Common Information
Type Value
Value Windows Management Instrumentation - T1047
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access, and on server message block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. The RPC endpoint mapper listens on TCP port 135; the DCOM connection that carries the WMI session is then negotiated onto a dynamic high port, so a firewall rule that only permits 135 does not by itself allow remote WMI. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems across several tactics, for example querying system and process information for Discovery, or creating processes on a remote host (typically through the Win32_Process class) for Execution as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; WMI activity in environments or from hosts that do not normally use it for administration may be suspect. Perform process monitoring to capture the command-line arguments of "wmic" and detect options that target remote systems (such as /node:) or create processes (such as "process call create"). Processes created through WMI run as children of the WMI provider host, WmiPrvSE.exe, so a command shell or script host with that parent is a useful indicator on the destination side. (Citation: FireEye WMI 2015)

Platforms: Windows

Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring

Permissions Required: User, Administrator

System Requirements: WMI service (winmgmt) running. Host and network firewalls allowing SMB and WMI (RPC endpoint mapper plus DCOM dynamic ports) from source to destination. SMB authentication.

Remote Support: Yes
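The detection guidance above, turned into working code as an added example that is not part of this MISP cluster or of the ATT&CK entry: it applies the wmic command-line rules (remote /node: targeting, "process call create"), the WmiPrvSE.exe parent-process check on the destination host, and a netflow rule for RPC endpoint mapper connections from hosts that are not on an assumed administrator allow-list. The event records, field names (Sysmon Event ID 1 style: Image, ParentImage, CommandLine) and the ADMIN_HOSTS set are all constructed for the example, not a vendor schema or real telemetry.

```python
"""T1047 (WMI) detection rules run over constructed process-creation and flow records.

Added example for this page; the events and field names below are constructed
to resemble Sysmon Event ID 1 and a generic flow export. They are assumptions,
not real telemetry or a specific vendor schema.
"""
import re

# Assumed allow-list of hosts from which WMI administration is expected.
ADMIN_HOSTS = {"10.0.0.5"}

# RPC endpoint mapper port; the DCOM/WMI session then moves to a dynamic port.
RPC_EPM_PORT = 135

# Constructed process-creation events (Sysmon EID 1 style fields).
PROCESS_EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:"fs01" /user:corp\svc process call create "cmd.exe /c whoami > c:\out.txt"'},
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption,version"},
    {"host": "fs01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c whoami > c:\out.txt"},
    {"host": "ws02", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# Constructed flow records: source, destination, destination port.
FLOW_EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dst_port": 135},
    {"src": "10.0.0.17", "dst": "10.0.0.20", "dst_port": 135},
    {"src": "10.0.0.17", "dst": "10.0.0.20", "dst_port": 443},
]

# wmic /node:target or /node:"target" (targets may be comma-separated).
WMIC_NODE_RE = re.compile(r'/node:"?([^\s"]+)', re.IGNORECASE)
# wmic ... process call create ... (Win32_Process.Create through the wmic alias)
PROCESS_CREATE_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)

# Interpreters and LOLBins whose parent should rarely be the WMI provider host.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
          "regsvr32.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(ev):
    """Return a list of (severity, message) findings for one process-creation event."""
    findings = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    if image == "wmic.exe":
        node = WMIC_NODE_RE.search(cmd)
        if node:
            findings.append(("high", f"wmic targeting remote host {node.group(1)}"))
        if PROCESS_CREATE_RE.search(cmd):
            findings.append(("high", "wmic process call create (execution via Win32_Process)"))
        if not findings:
            # Local queries are common in admin scripts; keep them for discovery hunting only.
            findings.append(("low", "local wmic query (possible discovery)"))
    if parent == "wmiprvse.exe" and image in SHELLS:
        findings.append(("high", f"{image} spawned by WMI provider host (remote execution landing)"))
    return findings


def suspicious_flows(flows, admin_hosts=ADMIN_HOSTS):
    """Flows to the RPC endpoint mapper from hosts not expected to administer via WMI."""
    return [f for f in flows if f["dst_port"] == RPC_EPM_PORT and f["src"] not in admin_hosts]


def run_detection(process_events=PROCESS_EVENTS, flows=FLOW_EVENTS):
    """Combine host and network rules into a flat list of (source, severity, message)."""
    alerts = []
    for ev in process_events:
        for sev, msg in classify_process(ev):
            alerts.append((ev["host"], sev, msg))
    for f in suspicious_flows(flows):
        alerts.append((f["src"], "medium",
                       f"RPC endpoint mapper connection to {f['dst']}:{f['dst_port']} from non-admin host"))
    return alerts


if __name__ == "__main__":
    for source, severity, message in run_detection():
        print(f"[{severity:6}] {source}: {message}")
```

Correlating the two high-severity host findings (wmic /node: on ws01 and cmd.exe under WmiPrvSE.exe on fs01, the named target) is what turns two weak signals into a confident lateral-movement detection; the port 135 flow rule on its own is noisy, because the endpoint mapper is also used by many legitimate RPC services.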
Details Type Published Attributes CTI Title
Details Website 2020-04-03 44 Zoomed In: A Look into a Coinminer Bundled with Zoom Installer
Details Website 2020-04-02 189 Nemty Ransomware - Learning by Doing | McAfee Blog
Details Website 2020-03-23 18 Latest Astaroth attacks are even more invisible but not less observable
Details Website 2020-03-05 125 Guildma: The Devil drives electric | WeLiveSecurity
Details Website 2020-02-07 37 Emotet Technical Analysis - Part 2 PowerShell Unveiled
Details Website 2020-02-05 44 Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting - SentinelLabs
Details Website 2020-01-31 12 DLL Side-loading & Hijacking | DLL Abuse Techniques Overview
Details Website 2020-01-29 54 Emotet Technical Analysis - Part 1 Reveal the Evil Code
Details Website 2020-01-01 47 Advanced Persistent Threat Targeting Vietnamese Human Rights Defenders | Huntress
Details Website 2019-12-29 50 BRONZE PRESIDENT Targets NGOs
Details Website 2019-12-20 18 A Shortcut to Compromise: Cobalt Gang phishing campaign
Details Website 2019-12-17 41 Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia
Details Website 2019-12-12 13 Monero Miner Obfuscated via Process Hollowing
Details Website 2019-12-05 80 xHunt Campaign: xHunt Actor’s Cheat Sheet
Details Website 2019-11-05 6 Buran Ransomware; the Evolution of VegaLocker | McAfee Blog
Details Website 2019-10-17 37 Operation Ghost: The Dukes aren’t back – they never left | WeLiveSecurity
Details Website 2019-10-07 134 China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations
Details Website 2019-10-01 82 Head Fake: Tackling Disruptive Ransomware Attacks | Mandiant
Details Website 2019-09-26 95 Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host
Details Website 2019-09-20 0 Magecart Attacks and Is Your Smart TV Spying on You?
Details Website 2019-09-19 15 GhostMiner Weaponizes WMI, Kills Other Mining Payloads
Details Website 2019-09-18 0 Secrets of latest Smominru botnet variant revealed in new attack
Details Website 2019-09-17 1 Fileless Malware 101: Understanding Non-Malware Attacks
Details Website 2019-09-09 1 Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study | McAfee Blog