransomware, exfiltrating data, or establishing a persistent presence on the compromised system.

Attack Chain

An attacker gains initial access to the target system, potentially through phishing, exploiting a vulnerability, or compromised credentials.
The attacker executes wmic.exe with specific command-line arguments to interact with Windows services.
The service alias is invoked within WMIC to target specific services.
The ChangeStartMode method is used to modify the startup type of the targeted service.
The attacker sets the startup type to either Manual or Disabled, preventing the service from automatically starting on subsequent reboots.
If the targeted service is a security product, this action effectively disables the defense mechanism.
The attacker proceeds with further malicious activities, such as deploying malware or exfiltrating sensitive data, with reduced resistance.
The compromised system experiences degraded security posture and potential operational disruptions.

Impact

Successful modification of service startup types can severely impact system security and availability. Disabling security software can lead to undetected malware infections and data breaches. Disabling critical system services can cause system instability, data loss, or complete system failure. While the exact number of victims is unknown, this technique is broadly applicable across Windows environments, potentially affecting organizations of any size and in any sector. The impact ranges from minor operational disruptions to significant financial losses due to data breaches and ransomware attacks.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect suspicious wmic.exe process creations that attempt to change service startup types.
Investigate any instances where wmic.exe is used to modify service startup types, especially when the targeted services are related to security or critical system functions.
Implement endpoint detection and response (EDR) solutions to provide enhanced visibility into process execution and system modifications.
Regularly review and audit service configurations to identify unauthorized changes.

Attack.t1047 — CraftedSignal Threat Feed

Service Reconnaissance via WMIC.exe

Attack Chain

Impact

Recommendation

Service Startup Type Modification via WMIC

Attack Chain

Impact

Recommendation