T1047: Windows Management Instrumentation
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.
The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management. Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads. For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).
Note: wmic.exe is deprecated as of January 2024, with the WMIC feature being "disabled by default" on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface. In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- microsoft_mecm: PT-CR-1854: MECM_Discovery_Via_WMI: Attackers can use queries to WMI classes to retrieve sensitive MECM-related data
- mitre_attck_execution: PT-CR-207: Suspicious_Wmic_Command: An attempt to use "wmic" for suspicious activity is detected
- mitre_attck_execution: PT-CR-2223: Execute_Via_Wmiprvse: A process was started using Windows Management Instrumentation (WMI). Attackers use WMI to execute malicious commands and obtain useful data.
- mitre_attck_initial_access: PT-CR-2447: WMI_Execution_Via_VBA_Macro: A process was created using a Windows Management Instrumentation command from a Microsoft Office document macro
- mitre_attck_lateral_movement: PT-CR-216: Remoting_WMI: Detects the use of WMI for remote code execution
- mitre_attck_lateral_movement: PT-CR-1374: Impacket_Like_Execution: Script execution patterns based on the Impacket tool are detected
- hacking_tools: PT-CR-2450: WMEye_Execution: Possible use of the WMEye utility for remote execution of arbitrary code and lateral movement. The WMEye utility creates a WMI event filter to write a payload to a file and execute the payload using the MSBuild.exe process.
- hacking_tools: PT-CR-365: Koadic_WMIC_Stager: Possible use of the Koadic software via a WMI script is detected
- hacking_tools: PT-CR-2449: WMEye_Event_Filter_Creation: A WMI event filter is created, and the MSBuild.exe process is started to execute a payload written to a file using the created event filter. This may indicate the use of the WMEye utility, which allows lateral movement to other infrastructure hosts and remote execution of arbitrary code.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Connection Creation | Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests are over RPC, they connect to a DCOM interface within the RPC group. Look for instances of WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, race conditions can occur and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted. After the WMI connection has been initialized, a process can be remotely launched using the command: This leaves artifacts at both a network (RPC) and process (command line) level. After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified. When the command line is executed, it has the parent process of Certain strings can be identifiers of the WMI by looking up the interface UUID for This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. The transfer syntax is Thus, a great ASCII-based signature is Note: To detect WMI over RPC (using DCOM), a sensor needs to exist that has insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. Analytic 1 - Remote WMI over RPC |
| DS0009 | Process: Process Creation | Monitor for newly constructed processes and/or command-lines of "wmic". If the command line utility Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). Besides executing arbitrary processes, wmic.exe can also be used to execute data stored in NTFS alternate data streams (NTFS File Attributes). Look for instances of wmic.exe as well as the substrings in the command line: Analytic 1: Create Remote Process via WMIC |
| DS0005 | WMI: WMI Creation | Monitor for newly constructed WMI objects that will execute malicious commands and payloads. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that are used to perform remote behavior. |
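The two host-side analytics above (DS0029: a process launched by wmiprvse.exe right after an inbound WMI connection, including the race condition the text warns about; DS0009: suspicious wmic.exe command lines) as an added Python example, not code from the ATT&CK page or from Positive Technologies. The Sysmon-style events are constructed, the 5-second window is my choice, and the wmic.exe indicator substrings are my assumption, since the page's own list is not reproduced here.

```python
from datetime import datetime, timedelta
# Constructed Sysmon-style sample events (not from the page): network
# connections (Event ID 3) and process creations (Event ID 1), fields trimmed.
NETWORK_EVENTS = [
    {"time": "2024-05-01T10:00:00", "src_ip": "10.0.0.5", "dst_port": 135},
    {"time": "2024-05-01T10:00:01", "src_ip": "10.0.0.5", "dst_port": 49670},
    {"time": "2024-05-01T11:30:00", "src_ip": "10.0.0.9", "dst_port": 5985},
]
PROCESS_EVENTS = [
    {"time": "2024-05-01T10:00:02", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami > C:\\Windows\\Temp\\out.txt"},
    {"time": "2024-05-01T10:00:03", "parent": "wmiprvse.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c hostname"},
    {"time": "2024-05-01T10:45:00", "parent": "explorer.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"time": "2024-05-01T12:00:00", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
]
WMI_PORTS = {135, 5985, 5986}   # DCOM endpoint mapper, WinRM HTTP and HTTPS
WINDOW = timedelta(seconds=5)   # how closely a connection must precede the process
# Assumed wmic.exe indicators: my choice, not the page's own (elided) substring list.
WMIC_INDICATORS = ("shadowcopy delete", "process call create", "/node:")

def ts(s):
    return datetime.fromisoformat(s)

def correlate_remote_wmi(net_events=NETWORK_EVENTS, proc_events=PROCESS_EVENTS, window=WINDOW):
    """Pair each process spawned by wmiprvse.exe with the inbound WMI connections seen
    shortly before it. ambiguous=True marks the race the page warns about: several
    connections or several wmiprvse.exe children land in the same window."""
    conns = [c for c in net_events if c["dst_port"] in WMI_PORTS]
    children = [p for p in proc_events if p["parent"].lower() == "wmiprvse.exe"]
    alerts = []
    for p in children:
        t = ts(p["time"])
        sources = sorted({c["src_ip"] for c in conns if timedelta(0) <= t - ts(c["time"]) <= window})
        siblings = [q for q in children if q is not p and abs(ts(q["time"]) - t) <= window]
        alerts.append({"image": p["image"], "cmdline": p["cmdline"], "sources": sources,
                       "remote": bool(sources), "ambiguous": len(sources) > 1 or bool(siblings)})
    return alerts

def suspicious_wmic(proc_events=PROCESS_EVENTS, indicators=WMIC_INDICATORS):
    """Flag wmic.exe command lines containing any indicator (case-insensitive)."""
    return [p["cmdline"] for p in proc_events if p["image"].lower() == "wmic.exe"
            and any(i in p["cmdline"].lower() for i in indicators)]

if __name__ == "__main__":
    for alert in correlate_remote_wmi() + [{"wmic": h} for h in suspicious_wmic()]:
        print(alert)
```

A wmiprvse.exe child with no matching connection (the last alert, remote=False) is still worth a lower-severity rule, since it corresponds to local WMI execution of the kind PT-CR-2223 covers.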
Mitigation
| ID | Name | Description |
|---|---|---|
| M1026 | Privileged Account Management | Prevent credential overlap across systems of administrator and privileged accounts. |
| M1018 | User Account Management | By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. |
| M1038 | Execution Prevention | Use application control configured to block execution of |