Common Information
Type | Value
---|---
Value | Windows Management Instrumentation - T1047
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015) Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015) Platforms: Windows Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring Permissions Required: User, Administrator System Requirements: WMI service, winmgmt, running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication. Remote Support: Yes |
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2022-07-26 | 38 | Malicious IIS extensions quietly open persistent backdoors into servers - Microsoft Security Blog
Details | Website | 2022-07-26 | 60 | Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers \| Mandiant
Details | Website | 2022-07-26 | 6 | Threat hunting for PsExec and other lateral movement tools
Details | Website | 2022-07-25 | 13 | LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
Details | Website | 2022-07-25 | 20 | LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
Details | Website | 2022-07-21 | 43 | LockBit 3.0 Update \| Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques
Details | Website | 2022-07-20 | 16 | Analyzing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data
Details | Website | 2022-07-07 | 39 | THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom
Details | Website | 2022-07-06 | 20 | Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server
Details | Website | 2022-07-06 | 20 | Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server
Details | Website | 2022-06-27 | 28 | Threat Spotlight: Eternity Project MaaS Goes On and On
Details | Website | 2022-06-21 | 26 | Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2) — Elastic Security Labs
Details | Website | 2022-06-15 | 19 | Telerik UI exploitation leads to cryptominer, Cobalt Strike infections
Details | Website | 2022-06-10 | 25 | China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Details | Website | 2022-06-10 | 76 | Threat Attribution — Chimera “Under the Radar”
Details | Website | 2022-06-07 | 55 | A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Details | Website | 2022-06-07 | 15 | Detecting COR_PROFILER manipulation for persistence - Red Canary
Details | Website | 2022-06-07 | 3 | Lateral Movement Using WinRM and WMI
Details | Website | 2022-06-07 | 12 | Threat Detection #9643: Cryptomining Enabled by Native Windows Tools
Details | Website | 2022-06-06 | 76 | SVCReady: A New Loader Gets Ready \| HP Wolf Security
Details | Website | 2022-06-06 | 26 | Shining the Light on Black Basta
Details | Website | 2022-06-02 | 99 | To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions \| Mandiant
Details | Website | 2022-06-02 | 60 | VMware Carbon Black TAU: Ryuk Ransomware Technical Analysis
Details | Website | 2022-06-02 | 54 | Understanding the RuRansom Malware – A Retaliatory Wiper
Details | Website | 2022-06-02 | 63 | LockBit 3.0 Ransomware Unlocked