PowerShell and WMIC are both built-in Windows utilities that can be used to administer local and remote systems via Windows Management Instrumentation. The WMIC utility is deprecated as of Windows Server 2012 R2 and use of PowerShell cmdlets is actively encouraged. Attempting to use PowerShell to execute WMI operations using the WMIC utility is actively discouraged and very unlikely to be observed in production environments. Log activity relating to the execution of the deprecated WMIC utility via PowerShell is sufficiently unorthodox to warrant further investigation for potentially malicious activity.
- An attacker gains a foothold on a server via an undisclosed vulnerability.
- The attacker uses PowerShell to execute WMIC commands on a remote host.
- The remote host returns the output of the executed commands.
The attacker requires permissions on the remote host to execute commands.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.