Common Information
Value: Windows Management Instrumentation - T1047
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
MISP Type: Cluster
Description
Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service (winmgmt) for local and remote access, and on Server Message Block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI) Note that port 135 is only the RPC endpoint mapper: the DCOM session that actually carries the remote WMI traffic is negotiated onto a dynamically assigned high port, so a firewall rule that permits only 135 does not by itself allow remote WMI to function.

An adversary can use WMI to interact with local and remote systems and as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)

Detection: Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture the command-line arguments of "wmic" and detect commands that are used to perform remote behavior (for example, a /node: argument naming another host). (Citation: FireEye WMI 2015)
Platforms: Windows
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WMI service (winmgmt) running. Host/network firewalls allowing SMB and WMI ports from source to destination. SMB authentication.
Remote Support: Yes
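The Detection paragraph above recommends capturing wmic command lines and flagging the ones that act on a remote host. The following is an added example written for this page, not code from MITRE, MISP or any of the cited reports: it runs a small set of rules over process-creation records. The record fields (host, image, command line, parent image) mirror what Sysmon Event ID 1 or Security event 4688 provide, and the five sample events are constructed for the example. Two of the rules come straight from the page (wmic with a remote /node: target, with or without "process call create"); the third, treating a cmd.exe or powershell.exe child of WmiPrvSE.exe on the destination host as the receiving side of the same activity, is a practitioner heuristic that the page itself does not state.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """One process-creation record (constructed; field names are this example's own)."""
    host: str           # host that logged the event
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    host: str
    rule: str
    targets: list = field(default_factory=list)   # remote hosts named on the command line
    command_line: str = ""


# Names that point back at the console itself; a /node: with one of these is not lateral.
LOCAL_NAMES = {".", "localhost", "127.0.0.1", "::1"}

# wmic accepts /node:HOST, /node:"HOST" and /node:host1,host2 (and /node:@file,
# which this example reports verbatim rather than reading the file).
NODE_RE = re.compile(r'/node:(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# "process call create" is the wmic spelling of the Win32_Process.Create method.
PROCESS_CREATE_RE = re.compile(r'\bprocess\b.*\bcall\s+create\b', re.IGNORECASE)

# Children that the WMI provider host should not normally be spawning on an endpoint.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                    "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_targets(command_line: str) -> list:
    """Hosts named by a /node: argument, excluding names that mean 'this machine'."""
    m = NODE_RE.search(command_line)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    targets = []
    for part in raw.split(","):
        name = part.strip().strip('"')
        if name and name.lower() not in LOCAL_NAMES:
            targets.append(name)
    return targets


def analyze(events) -> list:
    """Apply the three rules to a sequence of ProcessEvent records."""
    findings = []
    for ev in events:
        image = basename(ev.image)
        parent = basename(ev.parent_image)

        # Source side: wmic.exe pointed at another host.
        if image == "wmic.exe":
            targets = remote_targets(ev.command_line)
            if targets:
                rule = ("wmi_remote_exec" if PROCESS_CREATE_RE.search(ev.command_line)
                        else "wmi_remote_query")
                findings.append(Finding(ev.host, rule, targets, ev.command_line))

        # Destination side: the WMI provider host launching a shell or script host.
        if parent == "wmiprvse.exe" and image in SUSPECT_CHILDREN:
            findings.append(Finding(ev.host, "wmi_spawned_process", [], ev.command_line))
    return findings


# Constructed sample telemetry: one remote execution seen from both ends, one local
# query, one query aimed at the local machine, and one remote inventory query.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
                 r'wmic /node:"FS02" /user:CORP\admin process call create "cmd.exe /c whoami > C:\Windows\Temp\out.txt"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic os get caption", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS02", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c whoami > C:\Windows\Temp\out.txt",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic /node:localhost process list brief", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic /node:SRV01,SRV02 qfe list", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} targets={f.targets} :: {f.command_line}")
```

Run stand-alone it prints three findings: the remote "process call create" from WS01 against FS02, the cmd.exe that WmiPrvSE.exe spawned on FS02 as a result, and the read-only inventory query against SRV01 and SRV02 (reported at the weaker "query" level, since gathering information is the Discovery use the page describes). The matching rule for PowerShell's Invoke-WmiMethod / Invoke-CimMethod with -ComputerName would be a straightforward addition.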
Related CTI reports
Published    Attributes  Title
2024-04-09   7           Raspberry Robin Now Spreading Through Windows Script Files | HP Wolf Security
2024-03-20   37          The Updated APT Playbook: Tales from the Kimsuky threat actor group | Rapid7 Blog
2024-03-18   96          Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
2024-03-15   45          Malware analysis report: Smoke Loader
2024-03-12   24          Tweaks Stealer Targets Roblox Users Through YouTube and Discord
2024-02-13   0           The Next Evolution of Recorded Future AI: Powering the Future of Threat Intelligence | Recorded Future
2024-02-13   38          CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
2024-02-13   39          CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
2024-01-29   115         Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
2024-01-23   18          Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver
2024-01-23   19          Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver
2024-01-01   47          Hardening of HardBit
2024-01-01   28          I am Goot (Loader)
2024-01-01   81          CUCKOO SPEAR Part 2: Threat Actor Arsenal
2024-01-01   25          THREAT ANALYSIS: Beast Ransomware
2023-12-13   1           What is an advanced persistent threat (APT)?
2023-12-06   198         Russia/Ukraine Update - December 2023
2023-11-28   81          Aki-RATs - Command and Control Party
2023-11-23   18          ParaSiteSnatcher: How Malicious Chrome Extensions Target Brazil
2023-11-20   0           Navigating the Evolving Landscape of File-Based Cyber Threats - InQuest
2023-11-20   1           Gamaredon's LittleDrifter USB malware spreads beyond Ukraine
2023-11-19   117         LitterDrifter: a new USB worm used by the Gamaredon group
2023-11-17   78          Malware Spotlight - Into the Trash: Analyzing LitterDrifter - Check Point Research
2023-11-13   78          Don't throw a hissy fit; defend against Medusa