Common Information
Type Value
Value Windows Management Instrumentation - T1047
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and on the Server Message Block (SMB) protocol (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)
Detection Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)
Platforms Windows
Data Sources Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required User, Administrator
System Requirements WMI service, winmgmt, running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.
Remote Support Yes
Details Published Attributes CTI Title
Details Website 2024-09-02 7 RansomHub Detection: The FBI, CISA, and Partners Warn Against a Growing RaaS Variant Targeting Critical Infrastructure Organizations - SOC Prime
Details Website 2024-08-30 13 US CERT Alert AA24-242A (RansomHub Ransomware)
Details Website 2024-08-30 24 Emulating the Extortionist Mallox Ransomware
Details Website 2024-08-30 6 Critical Advisory On RansomHub Ransomware - Cyble
Details Website 2024-08-30 47 OceanLotus (APT32) APT IOCs - SEC-1275-1
Details Website 2024-08-29 269 #StopRansomware: RansomHub Ransomware | CISA
Details Website 2024-08-22 1 Service Account Abuse - ReliaQuest
Details Website 2024-08-20 7 Exploring Impacket Abuse - ReliaQuest
Details Website 2024-08-20 11 RansomHub Ransomware – Everything You Need to Know | Red Piranha
Details Website 2024-08-14 8 Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities - Check Point Research
Details Website 2024-08-12 2 Phobos Unleashed: Navigating the Maze of Ransomware's Ever-Evolving…
Details Website 2024-08-12 3 Art of the Hunt: Building a Threat Hunting Hypothesis List
Details Website 2024-08-08 35 PureHVNC Deployed via Python Multi-stage Loader | FortiGuard Labs
Details Website 2024-07-31 0 SYS01 Infostealer and Rilide Malware Likely Developed by the Same Threat Actor
Details Website 2024-07-30 49 UNC4393 Goes Gently into the SILENTNIGHT | Google Cloud Blog
Details Website 2024-07-25 13 SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea
Details Website 2024-07-22 6 Threat Hunting Case Study: Looking for Volt Typhoon
Details Website 2024-06-28 41 Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer
Details Website 2024-06-20 11 Common Windows Incident Response Triage Checks
Details Website 2024-05-23 44 How ransomware abuses BitLocker
Details Website 2024-05-21 43 Uncovering an undetected KeyPlug implant attacking industries in Italy - Yoroi
Details Website 2024-05-16 73 Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID — Elastic Security Labs
Details Website 2024-05-15 45 To the Moon and back(doors): Lunar landing in diplomatic missions
Details Website 2024-05-10 256 #StopRansomware: Black Basta | CISA
Details Website 2024-05-10 76 Kimsuky APT Attack Discovered Using Facebook and the MS Management Console