Common Information
Value: Windows Management Instrumentation - T1047
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
MISP Type: Cluster
Description: Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access, and on Server Message Block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Note on port 135: the RPC endpoint mapper listens on TCP 135, but a remote WMI (DCOM) session is then negotiated onto a dynamic high port. A firewall rule that permits only 135 is not enough for remote WMI to work, and a network sensor that watches only 135 sees the initial hop but not the session that follows.

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015) Because wmic.exe is deprecated on current Windows releases, the same remote behavior is increasingly driven through the PowerShell WMI/CIM cmdlets (for example Invoke-WmiMethod or Invoke-CimMethod with -ComputerName), so process command-line monitoring should cover those as well.

Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WMI service (winmgmt) running; host/network firewalls allowing SMB and WMI ports from source to destination; SMB authentication.
Remote Support: Yes
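The detection guidance above (wmic command lines that target a remote host, and WMI network connections from hosts that do not normally use WMI), worked as a small detector over constructed sample events. This is an added example, not code from the MISP cluster or from ATT&CK. The event field names, hostnames, IP addresses and the admin allowlist are assumptions made for the example; it also goes slightly beyond the page's text by matching the PowerShell WMI/CIM cmdlets with -ComputerName, which perform the same remote actions without wmic.exe ever running.

```python
"""Added example: T1047 detection logic over constructed sample telemetry.

Two detections from the page's guidance: (1) process command lines that
drive WMI against a remote host, and (2) netflow showing the RPC endpoint
mapper hop (TCP 135) that a remote WMI/DCOM session starts with.
Every record below is constructed for the example, not real telemetry."""
import re
from collections import defaultdict

# Constructed process-creation events in flattened Sysmon EID 1 / Security
# 4688 style. The field names are this example's own, not a vendor schema.
PROCESS_EVENTS = [
    {"host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"FS01" /user:CORP\svc_backup process call create "cmd.exe /c whoami"'},
    {"host": "WS01", "user": r"CORP\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoP -Command "Invoke-WmiMethod -Class Win32_Process '
                '-Name Create -ArgumentList calc.exe -ComputerName FS02"'},
    {"host": "WS02", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
    {"host": "WS02", "user": r"CORP\bob",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"host": "WS03", "user": r"CORP\carol",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:DC01 qfe list"},
]

# Constructed netflow records; 10.0.0.5 is the only sanctioned admin host.
ADMIN_HOSTS = {"10.0.0.5"}
NETFLOWS = [
    {"src": "10.0.0.5",  "dst": "10.0.1.10", "dport": 135, "proto": "tcp"},
    {"src": "10.0.2.20", "dst": "10.0.1.10", "dport": 135, "proto": "tcp"},
    {"src": "10.0.2.20", "dst": "10.0.1.11", "dport": 135, "proto": "tcp"},
    {"src": "10.0.2.20", "dst": "10.0.1.12", "dport": 135, "proto": "tcp"},
    {"src": "10.0.2.20", "dst": "10.0.1.10", "dport": 445, "proto": "tcp"},
]

# Keeps a double-quoted run as a single token so "cmd.exe /c whoami" stays whole.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# PowerShell WMI/CIM cmdlets aimed at another host via -ComputerName.
_PS_REMOTE_RE = re.compile(
    r"(Invoke-WmiMethod|Invoke-CimMethod|Get-WmiObject|Get-CimInstance)\b.*?"
    r"-ComputerName\s+(\S+)", re.IGNORECASE)


def _finding(ev, severity, reason, target):
    return {"technique": "T1047", "severity": severity, "reason": reason,
            "host": ev["host"], "user": ev["user"], "target": target}


def analyze_process_event(ev):
    """Return a finding dict for one process-creation event, or None.

    wmic with /node: is remote use; 'process call create' against a node is
    remote execution (high). Local wmic use is only noted (low) so that it
    can be baselined in environments where WMI is not normally used."""
    toks = _TOKEN_RE.findall(ev["cmdline"])
    lowered = [t.lower() for t in toks]
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    first = lowered[0] if lowered else ""
    is_wmic = image == "wmic.exe" or first in ("wmic", "wmic.exe")
    node = None
    for t in toks:
        if t.lower().startswith("/node:"):
            node = t[len("/node:"):].strip('"')
    if is_wmic:
        if node and {"process", "call", "create"} <= set(lowered):
            return _finding(ev, "high", "remote process creation via wmic", node)
        if node:
            return _finding(ev, "medium", "remote WMI query via wmic", node)
        return _finding(ev, "low", "local wmic use", None)
    m = _PS_REMOTE_RE.search(ev["cmdline"])
    if m:
        sev = "high" if m.group(1).lower().startswith("invoke") else "medium"
        return _finding(ev, sev, "remote WMI via " + m.group(1), m.group(2).strip("\"'"))
    return None


def analyze_netflow(flows, admin_hosts, fanout_threshold=3):
    """Flag TCP 135 (RPC endpoint mapper, the first hop of a remote WMI/DCOM
    session) from sources that are not sanctioned admin hosts, and any
    source that reaches 135 on fanout_threshold or more distinct hosts."""
    findings = []
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != 135:
            continue
        targets[f["src"]].add(f["dst"])
        if f["src"] not in admin_hosts:
            findings.append({"technique": "T1047", "severity": "medium",
                             "src": f["src"], "dst": f["dst"],
                             "reason": "135/tcp from non-admin source"})
    for src, dsts in targets.items():
        if len(dsts) >= fanout_threshold:
            findings.append({"technique": "T1047", "severity": "high",
                             "src": src, "dst": sorted(dsts),
                             "reason": "135/tcp fan-out to %d hosts" % len(dsts)})
    return findings


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(analyze_process_event(ev))
    for f in analyze_netflow(NETFLOWS, ADMIN_HOSTS):
        print(f)
```

The netflow rule only sees the 135 hop; the follow-on DCOM session lands on a dynamic high port, so in a real deployment the medium finding is best joined with the same source/destination pair's later high-port flows and with the authentication log on the target.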
Related CTI (type, publication date, number of attributes, title)
Type     Published   Attributes  Title
Website  2021-08-16  12          Remote Desktop Protocol (RDP) Attack Analysis | Darktrace Blog
Website  2021-08-12  36          Vice Society leverages PrintNightmare in ransomware attacks
Website  2021-08-11  21          ReverseRat Reemerges with a (Night)Fury New Campaign and New Developments, Same Familiar Side-Actor - Lumen
Website  2021-08-07  6           Advance persistent threat - Lateral movement detection in Windows infrastructure - Part II | Infosec Resources
Website  2021-07-28  10          Phases of a Post-Intrusion Ransomware Attack
Website  2021-07-21  62          Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm
Website  2021-07-19  75          Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA
Website  2021-07-13  7           Candiru's Spyware: How It Works And Attacking Journalists, Activists And Many More
Website  2021-07-10  106         Common Tools & Techniques Used By Threat Actors and Malware — Part I
Website  2021-07-07  4           New Ryuk Ransomware Sample Targets Webservers | McAfee Blog
Website  2021-07-05  79          Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
Website  2021-06-17  52          Black Kingdom ransomware
Website  2021-06-15  53          Handy guide to a new Fivehands ransomware variant
Website  2021-06-15  86          Ransomware Double Extortion and Beyond: REvil, Clop, and Conti - Security News
Website  2021-06-10  26          Quarterly Report: Incident Response trends from Spring 2021
Website  2021-05-29  114         Attacking Active Directory: 0 to 0.9 | zer1t0
Website  2021-05-23  75          MountLocker Ransomware
Website  2021-05-17  6           Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions
Website  2021-05-14  58          DarkSide Ransomware Victims Sold Short | McAfee Blog
Website  2021-05-10  47          IcedID Banking Trojan Malware Threat Intel Advisory | Threat Intelligence | CloudSEK
Website  2021-05-07  101         Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
Website  2021-05-06  59          Proxylogon A Coinminer a Ransomware and a Botnet Join the Party
Website  2021-04-29  101         UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat | Mandiant
Website  2021-04-29  4           Locked, Loaded, and in the Wrong Hands: Legitimate Tools Weaponized for Ransomware in 2021 - Security News
Website  2021-04-27  236         Lazarus Group Recruitment: Threat Hunters vs Head Hunters