Lateral movement is a necessary step early in the attack lifecycle of any successful breach. Once an adversary gains access to a victim environment, their natural progression is to move laterally to other hosts of interest, getting ever closer to their ultimate objectives. Attackers use a variety of methods for lateral movement, but this post focuses on two of them: Windows Management Instrumentation (WMI) and Scheduled Tasks.

Both WMI and Scheduled Tasks play the same role in a lateral movement operation: they provide a means of execution on a remote system over the network. We'll look at WMI and Scheduled Tasks individually to discuss why, how, and what types of adversaries use them for lateral movement. Finally, we'll explore questions to consider when detecting and investigating these intrusions over the network.

As with several other tools, the WMI (wmic.exe) and Scheduled Tasks (schtasks.exe) executables are part of a collection of binaries often referred to as LOLBINS, or Living off the Land Binaries and Scripts: programs or scripts that an adversary can, with relatively high reliability, expect to be present on a Windows-based system. WMI and Scheduled Tasks are also commonly used by administrators and third-party vendor solutions (such as configuration management or system monitoring) that generate significant traffic in the environment and allow adversary activity to blend in with "normal" operations. To give a sense of the volume of such activity, Gigamon ATR observes hundreds of thousands (for Scheduled Tasks) or millions (for WMI) of monitored events per day across environments. Finally, both tools offer flexibility of use: credentials can be passed on the command line, the command can be run under a specific user context, and the command executed is user-defined.

Given their accessibility, ability to blend in with benign activity, and flexibility, WMI and Scheduled Tasks make for effective go-to tools for lateral movement by adversaries. Existing industry research shows that the use of WMI and Scheduled Tasks is common across a range of threat actors, from ransomware operators to advanced persistent threats (APTs). In the case of ransomware, recent leaks from Conti ransomware affiliates identify both WMI and Scheduled Tasks being used for lateral movement. Industry reporting on APT41 and Dark Halo indicates use of WMI and Scheduled Tasks, respectively, for lateral movement. When looking at how threat actors use these tools in lateral movement, we see that they serve primarily as an execution method, with the item being executed varying.

WMI is often used by calling the wmic.exe binary directly; however, several tools exist for offensive use of WMI, such as Invoke-WMIexec, WMIexec.py, SharpWMI, and the built-in WMI functions of frameworks like Cobalt Strike. ATR research finds that regardless of the tool, the functionality over the network tends to remain the same. Irrespective of the tool used to execute WMI, adversaries seek to execute a payload on the remote host, typically an executable or script created by the attacker that initiates a connection to command and control (C2) infrastructure. In some instances, instead of a dropped payload, a command such as a PowerShell "one-liner" is used to initiate the connection to attacker C2. Below is an example of WMI use with wmic.exe:

wmic /node: process call create ""

Figure 1: Remote command execution wmic usage example.

The /node switch targets a remote host, and the process class with the call verb for the create method executes the passed command. Wmic runs under the current user context unless the /USER and /PASSWORD switches are used to supply other credentials.

Scheduled Tasks use is similar but more elaborate, because a task has a lifecycle rather than a single invocation: it must be created (registered), then run, and finally "cleaned up" (deleted) if the attacker wants to remove obvious traces of activity. While a limited selection of third-party tools exists for Scheduled Tasks, calling the schtasks.exe application directly is the predominant method for adversaries. Sanitized example usage of creating (registering), running, then deleting a task, taken from the Conti leaks, is provided below:

schtasks /s /RU "SYSTEM" /create /tn "" /tr "" /sc ONCE /sd /st 00:00

Figure 2: Sanitized schtasks example found in Conti leaks.

Schtasks is often run with the /RU switch to define what account the task runs under; as in the example, this can be used to run under the SYSTEM context, which is highly privileged on the host. The /S switch targets a remote host, and the /U and /P switches (user and password respectively) supply the account schtasks.exe uses to connect to that host, which is distinct from the /RU (and /RP) account the task itself runs as.
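To make the WMI and Scheduled Tasks usage described above concrete from the defender's side, the following Python script is an added example for this post (it is not Gigamon ATR code). It parses wmic.exe and schtasks.exe command lines the way the post describes them (/node, /USER and /PASSWORD for wmic; /S, /U, /P, /RU, /TN, /TR and the create/run/delete verbs for schtasks), flags the lateral-movement indicators the post calls out (remote target, credentials on the command line, a task running as SYSTEM, an encoded PowerShell one-liner as the payload), and correlates the create, run and delete steps of a task into the "cleaned up" lifecycle. The input records, hostnames, users and timestamps are constructed and loosely modelled on Windows Security event 4688 fields; the encoded-PowerShell regex is a heuristic and an assumption of this example, not a claim from the post.

```python
"""Triage wmic.exe / schtasks.exe command lines for lateral-movement indicators.

Added example for this post; not Gigamon ATR code. Records are constructed and
loosely modelled on Windows Security event 4688 fields (source host, timestamp,
command line); hosts, users and times are invented.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keep double-quoted runs as one token
SCHTASKS_VERBS = {"/create", "/run", "/delete", "/end", "/change", "/query"}
SCHTASKS_VALUE_SWITCHES = {"/s", "/u", "/p", "/ru", "/rp", "/tn", "/tr"}
# Heuristic: common spellings of PowerShell's -EncodedCommand switch (assumption of this example).
ENCODED_PS_RE = re.compile(r"powershell\b.*\s-(?:e|ec|en|enc|encodedcommand)\b", re.I)

# Constructed sample records: (source host, ISO timestamp, process command line).
SAMPLE_EVENTS = [
    ("WS01", "2022-03-01T10:00:00", r'wmic /node:SRV02 /user:CORP\svc_backup /password:Sp2022! process call create "powershell -enc SQBFAFgA"'),
    ("WS01", "2022-03-01T10:05:00", r'schtasks /s SRV03 /RU "SYSTEM" /create /tn "Updater" /tr "C:\Windows\Temp\u.exe" /sc ONCE /sd 03/01/2022 /st 00:00'),
    ("WS01", "2022-03-01T10:05:20", r'schtasks /s SRV03 /run /tn "Updater"'),
    ("WS01", "2022-03-01T10:06:10", r'schtasks /s SRV03 /delete /tn "Updater" /f'),
    ("WS07", "2022-03-01T11:00:00", r'wmic process call create "notepad.exe"'),
    ("ADMIN1", "2022-03-01T12:00:00", r'schtasks /create /tn "Backup" /tr backup.cmd /sc DAILY /st 02:00'),
]


def tokenize(cmd):
    """Split on whitespace while keeping double-quoted runs intact (surrounding quotes removed)."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in TOKEN_RE.findall(cmd)]


def image_name(token):
    """Reduce a bare name or full path (e.g. C:\\...\\wbem\\WMIC.exe) to 'wmic' / 'schtasks'."""
    return re.sub(r"\.exe$", "", ntpath.basename(token.strip('"')).lower())


def parse_command(cmd):
    """Extract the fields that matter for lateral-movement triage from one command line."""
    info = {"tool": None, "target": None, "creds_passed": False, "run_as": None,
            "verbs": [], "task_name": None, "payload": None}
    tokens = tokenize(cmd)
    tool = image_name(tokens[0]) if tokens else ""
    if tool not in ("wmic", "schtasks"):
        return info
    info["tool"] = tool
    if tool == "wmic":
        # wmic switches carry their value after a colon: /node:HOST /user:NAME /password:PW
        for i, tok in enumerate(tokens):
            low = tok.lower()
            if low.startswith("/node:"):
                info["target"] = tok[len("/node:"):].strip('"')
            elif low.startswith(("/user:", "/password:")):
                info["creds_passed"] = True
            elif low == "process" and [t.lower() for t in tokens[i + 1:i + 3]] == ["call", "create"]:
                info["verbs"].append("process call create")
                info["payload"] = tokens[i + 3] if i + 3 < len(tokens) else None
    else:
        # schtasks switches take their value as the next token: /s HOST /ru USER /tn NAME /tr CMD
        i = 1
        while i < len(tokens):
            low = tokens[i].lower()
            if low in SCHTASKS_VERBS:
                info["verbs"].append(low[1:])
            elif low in SCHTASKS_VALUE_SWITCHES and i + 1 < len(tokens):
                val = tokens[i + 1]
                if low == "/s":
                    info["target"] = val
                elif low in ("/u", "/p"):
                    info["creds_passed"] = True
                elif low == "/ru":
                    info["run_as"] = val
                elif low == "/tn":
                    info["task_name"] = val
                elif low == "/tr":
                    info["payload"] = val
                i += 1
            i += 1
    return info


def assess(info):
    """Reasons a parsed command line deserves analyst review (empty list if none)."""
    reasons = []
    if info["tool"] is None:
        return reasons
    if info["target"]:
        reasons.append(f"remote execution against {info['target']}")
    if info["creds_passed"]:
        reasons.append("explicit credentials on the command line")
    if info["run_as"] and info["run_as"].upper() in ("SYSTEM", r"NT AUTHORITY\SYSTEM"):
        reasons.append("task runs as SYSTEM")
    if info["payload"] and ENCODED_PS_RE.search(info["payload"]):
        reasons.append("encoded PowerShell one-liner as payload")
    return reasons


def review(events):
    """Return (source, timestamp, command line, reasons) for every record worth a look."""
    return [(s, ts, cmd, r) for s, ts, cmd in events if (r := assess(parse_command(cmd)))]


def find_task_lifecycle(events, window=timedelta(minutes=15)):
    """Keys (source, target, task name) whose create, run and delete all fall within `window`.
    An admin's job is normally created once and left in place; create -> run -> delete is the tell."""
    stages = defaultdict(dict)
    for source, ts, cmd in events:
        info = parse_command(cmd)
        if info["tool"] != "schtasks" or not info["task_name"]:
            continue
        for verb in info["verbs"]:
            stages[(source, info["target"], info["task_name"])].setdefault(verb, datetime.fromisoformat(ts))
    return [key for key, seen in stages.items()
            if {"create", "run", "delete"}.issubset(seen) and max(seen.values()) - min(seen.values()) <= window]


if __name__ == "__main__":
    for source, ts, cmd, reasons in review(SAMPLE_EVENTS):
        print(f"{ts} {source}: {cmd}\n    " + "; ".join(reasons))
    for key in find_task_lifecycle(SAMPLE_EVENTS):
        print("task created, run and deleted within window:", key)
```

Run against the constructed records, the two local invocations (notepad.exe via wmic on WS07, the daily backup task on ADMIN1) produce no findings, while the four WS01 records are flagged and the Updater task on SRV03 surfaces as a complete create/run/delete sequence. The parser is deliberately narrow: it looks only at the switches the post discusses, so a practitioner should extend SCHTASKS_VALUE_SWITCHES and the wmic branch before relying on it in a real environment.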