- WMI Spreader Analysis
- Network Service Account
- Share file copy
- WMI COM Interface
HermeticWizard is started using the command line regsvr32.exe /s /i <path>.
In the resources of HermeticWizard are two spreader components: a WMI spreader and an SMB spreader.
The WMI spreader is a stand-alone utility that is used to copy files to remote shares and execute them. The spreader is executed by HermeticWizard using the following example command line.
rundll32 <spreader path> #1 -s <path to HermeticWizard> -i <target IP>
The spreader accepts the following command line arguments:
- -s path to the file to copy
- -i remote host IP
- -h optional remote share path (*not confirmed)
- -a optional brute force share password (*not confirmed)
- -c optional brute force share domain username password list (*not confirmed)
The spreader checks whether it has local admin privileges. If it does, it attempts to impersonate the Network Service service account.
Limited service account that is meant to run standard privileged services. This account is far more limited than Local System (or even Administrator) but still has the right to access the network as the machine (see caveat above).
- NT AUTHORITY\NetworkService
- the account has no password (any password information you provide is ignored)
- HKCU represents the NetworkService user account
- has minimal privileges on the local computer
- presents the computer's credentials to remote servers
- SID: S-1-5-20
- has its own profile under the HKEY_USERS registry key (HKEY_USERS\S-1-5-20)
- If trying to schedule a task using it, enter NETWORK SERVICE into the Select User or Group dialog
The spreader attempts to authenticate to the ADMIN$ remote share. If a password list is supplied on the command line the share authentication is brute forced. Once authenticated the files are copied to the share.
For programmatic access to WMI the wiper uses COM.
Connection to remote host via WMI using
Use WMI to access remote hosts
- Command executed via WMI:
C:\\Windows\\system32\\cmd.exe /c start C:\\Windows\\system32\\regsvr32.exe /s /i C:\\Windows\\%s.dll
This is used to launch the HermeticWizard binary that has been copied to the remote host.
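As an added example (not part of the original analysis), the following Python detection logic looks for the two command-line shapes described above in process-creation events: the spreader's own rundll32 invocation (`#1 -s <file> -i <ip>`) and the regsvr32 `/s /i` install of a DLL dropped directly under C:\Windows when the parent is the WMI provider host. The events, file names and the assumption that WMI-launched commands surface under WmiPrvSE.exe are constructed for illustration.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style); sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c start C:\Windows\system32\regsvr32.exe /s /i C:\Windows\sample.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32 C:\Windows\spreader.dll #1 -s C:\Windows\wizard.dll -i 10.0.0.5"},
]

# regsvr32 silent install (/s /i) of a DLL; the %s in the spreader's format string becomes the DLL name.
REGSVR32_INSTALL = re.compile(
    r"regsvr32(?:\.exe)?\s+/s\s+/i\s+(?P<dll>[^\s\"]+\.dll)", re.IGNORECASE)
# rundll32 <dll> #1 -s <file> -i <ip>: the argument shape the WMI spreader is launched with.
SPREADER_LAUNCH = re.compile(
    r"rundll32(?:\.exe)?\s+\S+\s+#1\b.*\s-s\s+\S+.*\s-i\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE)


def classify(event):
    """Return the rule names that fire for one process-creation event."""
    hits = []
    parent = ntpath.basename(event["parent"]).lower()
    cmdline = event["cmdline"]
    m = REGSVR32_INSTALL.search(cmdline)
    if m:
        dll_dir = ntpath.dirname(m.group("dll")).lower()
        # Flag only when the DLL sits directly under C:\Windows and the parent is the
        # WMI provider host (assumed here to be where WMI-started commands appear).
        if dll_dir == r"c:\windows" and parent == "wmiprvse.exe":
            hits.append("wmi_remote_regsvr32_install")
    if SPREADER_LAUNCH.search(cmdline):
        hits.append("spreader_rundll32_launch")
    return hits


def scan(events):
    """Pair each command line with the rules it triggered (empty list = nothing matched)."""
    return [(e["cmdline"], classify(e)) for e in events]
```

The regsvr32 rule deliberately ignores `/s`-only registrations from ordinary parents, so legitimate installers do not trip it; tune the parent and directory conditions to your own telemetry.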