
Threat-hunting case study: Windows Management Instrumentation abuse

Apr 09, 2025

The Black Basta ransomware-as-a-service (RaaS) group appeared in early 2022 and quickly evolved into one of the most damaging ransomware groups of all time. It is composed of veteran Russian-speaking threat actors, several of whom had experience in other RaaS groups including the Conti gang. Black Basta adopted the same kind of professionalized ransomware model as Conti: The group hired experienced operators for specific tasks, such as running phishing sites, penetrating networks, encrypting malware, running call centers and negotiating ransoms. Black Basta kept detailed spreadsheets of organizations and employees that it wanted to target. The group had its own initial access malware and botnet to spread “loader malware,” which provided initial access to computers that then could be used to deliver follow-on malware. The group also exploited vulnerabilities and discussed how more than 70 common vulnerabilities and exposures (CVEs) could be used to break into organizations.

In February 2024, an unknown leaker released 197,000 internal chat messages from within the group, shedding light on how this gang operated on a day-to-day basis and the tactics, techniques and procedures (TTPs) it used to exploit its victims. Our analysts have been extracting TTPs from these messages and creating hunt packages for HUNTER, Intel 471’s threat-hunting platform. HUNTER contains prewritten queries that can be used to hunt for threats in endpoint detection and response (EDR), security information and event management (SIEM) and logging systems. HUNTER contains a collection of hunt packages based on Black Basta TTPs, and this blog post will cover how to hunt for illegitimate use of a legitimate Windows binary.

Many attackers, including Black Basta, leverage living-off-the-land binaries, or LOLbins, which are native Windows operating system tools that are often already installed on systems. By using a LOLbin to accomplish enumeration and reconnaissance, threat groups avoid installing additional custom malware on machines, which has a greater chance of being flagged by security software.

One of the favored LOLbins is WMIC, the command-line client for Windows Management Instrumentation (WMI). WMIC is a powerful tool. It can be used to find out information about local machines and remote systems, or whether a USB drive is plugged in. It can be used to execute code remotely on machines, set up automated routines and run scripts. Ransomware groups use it for internal reconnaissance after they have gained initial access through a vector, such as tricking someone into clicking on a malicious attachment in an email. This reconnaissance gives ransomware operators insight into the structure of a network and its machines, as ransomware actors want to infect as many machines as possible. WMIC has been used in a range of attacks, including installation of Gootloader malware, Quantum ransomware and the IcedID or Bokbot malware loader. Detecting WMIC enumeration and discovery commands may be a sign of intruders in the network and allow defenders to stop ransomware before it is deployed.

The use of WMIC poses a problem for threat hunting. The mere existence of WMIC isn’t enough to prove that something malicious is happening. Neither is evidence of WMIC activity, as the tool is used legitimately in organizations. Thus, we have to look for likely malicious ways this tool would be used by an attacker and isolate those behaviors from normal use. 

Insight into how WMI has been used maliciously can be drawn from past forensic investigations into incidents. The threat-hunting package in HUNTER is called “WMIC Windows Internal Discovery and Enumeration.”

Threat-hunting packages in HUNTER contain the query logic, which is a simple description of the goal of the queries.

The query contains parameters aimed to trigger on the use of WMIC for discovery and enumeration. For example, values in the command-line arguments that contain “path” or “list” are parameters an adversary may use to discover information about a machine or an environment. This threat package contains hunt queries for CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Google SecOps, Microsoft Defender and Sentinel, Palo Alto XDR, QRadar Query, SentinelOne, SentinelOne Singularity, Splunk and Trend Micro Vision One. 

Now, let’s put a query into action. Below is a query for Splunk that has ingested Windows System Monitor (sysmon) logs:

In this example, the query is time limited to activity that occurs within two minutes. If an adversary is firing several of these commands within two minutes, it could be a sign of a playbook-driven attack. Generally, if many commands are executed within a short amount of time, it likely is not human interaction. A high frequency of these types of commands also could come from a script that was launched right after the attackers gained initial access. A PowerShell script could run WMI commands and send the information to a remote server. However, this query’s time span could be expanded, which may be required if no results are returned.

There also are the complexities around false positives and how to disambiguate those from potential malicious activity. That determination is different in every organization since the pattern of use of WMIC will be different. But as an example, if a query shows rapid WMIC use by a finance or human resources employee who has nothing to do with information technology, it could be a sign of misuse. The goal for threat hunters is to figure out the pattern-of-life in their environments to spot the outliers. This is where threat hunting gets difficult.

The results in the screenshot above show that within a two-minute window four unique commands were run. The attackers obtained operating system information, data about physical media, a serial number and IP addresses. Now where does the investigation go from here? WMIC returns information but it does not further the infection. One avenue is to take a step back and analyze the parent process. By looking at the parent process, it may be possible to figure out what spawned WMIC, such as a malicious attachment in a phishing email.
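To make the hunt logic concrete, here is an added Python example. It is not the HUNTER package’s Splunk query and not Intel 471’s code; it applies the same idea to constructed Sysmon Event ID 1 (process creation) records: keep wmic.exe executions whose arguments contain discovery keywords such as “path” or “list”, group them per host, count distinct command lines inside a two-minute window, and surface the users and parent images for the triage step described above. The event records, host names, user names, the keyword list and the minimum-unique-commands threshold are all constructed assumptions.

```python
"""Added example, not the HUNTER query: WMIC discovery burst hunt over
constructed Sysmon Event ID 1 records (field names follow Sysmon's schema)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)          # the post's two-minute window; widen if no results
# Discovery-style arguments named in the post ("path", "list") plus "get",
# which WMIC uses for most property reads. Assumption: tune per environment.
DISCOVERY_RE = re.compile(r"\b(path|list|get)\b", re.IGNORECASE)

# Constructed sample events: a four-command burst spawned by Word on a finance
# workstation, one lone admin command on a server, and one non-WMIC process.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-04-09 13:02:10.000", "Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption,version",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2025-04-09 13:02:14.000", "Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic diskdrive list brief",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2025-04-09 13:02:19.000", "Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic bios get serialnumber",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2025-04-09 13:02:25.000", "Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic nicconfig get ipaddress",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2025-04-09 15:40:00.000", "Computer": "IT-ADMIN-01", "User": "CORP\\itadmin",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic computersystem get domain",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-04-09 13:02:12.000", "Computer": "FIN-WS-07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def parse_time(value):
    """Sysmon UtcTime uses 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def is_wmic_discovery(event):
    """True for wmic.exe process creations whose arguments look like discovery."""
    return (event["Image"].lower().endswith("\\wmic.exe")
            and DISCOVERY_RE.search(event["CommandLine"]) is not None)


def hunt_wmic_bursts(events, window=WINDOW, min_unique=3):
    """Return one finding per burst of >= min_unique distinct WMIC discovery
    command lines on one host inside `window`. Each finding carries the users
    and parent images so the analyst can pivot to what spawned WMIC."""
    by_host = defaultdict(list)
    for ev in events:
        if is_wmic_discovery(ev):
            by_host[ev["Computer"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_time(e["UtcTime"]))
        i = 0
        while i < len(evs):
            start = parse_time(evs[i]["UtcTime"])
            burst = [e for e in evs[i:] if parse_time(e["UtcTime"]) - start <= window]
            unique = sorted({e["CommandLine"] for e in burst})
            if len(unique) >= min_unique:
                findings.append({
                    "host": host,
                    "window_start": evs[i]["UtcTime"],
                    "window_end": burst[-1]["UtcTime"],
                    "unique_commands": unique,
                    "users": sorted({e["User"] for e in burst}),
                    "parents": sorted({e["ParentImage"] for e in burst}),
                })
                i += len(burst)      # do not re-report the same events
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for finding in hunt_wmic_bursts(SAMPLE_EVENTS):
        print(finding)
```

On the sample data, only FIN-WS-07 is reported: four distinct commands in 15 seconds, all parented by WINWORD.EXE under a finance user, which is exactly the pattern-of-life outlier the post describes. The lone admin command on IT-ADMIN-01 stays below the threshold; lowering `min_unique` or widening `window` is the equivalent of expanding the query’s time span when a first pass returns nothing.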

We hope this tutorial on threat hunting for WMIC abuse has been useful. A video version is available here. Be sure to register for a HUNTER Community Edition account, which contains free sample hunt packages, including the one described in this blog post. The account also will allow for insight into HUNTER’s comprehensive library of advanced threat-hunting packages, detailed analyst notes and proactive recommendations. These resources are designed to strengthen your threat-hunting capabilities and keep your organization secure. Happy hunting!
