Common Information

Type | Value
Value | Windows Management Instrumentation - T1047
Category | Attack-Pattern
Type | Mitre-Enterprise-Attack-Attack-Pattern
Misp Type | Cluster
Description

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on Server Message Block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)

Platforms: Windows

Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring

Permissions Required: User, Administrator

System Requirements: WMI service, winmgmt, running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.

Remote Support: Yes
Details | Published | Attributes | CTI | Title
Details | Website | 2019-09-05 | 0 | Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment | Mandiant
Details | Website | 2019-08-19 | 9 | IT threat evolution Q2 2019
Details | Website | 2019-08-19 | 122 | Uncovering a MyKings Variant Via MDR
Details | Website | 2019-08-06 | 9 | LokiBot Gains New Persistence Mechanism, Steganography
Details | Website | 2019-08-01 | 53 | From Carnaval to Cinco de Mayo – The journey of Amavaldo | WeLiveSecurity
Details | Website | 2019-07-29 | 36 | Dridex Threat Analysis: Masquerading and Code Injection Techniques
Details | Website | 2019-07-08 | 18 | Dismantling a fileless campaign: Microsoft Defender ATP's Antivirus exposes Astaroth attack - Microsoft Security Blog
Details | Website | 2019-06-04 | 21 | It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign
Details | Website | 2019-06-03 | 40 | BlackSquid Infects Servers and Drives, 8 Exploits Used
Details | Website | 2019-05-29 | 56 | A dive into Turla PowerShell usage | WeLiveSecurity
Details | Website | 2019-05-23 | 19 | Sorpresa! JasperLoader targets Italy with a new bag of tricks
Details | Website | 2019-05-20 | 33 | Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
Details | Website | 2019-05-07 | 2 | ATT&CK Series: Execution
Details | Website | 2019-04-30 | 281 | Buhtrap backdoor and Buran ransomware distributed via major advertising platform | WeLiveSecurity
Details | Website | 2019-04-24 | 67 | NovaLoader—A Brazilian Banking Malware | Zscaler Blog
Details | Website | 2019-04-09 | 2 | Detecting Lateral Movement in RSA NetWitness: WMI
Details | Website | 2019-03-14 | 20 | MSXSL.EXE AND WMIC.EXE — A Way to Proxy Code Execution
Details | Website | 2019-02-18 | 8 | Distributing Malware, one "Word" at a Time TechBlog
Details | Website | 2019-02-13 | 4 | New Astaroth Trojan Variant Exploits Anti-Malware Software to Steal Info
Details | Website | 2019-02-06 | 0 | The Fileless, Non-Malware Menace | Trend Micro News
Details | Website | 2019-01-25 | 7 | Application approval in SCCM 1810 and beyond is a game changer
Details | Website | 2019-01-24 | 127 | Cisco AMP tracks new campaign that delivers Ursnif
Details | Website | 2019-01-03 | 84 | LOLbins and trojans: How the Ramnit Trojan spreads via sLoad in a cyberattack
Details | Website | 2018-12-18 | 63 | Sofacy Creates New ‘Go’ Variant of Zebrocy Tool