Common Information
Value Windows Management Instrumentation - T1047
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)

Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WMI service, winmgmt, running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.
Remote Support: Yes
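As an added illustration of the detection guidance above (example code, not part of the MITRE or MISP record): a Python checker that runs over constructed process-creation events and flags wmic command lines that address a remote host (/node:) or create a process there, plus any wmic use on hosts outside an assumed WMI-administration baseline. The pipe-delimited log format, host names and baseline list are all assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical pipe-delimited
# export: timestamp|host|user|image|command line); not from a real system.
SAMPLE_EVENTS = r"""
2022-06-01T10:00:01|ws-fin-07|CORP\alice|C:\Windows\System32\wmic.exe|wmic os get caption
2022-06-01T10:02:13|ws-fin-07|CORP\alice|C:\Windows\System32\wmic.exe|wmic /node:"srv-db-02" /user:CORP\svc process call create "cmd.exe /c hostname"
2022-06-01T10:03:40|admin-jump-01|CORP\it-ops|C:\Windows\System32\wmic.exe|wmic /node:srv-web-01 os get lastbootuptime
2022-06-01T10:05:02|ws-hr-03|CORP\bob|C:\Windows\System32\notepad.exe|notepad.exe report.txt
"""

# wmic's /node: switch addresses a remote computer; "process call create"
# starts a process on that computer (the remote Execution case in the text).
REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
REMOTE_EXEC = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)

def parse_event(line):
    """Split one export line into its five fields; None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "cmdline"), parts))

def analyze(events_text, wmi_baseline_hosts):
    """Flag wmic.exe executions: remote targets, remote process creation,
    and any wmic use on a host where WMI administration is not expected."""
    baseline = {h.lower() for h in wmi_baseline_hosts}
    findings = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev is None or not ev["image"].lower().endswith("\\wmic.exe"):
            continue
        reasons = []
        if REMOTE_NODE.search(ev["cmdline"]):
            reasons.append("remote target via /node:")
        if REMOTE_EXEC.search(ev["cmdline"]):
            reasons.append("remote process creation")
        if ev["host"].lower() not in baseline:
            reasons.append("wmic on host outside WMI baseline")
        if not reasons:
            continue
        severity = ("high" if "remote process creation" in reasons
                    else "medium" if "remote target via /node:" in reasons else "low")
        findings.append({"timestamp": ev["timestamp"], "host": ev["host"],
                         "user": ev["user"], "severity": severity, "reasons": reasons})
    return findings
```

Feed it real process-creation exports (Sysmon event 1 or Security 4688 with command-line auditing) after adapting parse_event to that format; the baseline list is what keeps routine administration from admin hosts out of the findings.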
Type     Published   Attributes  CTI Title
Website  2022-06-01  5           Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1) — Elastic Security Labs
Website  2022-05-27  50          Emotet Analysis: New LNKs in the Infection Chain | Kroll
Website  2022-05-26  44          Janicab Series: Further Steps in the Infection Chain
Website  2022-05-21  31          Analysis on recent wiper attacks: examples and how wiper malware works
Website  2022-05-08  57          Ursnif Malware Banks on News Events for Phishing Attacks | Qualys Security Blog
Website  2022-05-02  39          UNC3524: Eye Spy on Your Email | Mandiant
Website  2022-04-28  128         Tracking APT29 Phishing Campaigns | Atlassian Trello
Website  2022-04-28  32          MAR-10376640-1.v1 – IsaacWiper and HermeticWizard | CISA
Website  2022-04-28  30          MAR-10376640-1.v1 – IsaacWiper and HermeticWizard | CISA
Website  2022-04-27  202         A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity | WeLiveSecurity
Website  2022-04-27  28          2021 Top Routinely Exploited Vulnerabilities | CISA
Website  2022-04-25  104         Quantum Ransomware
Website  2022-04-04  113         Stolen Images Campaign Ends in Conti Ransomware
Website  2022-03-23  0           Autonomous Response stops a runaway Trickbot intrusion - Darktrace Blog
Website  2022-03-21  33          Arid Gopher: Newest Micropsia Malware Variant | Deep Instinct
Website  2022-03-18  30          Ransomware Spotlight: Hive - Security News
Website  2022-03-16  23          DirtyMoe: Worming Modules - Avast Threat Labs
Website  2022-03-08  16          The real tools of cybercriminals
Website  2022-03-01  65          IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine | WeLiveSecurity
Website  2022-02-24  82          Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity | Mandiant
Website  2022-02-24  123         Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA
Website  2022-02-08  36          LolZarus: Lazarus Group Incorporating Lolbins into Campaigns | Qualys Security Blog
Website  2022-02-01  39          White Rabbit Continued: Sardonic and F5 | Lodestone Security
Website  2022-01-26  54          ALPHV ransomware gang analysis