Common Information

Value: Windows Management Instrumentation - T1047
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
Misp Type: Cluster

Description: Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)

Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WMI service (winmgmt) running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.
Remote Support: Yes
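The detection guidance above (capture "wmic" command lines and flag remote behavior), as an added example that is not part of the MITRE or MISP entry: a small Python triage routine run over constructed process-creation events. The event fields, hostnames, user names and the severity labels are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events for this example, not real telemetry.
# Fields: (host, user, image path, command line).
SAMPLE_EVENTS = [
    ("WS01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    ("WS01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:FS02 /user:CORP\svc process call create "cmd.exe /c whoami"'),
    ("WS01", r"CORP\bob", r"C:\Windows\System32\wbem\WMIC.exe",
     'wmic /node:"localhost" service where name=\'winmgmt\' get state'),
    ("WS01", r"CORP\bob", r"C:\Windows\System32\wbem\WMIC.exe", "wmic /NODE:10.0.0.25 nicconfig get ipaddress"),
    ("WS01", r"CORP\carol", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
]

# Targets that mean "this machine": a /node: pointing here is local, not lateral.
LOCAL_TARGETS = {".", "localhost", "127.0.0.1", "::1"}
NODE_RE = re.compile(r'/node:\s*"?([^"\s,]+)"?', re.IGNORECASE)   # remote target switch
REMOTE_EXEC_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)  # remote process creation

@dataclass
class Finding:
    host: str
    user: str
    target: str
    severity: str
    command_line: str

def analyze_event(host, user, image, command_line):
    """Return a Finding for wmic.exe executions, None for anything else."""
    if image.rsplit("\\", 1)[-1].lower() != "wmic.exe":
        return None
    m = NODE_RE.search(command_line)
    target = m.group(1) if m else host           # no /node: means the local system
    is_remote = target.lower() not in LOCAL_TARGETS and target.lower() != host.lower()
    if is_remote and REMOTE_EXEC_RE.search(command_line):
        severity = "high"      # remote process creation: execution / lateral movement
    elif is_remote:
        severity = "medium"    # remote query: discovery against another host
    else:
        severity = "info"      # local WMI use; baseline it rather than alert on it
    return Finding(host, user, target, severity, command_line)

def scan(events):
    """Run the triage over a list of (host, user, image, command_line) tuples."""
    return [f for f in (analyze_event(*e) for e in events) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host} {f.user} -> {f.target}: {f.command_line}")
```

Local wmic use is deliberately kept at "info" so it can be baselined per environment, in line with the note above that WMI is only suspect where it is not normally used.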
Related reports

Details  Published  Attributes  CTI Title
Website  2024-10-18  44  Weekly Intelligence Report - 18 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
Website  2024-10-18  18  The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer - CYFIRMA
Website  2024-10-18  56  Vietnamese Threat Actor's Multi-Layered Strategy On Digital Marketing Professionals - Cyble
Website  2024-10-12  13  PowerShell Stealth Fundamentals
Website  2024-10-11  71  Weekly Intelligence Report - 11 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting
Website  2024-10-11  5  Volt Typhoon — Chinese State-Sponsored Threat Actors
Website  2024-10-10  0  How Open Source SIEM and XDR Tackle Evolving Threats - PRSOL:CC
Website  2024-10-10  1  EDR Perspectives on Capturing Advanced Attack Techniques of Offensive Cyber APT Groups
Website  2024-10-10  182  Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware | CTF导航
Website  2024-10-09  1  North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and…
Website  2024-10-09  1  How open source SIEM and XDR tackle evolving threats
Website  2024-10-08  0  Analyzing Latrodectus: The New Face of Malware Loaders
Website  2024-10-06  3  APTs: Tactics, Techniques, and Procedures
Website  2024-10-04  18  LetsDefend SA Event ID: 71, SOC134 — Suspicious WMI Activity
Website  2024-10-04  19  Windows Warns of Storm-0501 Group Deploying Ransomware to Hybrid Cloud Environments
Website  2024-10-02  3  Stopping Attacks Early: The Power of Endpoint Telemetry in Cybersecurity
Website  2024-10-02  10  Investigating with Splunk 🎭
Website  2024-10-02  4  Microsoft Alert: New INC Ransomware Targets US Healthcare
Website  2024-10-01  4  Mekotio: How Latin America's Most Effective Banking Trojan Works - CSIRT de Gobierno
Website  2024-09-30  0  Analyzed Fileless Malware and Deobfuscated PowerShell — Here's How You Can Do It Too
Website  2024-09-30  174  Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
Website  2024-09-26  22  Avaddon Ransomware Analysis (EN)
Website  2024-09-26  53  BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
Website  2024-09-24  9  Weekly News Round-up - SOS Intelligence
Website  2024-09-23  0  Security Threats: Updates