Is my host protected against SharpWMI?

This chain will stage a SharpWMI binary from Operator and use it to enumerate the local system, its environment, and finally its firewall configuration.


SharpWMI is an open-source implementation of various functionality found in Windows Management Instrumentation (WMI). WMI is a powerful Windows-native framework used for systems and data administration. The abuse of WMI functionality by adversaries is well-documented - WMI is listed in the MITRE ATT&CK framework with many references to its use by state-sponsored actors.

SharpWMI enables a user to perform WMI actions without using native WMI tooling. Because it avoids the built-in WMI tooling, signature- and heuristic-based detection content written to catch suspicious usage of that tooling may not detect SharpWMI, even though the two work in functionally similar ways. With SharpWMI, it's possible to perform WMI queries, execute code, enumerate systems and system information, and create processes.

SharpWMI is available for download in GhostPack.

Testing

Execute the chain "Is my host protected against SharpWMI?" in Operator on each host in your environment to test whether you are vulnerable.

This chain will stage a SharpWMI binary from Operator and use it to enumerate the local system, its environment, and finally its firewall configuration.

Remediation

Microsoft has released Attack Surface Reduction (ASR) rules to Block process creations originating from PSExec and WMI commands and Block persistence through WMI event subscription. These rules currently apply to WMI and PsExec processes, but will not prevent the use of SharpWMI or other tools that implement WMI functionality.
SharpWMI may be detected by monitoring network traffic for WMI connections.
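As an added example (not part of the Prelude post or the SharpWMI project), the network-side detection above can be expressed as a check over flow records: a remote WMI session first contacts the RPC endpoint mapper on TCP/135 and then opens a second TCP connection to the dynamic port the mapper returns, so a client hitting both on the same server within a short window is the signal. The record format, the 5-second window and the sample flows are constructed assumptions; note that the local enumeration this chain performs generates no such traffic, so this only covers WMI used against remote hosts.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: default Windows dynamic RPC port range and a 5 s gap between
# the endpoint-mapper call and the follow-up connection.
DYNAMIC_PORTS = range(49152, 65536)
WINDOW_SECONDS = 5.0


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(float(ts), src, dst, int(dport), proto.lower())


def find_wmi_sessions(lines, window=WINDOW_SECONDS):
    """Return (src, dst, t_epm, t_dyn) for each TCP/135 hit that is followed
    by a dynamic-port connection to the same server within `window` seconds."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f.ts)
    pending = defaultdict(list)  # (src, dst) -> timestamps of TCP/135 connections
    hits = []
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.src, f.dst)
        if f.dport == 135:
            pending[key].append(f.ts)
        elif f.dport in DYNAMIC_PORTS:
            recent = [t for t in pending[key] if 0 <= f.ts - t <= window]
            if recent:
                hits.append((f.src, f.dst, recent[-1], f.ts))
                pending[key].remove(recent[-1])  # one mapper call per session
    return hits


# Constructed sample: one real WMI/DCOM pattern (.10 -> .20), one lone 135
# probe (.11) whose dynamic-port connection comes far too late, and one
# high-port connection (.12) with no endpoint-mapper call at all.
SAMPLE_FLOWS = [
    "1000.0 10.0.0.10 10.0.0.20 135 tcp",
    "1000.4 10.0.0.10 10.0.0.20 49671 tcp",
    "1001.0 10.0.0.11 10.0.0.20 135 tcp",
    "1020.0 10.0.0.12 10.0.0.20 50000 tcp",
    "1030.0 10.0.0.11 10.0.0.20 49155 tcp",
]

if __name__ == "__main__":
    for src, dst, t_epm, t_dyn in find_wmi_sessions(SAMPLE_FLOWS):
        print(f"possible WMI/DCOM session {src} -> {dst} (EPM at {t_epm}, dynamic port at {t_dyn})")
```

Port 135 is shared by all DCOM/RPC clients, so treat a hit as a lead to correlate with host telemetry rather than a confirmation of WMI use.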

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1

Source: https://feed.prelude.org
TTPs

Enumerate Local system with SharpWMI
Enumerate system environment with SharpWMI
Enumerate firewall with SharpWMI
