T1047: Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.

The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management. Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads. For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).

Note: wmic.exe is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface. In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

  • microsoft_mecm: PT-CR-1854: MECM_Discovery_Via_WMI: Attackers can use queries to WMI classes to retrieve sensitive MECM-related data
  • mitre_attck_execution: PT-CR-207: Suspicious_Wmic_Command: An attempt to use "wmic" for suspicious activity is detected
  • mitre_attck_execution: PT-CR-2223: Execute_Via_Wmiprvse: A process was started using Windows Management Instrumentation (WMI). Attackers use WMI to execute malicious commands and obtain useful data.
  • mitre_attck_initial_access: PT-CR-2447: WMI_Execution_Via_VBA_Macro: A process was created using a Windows Management Instrumentation command from a Microsoft Office document macro
  • mitre_attck_lateral_movement: PT-CR-216: Remoting_WMI: Use of WMI for remote code execution is detected
  • mitre_attck_lateral_movement: PT-CR-1374: Impacket_Like_Execution: Script execution patterns based on the Impacket tool are detected
  • hacking_tools: PT-CR-2450: WMEye_Execution: Possible use of the WMEye utility for remote execution of arbitrary code and lateral movement. The WMEye utility creates a WMI event filter to write a payload to a file and execute the payload using the MSBuild.exe process.
  • hacking_tools: PT-CR-365: Koadic_WMIC_Stager: Possible use of the Koadic software via a WMI script is detected
  • hacking_tools: PT-CR-2449: WMEye_Event_Filter_Creation: A WMI event filter is created, and the MSBuild.exe process is started to execute a payload written to a file using the created event filter. This may indicate the use of the WMEye utility, which allows lateral movement to other infrastructure hosts and remote execution of arbitrary code.

Detection

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description:

Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests go over RPC, they connect to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed either at the network level that can decode RPC traffic, or on the host, where the communication can be detected more natively, such as with Event Tracing for Windows. Using Wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. This returns a superset of the WMI activity and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at: rpcss_dcom_interfaces.html

Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.

After the WMI connection has been initialized, a process can be remotely launched using the command: wmic /node:"" process call create "", which is detected in the third Detection Pseudocode.

This leaves artifacts at both a network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.

After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.

When the command line is executed, it has the parent process of C:\windows\system32\wbem\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.

Certain strings can serve as identifiers of WMI traffic; they come from the interface UUID of IRemUnknown2 expressed in different representations:

  • UUID 00000143-0000-0000-c000-000000000046 (decoded)
  • Hex 43 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 (raw)
  • ASCII CF (printable text only)

This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. The transfer syntax is

  • UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (decoded)
  • Hex 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 (raw)
  • ASCII ]+H` (printable text only)

Thus, a great ASCII-based signature is

  • CF]+H`CFCFhost"
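As an added example (not code from the original page, MITRE or Positive Technologies), the following Python derives the raw and printable-only forms of the two UUIDs above from their textual form and checks a constructed byte stream for the IRemUnknown2 interface the way a sensor with raw or ASCII-only visibility would; the backtick in the ASCII signature is the printable 0x60 byte at the end of the transfer syntax.

```python
import uuid

# Interface and transfer-syntax UUIDs as quoted on the page, plus the
# ASCII-only signature their printable bytes produce (0x60 is the backtick).
IREMUNKNOWN2 = "00000143-0000-0000-c000-000000000046"
NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"
ASCII_SIGNATURE = 'CF]+H`CFCFhost"'

def wire_bytes(uuid_text: str) -> bytes:
    """The 16 raw bytes as DCE/RPC encodes a UUID: the first three fields
    little-endian, the last two in order (the page's 'raw' hex form)."""
    return uuid.UUID(uuid_text).bytes_le

def printable_only(raw: bytes) -> str:
    """What a printable-text-only sensor keeps: every non-ASCII byte dropped."""
    return "".join(chr(b) for b in raw if 0x20 <= b < 0x7F)

def count_interface(stream: bytes, uuid_text: str) -> int:
    """Non-overlapping occurrences of a UUID's wire form in a raw capture."""
    return stream.count(wire_bytes(uuid_text))

def matches_wmi_signature(stream: bytes) -> bool:
    """Raw check (IRemUnknown2 seen three times, as the page describes) or the
    ASCII-only check for a sensor that keeps printable text only."""
    raw_hit = count_interface(stream, IREMUNKNOWN2) >= 3
    ascii_hit = ASCII_SIGNATURE in printable_only(stream)
    return raw_hit or ascii_hit

# Constructed sample (not a real capture): interface UUID, transfer syntax,
# interface UUID twice more, then the 'host' literal, separated by NUL padding.
PAD = b"\x00" * 4
SAMPLE_BIND = (PAD + wire_bytes(IREMUNKNOWN2) + PAD + wire_bytes(NDR_TRANSFER_SYNTAX)
               + PAD + wire_bytes(IREMUNKNOWN2) + PAD + wire_bytes(IREMUNKNOWN2)
               + PAD + b'host"' + PAD)

if __name__ == "__main__":
    print(wire_bytes(IREMUNKNOWN2).hex(" "))      # 43 01 00 00 ... 00 46
    print(printable_only(SAMPLE_BIND))             # CF]+H`CFCFhost"
    print(matches_wmi_signature(SAMPLE_BIND))      # True
```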

Note: To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2.

Analytic 1 - Remote WMI over RPC

source="*Zeek:RPC" dest_port="135" protocol_rpc_interface="IRemUnknown2"

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly constructed processes and/or command lines of "wmic". If the command line utility wmic.exe is used on the source host, then it can additionally be detected with an analytic. The command line on the source host is constructed into something like wmic.exe /node:"<hostname>" process call create "<command line>". It is possible to also connect via IP address, in which case the string "<hostname>" would instead be an IP address. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.

Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created).

Besides executing arbitrary processes, wmic.exe can also be used to execute data stored in NTFS alternate data streams (NTFS File Attributes). Look for instances of wmic.exe as well as the following substrings in the command line:

  • process call create
  • /node:

Analytic 1: Create Remote Process via WMIC

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="*wmic.exe" AND CommandLine="* process call create *"
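As an added example (not from the original page or either vendor), the following Python runs both host-side analytics described above over constructed events: the source-host check for a wmic.exe command line containing /node: and process call create, and the target-host merge of an inbound 135/tcp connection with the process WmiPrvSE.exe spawns right after it. The event format, the 5-second merge window and the host names are assumptions; when several children appear inside the window (the race condition noted above) the result is reported as ambiguous instead of merging the wrong process.

```python
from datetime import datetime, timedelta

MERGE_WINDOW = timedelta(seconds=5)   # assumption: "immediately after" means within 5 s
WMIPRVSE = r"c:\windows\system32\wbem\wmiprvse.exe"

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' event line (assumed format)."""
    ev = dict(field.split("=", 1) for field in line.split("|"))
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def is_remote_wmic(ev: dict) -> bool:
    """Source-host analytic: wmic.exe started with /node: and 'process call create'."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("image", "").lower().endswith("\\wmic.exe")
            and "/node:" in cmd and "process call create" in cmd)

def merge_wmi_connections(events: list) -> list:
    """Target-host analytic: pair each inbound 135/tcp connection with the child
    WmiPrvSE.exe spawns within MERGE_WINDOW on the same host. Several candidate
    children in the window are reported as ambiguous, not merged blindly."""
    conns = [e for e in events if e["type"] == "net" and e["dport"] == "135"]
    kids = [e for e in events if e["type"] == "proc"
            and e.get("parent", "").lower() == WMIPRVSE]
    out = []
    for c in conns:
        cands = [k for k in kids if k["host"] == c["host"]
                 and c["time"] <= k["time"] <= c["time"] + MERGE_WINDOW]
        if len(cands) == 1:
            out.append((c["host"], c["src"], cands[0]["cmdline"]))
        elif cands:
            out.append((c["host"], c["src"],
                        "AMBIGUOUS: " + " ; ".join(k["cmdline"] for k in cands)))
    return out

# Constructed sample events (not real logs): a wmic.exe launch on ws1, then on srv2
# an inbound 135/tcp connection followed by one WmiPrvSE.exe child, and later a
# second connection followed by two children inside the window.
SAMPLE_EVENTS = [
    "type=proc|time=2024-03-01T10:00:00|host=ws1|image=C:\\Windows\\System32\\wbem\\wmic.exe"
    '|cmdline=wmic.exe /node:"srv2" process call create "cmd.exe /c whoami"',
    "type=net|time=2024-03-01T10:00:01|host=srv2|src=10.0.0.5|dport=135",
    "type=proc|time=2024-03-01T10:00:02|host=srv2|image=C:\\Windows\\System32\\cmd.exe"
    "|parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|cmdline=cmd.exe /c whoami",
    "type=net|time=2024-03-01T10:05:00|host=srv2|src=10.0.0.9|dport=135",
    "type=proc|time=2024-03-01T10:05:01|host=srv2|image=C:\\Windows\\System32\\cmd.exe"
    "|parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|cmdline=cmd.exe /c hostname",
    "type=proc|time=2024-03-01T10:05:02|host=srv2|image=C:\\Windows\\System32\\cmd.exe"
    "|parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|cmdline=cmd.exe /c ipconfig",
]

if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    print([e["cmdline"] for e in events if is_remote_wmic(e)])
    for row in merge_wmi_connections(events):
        print(row)
```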

ID: DS0005
Data source and component: WMI: WMI Creation
Description:

Monitor for newly constructed WMI objects that will execute malicious commands and payloads.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments for actions that are used to perform remote behavior.

Mitigation

ID: M1026
Name: Privileged Account Management
Description:

Prevent credential overlap across systems of administrator and privileged accounts.

ID: M1018
Name: User Account Management
Description:

By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

ID: M1040
Name: Behavior Prevention on Endpoint
Description:

On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution.

ID: M1038
Name: Execution Prevention
Description:

Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.