Common Information

Value: Windows Management Instrumentation - T1047
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster

Description: Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on Server Message Block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)

Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WMI service (winmgmt) running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.
Remote Support: Yes
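A defender-side illustration of the Detection guidance in the description, written for this page as an added example (it is not part of the MISP record or of the ATT&CK source text): it scans constructed process-creation events for wmic, or PowerShell WMI cmdlets, aimed at a remote node, and separately flags netflow records to TCP port 135 (the RPC endpoint mapper) from hosts outside a constructed admin allowlist. All hostnames, addresses, users and the allowlist are assumed sample values.

```python
"""Detection helpers for T1047 (remote WMI use) over constructed log data.
Added example for this page; not code from MISP or MITRE."""
import re
from dataclasses import dataclass

# Constructed process-creation events: (source host, user, command line).
SAMPLE_EVENTS = [
    ("ws01", "alice", 'wmic /node:"10.0.0.25" /user:corp\\svc process call create "cmd.exe /c whoami"'),
    ("ws01", "alice", "wmic os get caption,version"),                      # local query, benign
    ("ws02", "bob",   "wmic /node:localhost process list brief"),          # local node, benign
    ("srv01", "svc",  "wmic /node:fileserver01 /user:corp\\admin shadowcopy call create Volume=C:\\"),
    ("ws03", "carol", "powershell.exe -Command Get-WmiObject -Class Win32_Process -ComputerName srv07"),
    ("ws03", "carol", "notepad.exe report.txt"),
]

# Constructed netflow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.25", 135),   # assumed admin jump host -> expected
    ("10.0.0.40", "10.0.0.25", 445),  # SMB only, not the RPC endpoint mapper
    ("10.0.0.7", "10.0.0.9", 135),    # workstation talking RPC to a peer
]
ADMIN_HOSTS = {"10.0.0.5"}            # assumed allowlist of management hosts

LOCAL_NODES = {"localhost", "127.0.0.1", "."}
NODE_RE = re.compile(r'/node:\s*"?([^"\s,]+)', re.IGNORECASE)
COMPUTERNAME_RE = re.compile(r"-ComputerName\s+(\S+)", re.IGNORECASE)
WMI_CMDLET_RE = re.compile(r"(Get-WmiObject|Invoke-WmiMethod|Get-CimInstance|Invoke-CimMethod)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    target: str
    reason: str


def detect_remote_wmi(events):
    """Return a Finding for every command line that drives WMI at a remote node."""
    findings = []
    for host, user, cmdline in events:
        tokens = cmdline.split()
        if not tokens:
            continue
        exe = tokens[0].rsplit("\\", 1)[-1].lower()   # basename of the image
        target = None
        if exe in ("wmic", "wmic.exe"):
            m = NODE_RE.search(cmdline)
            if m:
                target = m.group(1)
        elif exe in ("powershell", "powershell.exe", "pwsh", "pwsh.exe") and WMI_CMDLET_RE.search(cmdline):
            m = COMPUTERNAME_RE.search(cmdline)
            if m:
                target = m.group(1)
        # No /node or -ComputerName, or a node naming the local machine: not remote behaviour.
        if target is None or target.lower() in LOCAL_NODES or target.lower() == host.lower():
            continue
        if "process call create" in cmdline.lower():
            reason = "remote process creation via WMI"
        else:
            reason = "remote WMI command"
        findings.append(Finding(host, user, target, reason))
    return findings


def suspicious_rpc_flows(flows, admin_hosts=ADMIN_HOSTS):
    """Flows to TCP 135 from hosts that are not expected to manage others.
    Port 135 only carries the initial endpoint-mapper request; the DCOM
    session then moves to a dynamic port, so this is a trigger, not a full picture."""
    return [f for f in flows if f[2] == 135 and f[0] not in admin_hosts]


if __name__ == "__main__":
    for f in detect_remote_wmi(SAMPLE_EVENTS):
        print(f"{f.host}/{f.user} -> {f.target}: {f.reason}")
    for src, dst, port in suspicious_rpc_flows(SAMPLE_FLOWS):
        print(f"unexpected RPC endpoint-mapper flow {src} -> {dst}:{port}")
```

Run against the constructed samples, the command-line check reports the three events that name a remote node (the localhost query and the local `wmic os get` are ignored) and the flow check reports the single port-135 connection from a non-admin host; in production the event tuples would come from Sysmon Event ID 1 or Windows 4688 records and the allowlist from the organisation's inventory of management hosts.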
Related reports (CTI | Published | Attributes | Title)

Website | 2022-01-22 | 1 | Talos Incident Response year-in-review for 2021
Website | 2022-01-10 | 27 | Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021
Website | 2022-01-10 | 43 | COVID Omicron Variant Lure Used to Distribute RedLine Stealer | FortiGuard Labs
Website | 2022-01-01 | 30 | Threat Report
Website | 2022-01-01 | 29 | Threat Report
Website | 2022-01-01 | 62 | iocs/Phobos_IOCs.text at master · pan-unit42/iocs
Website | 2021-12-09 | 19 | A closer look at Qakbot's latest building blocks (and how to knock them down) - Microsoft Security Blog
Website | 2021-12-07 | 131 | FIN13: Un actor de amenaza cibercriminal, enfocado en México (Spanish edition: FIN13: A cybercriminal threat actor focused on Mexico) | Mandiant
Website | 2021-12-07 | 130 | FIN13: A Cybercriminal Threat Actor Focused on Mexico | Mandiant
Website | 2021-12-02 | 95 | SideCopy APT: Connecting lures to victims, payloads to infrastructure
Website | 2021-11-29 | 160 | CONTInuing the Bazar Ransomware Story
Website | 2021-11-18 | 68 | New ransomware actor uses password-protected archives to bypass encryption protection
Website | 2021-11-18 | 50 | Conti Ransomware | Qualys Security Blog
Website | 2021-11-02 | 63 | BlackMatter Ransomware: In-Depth Analysis & Recommendations | Varonis
Website | 2021-11-01 | 38 | Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2 - CYB3RSN0RLAX
Website | 2021-10-26 | 62 | Almost 100 Organizations in Brazil Targeted with Banking Trojan
Website | 2021-10-26 | 14 | China cyber attacks: the current threat landscape
Website | 2021-09-22 | 31 | Threat Analysis Report: PrintNightmare and Magniber Ransomware
Website | 2021-09-16 | 39 | APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus | CISA
Website | 2021-09-10 | 0 | Windows Management Instrumentation - Win32 apps
Website | 2021-09-07 | 3 | The early signs of ransomware: A blitz game - Darktrace Blog
Website | 2021-09-06 | 4 | How to Exploit SQL Server Using OLE Automation | Imperva
Website | 2021-09-03 | 6 | Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
Website | 2021-08-30 | 22 | Fileless Malware
Website | 2021-08-16 | 191 | Trickbot Leads Up to Fake 1Password Installation