Lee Kirkpatrick

Detecting Lateral Movement in RSA NetWitness: WMI

Blog Post created by Lee Kirkpatrick Employee on Apr 9, 2019

Introduction

Lateral movement is a technique that enables an adversary to access and control remote systems on a network. It is a critical phase in any attack, and understanding the methods that can be used to perform lateral movement, along with how those protocols display themselves in NetWitness, is paramount in detecting attackers moving laterally in your environment. It is also important to understand that many of the mechanisms used by attackers for lateral movement, are also used by administrators for legitimate reasons, and thus why it is important to monitor these mechanisms to understand what is typical behaviour, and what is not.

 

What is WMI?

At a high level, Windows Management instrumentation (WMI) provides the ability to, locally or remotely, manage servers and workstations running Windows by allowing data collection, administration, and remote execution. WMI is Microsoft's implementation of the open standard, Web-Based Enterprise Management (WBEM) and Common Information Model (CIM), and comes preinstalled in Windows 2000 and newer Microsoft Operating Systems.

 

Tools

In this blog post, the Impackets implementation of WMIExec will be used. This sets up a semi-interactive shell for the attacker. WMI can be used for reconnaissance, privilege escalation (by looking for well-known misconfigurations), and lateral movement.

 

The Attack

The attacker has successfully gained access to your network and dumped credentials, all without any detection from your Security Operations Center (SOC). The attacker decides to move laterally using WMIExec, they connect to one of the hosts they had previously identified and begin to execute commands:

 

The Detection in NetWitness Packets

NetWitness Packets can easily identify WMI remote execution. All the analyst needs to do is open the Indicators of Compromise (IOC) meta key and look for wmi command:

 

Pivoting on the wmi command metadata, and opening the Action meta key, the analyst can observe the commands that were executed, as these are sent in clear text:

 

NOTE: Not all WMI commands are malicious. It is up to the analyst to understand what is normal behaviour within their environment, and what is not. The commands seen above are typical of WMIExec however, and should raise concern for the analyst.

 

The following screenshot is of the raw data itself. Here it is possible to see the parameter that was passed and subsequently registered under the action meta key:

 

Looking at the parameter passed, it is possible to see that WMIExec uses CMD to execute its command and output the result to a file (which is named the timestamp of execution) on the ADMIN$ share of the local system. The following screenshot shows an example of whoami being run, and the associated output file and contents on the remote host:

 

NOTE: This file is removed after it has been successfully read and displayed back to the attacker. Evidence of this file only exists on the system for a small amount of time.

 

We can get a better understanding of WMIExec's function from viewing the source code:

 

To detect WMIExec activity in NetWitness Packets, the following application rule logic could be created to detect it:

action contains'127.0.0.1\\admin$\\__1'

Lateral traffic is seldom captured by NetWitness Packets. More often than not, the focus of packet capture is placed on the ingress and egress points of the network, normally due to high volumes of core traffic that significantly increase costs for monitoring. This is why it is important to also have an endpoint detection product, such as NetWitness Endpoint to detect lateral movement.

 

The Detection in NetWitness Endpoint

A daily activity for the analyst should be to check the Indicators of Compromise (IOC), Behaviours of Compromise (BOC), and Enables of Compromise (EOC) meta keys. Upon doing so, the analyst would observe the following metadata, wmiprvse runs command shell:

 

Drilling into this metadata, and opening the Event Analysis view, it is possible to see the WMI Provider Service spawning CMD and executing commands:

 

To detect WMIExec activity in NetWitness Endpoint, the following application rule logic could be created to detect it:

param.dst contains '127.0.0.1\\admin$\\__1'

Conclusion

Understanding the Tools, Techniques, and Procedures (TTP's) used by attackers, coupled with understanding how NetWitness interprets those TTP's, is imperative in being able to identify them within your network. The NetWitness suite has great capabilities to pull apart network traffic and pick up on anomalies, which makes it easier for the analysts to hunt down and detect these threats.

 

WMI is a legitimate Microsoft tool that is used within environments by administrators, as well as by 3rd party products, it can therefore be difficult to differentiate normal from malicious, and why it is a popular tool for attackers. Performing Threat Hunting daily is an important activity for your analysts to build baselines and detect the anomalous usage from the normal activity.

Outcomes