SharpWMI enables a user to perform WMI actions without using native WMI tooling. By avoiding the use of built-in WMI tooling, signature and heuristic based detection content designed to catch suspicious usage of WMI may not detect SharpWMI, even though they work in functionally similar ways. With SharpWMI, it's possible to perform WMI queries, execute code, enumerate systems and system information, and create processes.
SharpWMI is available for download in GhostPack.
Is my host protected against SharpWMI? in Operator on each host in your environment to test if you are vulnerable.
This chain will stage a SharpWMI binary from Operator and use it to enumerate the local system, its environment, and finally performs firewall configuration enumeration.
Microsoft has released Attack Surface Reduction (ASR) rules to Block process creations originating from PSExec and WMI commands and Block persistence through WMI event subscription. These rules currently apply to WMI and PsExec processes, but will not prevent the use of SharpWMI or other tools that implement WMI functionality.
SharpWMI may be detected by monitoring network traffic for WMI connections.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg