Root Causes 210: Living off the Land

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

March 8, 2022

Microsoft has deprecated support for the popular sysadmin tool WMIC. Join our hosts as they explain the security reasons behind this development and broader lessons we can learn.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanThe name of this podcast is Living off the Land and in a second, I will ask you to explain that phrase and why we are using that here and what we mean by that. But a little bit of background for the listeners is, we are looking at an article from Microsoft – a Microsoft knowledge-based article from January 27 of this year and the title of it is “Windows 10 Features We are No Longer Developing”. And in particular, the one that caught our mind, our eye, was Windows Management Instrumentation Command Line or the WMIC tool. So, Jay, the WMIC tool is being discontinued by Microsoft and what does that have to do with the idea of living off the land?

Jason SorokoFor sure, Tim. This is one tool of many that people who are systems administrators in the Windows world will use to be able to gather data, understand their system and generally just be able to do your job as a system administrator and I remember using that tool for a very long time to gather very important pieces of data about systems and that’s just one tool out of many, although it was an important one for a very long time. Those of you who work in those systems right now probably are very, very familiar with PowerShell and all the different things that it does but I think you have to ask yourself why is Microsoft doing this and why is it calling into question a very, very important best practice by Microsoft to the industry and to anybody who does system administration and anybody who is a cybersecurity defender within an enterprise.

What living off the land means, Tim, is the bad guys can get into enterprise networks in a few different ways – as we’ve talked about in this podcast. Not the least of which is the stealing of credentials through social engineering, perhaps even a zero day into some sort of an appliance that’s inside your network. There’s so many different ways to get in and then once they are in, a lot of people have this notion that quite often the bad guys are then dropping the whole pile of fancy malware into their environment so that they’ve got a gigantic toolset at their disposal and I think one thing that’s not talked about enough just because it’s not terribly sexy with respect to technical journalism, everybody wants the clickbait titles, but this title, Living off the Land, to me, is probably one that most people don’t think about enough which is what tools are inherent within the operating systems of the systems that you are running and WMIC being one of them and then, of course, what other tools do you have lying around in your file system simply because you are trying to get a job done and yet the bad guys can use those tools as well.

Now, what are we talking about here? We are talking about tools that enable lateral movement. We are talking about tools that enable authentication itself. In other words, I remember with the sys internals tools for Microsoft there were tools within that. PS Exec being one of them where you could give it a hash value and authenticate into systems within the network. These are famous, famous living off the land tools that bad guys look for. If you are just leaving them around on the file systems, bad guys will use them, and they do absolutely look for them. It wasn’t one where you inherently left it by mistake. It was inherent within the system. What Microsoft is saying is, we are trying to make living off the land harder for the bad guy, Tim.

Tim CallanI get where they are coming from with that and that sounds like that makes good sense. In this case in particular, I think the idea is that PowerShell is available. You should be able to do everything that you kind of depended on WMIC for and instead, use PowerShell. So, the good guys, the SIs ought to be able to continue using their – or the sysadmins I guess I should say – ought to be able to continue doing their jobs in a reasonable way but we can block off something that might be a risk factor.

Jason SorokoI think that’s the exact idea, Tim. It’s not surprising that Microsoft would want to stream everybody towards PowerShell for those exact same kinds of functions. It makes a lot of sense. I think it makes things more auditable, it makes things more controllable and presumably even the kinds of authentication controls that you can put onto that are better. Therefore, being able to inflict the principles of least privileges within your internal tools that you use on a daily basis that the bad guys might find handy, that streaming towards PowerShell presumably is helping you to do that. That’s what this podcast is about, is to raise awareness. I think so many people get so – I don’t want to say in love with their tools. That’s insulting to anybody who does that job. I think the right way to say it is you get so good at your job with the tools you’ve had for so long that you might not realize that you might see a deprecation of an important tool by Microsoft and you say, ah, what’s that darn Microsoft doing. I think they’ve got your best interests in mind here and it is a good idea to remove those legacy tools that are just too darn handy for the bad guy.

Tim CallanWell, there you go. I think that’s a good security tip, Jay, and certainly prompted by a recent news item and it all makes sense to me.

Jason SorokoThanks, Tim. It was a quicky. This is a heads up to anybody who is working in the trenches out there.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!