T1047: Windows Management Instrumentation
| View on MITRE ATT&CK | T1047 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Investigating New INC Ransom Group Activity
This blog post from huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
How to detect this technique
MITRE ATT&CK Data Components
WMI Creation (WMI)
Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
WMI Reconnaissance Processes
WMI Reconnaissance Users
Create a Process using WMI Query and an Encoded Command
WMI Reconnaissance List Remote Services
WMI Execute rundll32
WMI Execute Local Process
WMI Reconnaissance Software
Application uninstall using WMIC
Create a Process using obfuscated Win32_Process
WMI Execute Remote Process
Sigma Detections for this Technique
WMI Event Consumer Created Named Pipe
Application Terminated Via Wmic.EXE
Process Reconnaissance Via Wmic.EXE
Suspicious HH.EXE Execution
HackTool - CrackMapExec Execution Patterns
Suspicious Process Created Via Wmic.EXE
Suspicious Microsoft Office Child Process
Potential SquiblyTwo Technique Execution
Potential Product Class Reconnaissance Via Wmic.EXE
WMImplant Hack Tool
WmiPrvSE Spawned A Process
New Process Created Via Wmic.EXE
WMIC Remote Command Execution
Wmiprvse Wbemcomn DLL Hijack
Application Removed Via Wmic.EXE
Blue Mockingbird - Registry
MITRE BZAR Indicators for Execution
T1047 Wmiprvse Wbemcomn DLL Hijack
Suspicious WmiPrvSE Child Process
Service Started/Stopped Via Wmic.EXE
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Wmiprvse Wbemcomn DLL Hijack - File
Computer System Reconnaissance Via Wmic.EXE
Script Event Consumer Spawning Process
Successful Account Login Via WMI
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Service Reconnaissance Via Wmic.EXE
HackTool - Potential Impacket Lateral Movement Activity
WMIC Unquoted Services Path Lookup - PowerShell
HackTool - CrackMapExec Execution
System Disk And Volume Reconnaissance Via Wmic.EXE
Potential Product Reconnaissance Via Wmic.EXE
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Hardware Model Reconnaissance Via Wmic.EXE
Wmiexec Default Output File
HTML Help HH.EXE Suspicious Child Process
Suspicious Encoded Scripts in a WMI Consumer
PSExec and WMI Process Creations Block
Remote DCOM/WMI Lateral Movement
Suspicious WMIC Execution Via Office Process
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.