Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021.

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service (winmgmt) for local and remote access, and on Server Message Block (SMB) [1] and Remote Procedure Call (RPC) [2] for remote access. The RPC endpoint mapper listens on TCP port 135; the DCOM session that carries the actual WMI calls is then assigned a port from the RPC dynamic range, so a firewall rule for port 135 alone does not make remote WMI work. [3]

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. [4] [5]
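The remote execution path described above, as an added example that is not from the ATT&CK page: a PowerShell function that drives Win32_Process.Create on another host over DCOM. The host name, account and command line in the usage comment are placeholders; the function assumes the caller's credential is a member of the target's local Administrators group and that TCP 135 plus the RPC dynamic range (49152-65535 by default) are open from the source to the target.

```powershell
# Added example (not from the ATT&CK page): remote execution through WMI's
# Win32_Process.Create over DCOM, the path this technique describes.
# Assumptions: $Target resolves and is reachable, $Credential is an account in
# the target's local Administrators group, and TCP 135 plus the RPC dynamic
# port range (49152-65535 by default) are open from this host to the target.

function Invoke-RemoteWmiProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $CommandLine,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # Stage 1: the RPC endpoint mapper on TCP 135 must answer, otherwise DCOM
    # cannot learn the dynamic port the WMI session will run on.
    $epm = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
    if (-not $epm.TcpTestSucceeded) {
        throw "TCP 135 on $Target is not reachable; remote WMI over DCOM cannot start."
    }

    # Stage 2: force DCOM rather than WinRM so the traffic matches the
    # 135 + dynamic-port pattern this page describes.
    $opt     = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $Target -Credential $Credential -SessionOption $opt
    try {
        # Stage 3: Win32_Process.Create starts the process on the target as a
        # child of WmiPrvSE.exe, which is what process-lineage detections key on.
        $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
                                   -MethodName Create -Arguments @{ CommandLine = $CommandLine }
    }
    finally {
        Remove-CimSession -CimSession $session
    }

    # Documented Win32_Process.Create return values.
    $codes = @{ 0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
                8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter' }
    if ($result.ReturnValue -ne 0) {
        $why = $codes[[int]$result.ReturnValue]
        throw "Win32_Process.Create on $Target failed: $($result.ReturnValue) ($why)"
    }
    return $result.ProcessId
}

# Usage (host name, account and command are placeholders):
# $cred = Get-Credential 'LAB\wmiadmin'
# Invoke-RemoteWmiProcess -Target 'ws01.lab.local' -Credential $cred `
#     -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\out.txt'
```

Win32_Process.Create returns only a process ID, never the command's output, which is why wmiexec-style tools redirect output to a file under an administrative share and fetch it over SMB; that is the SMB dependency noted above, and it is also why the spawned process shows up on the target with WmiPrvSE.exe as its parent.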

ID: T1047
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: Windows
System Requirements: WMI service (winmgmt) running; host/network firewalls allowing SMB and the WMI ports (TCP 135 plus the RPC dynamic port range) from source to destination; SMB authentication.
Permissions Required: Administrator, User
Data Sources: Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Supports Remote:  Yes
Version: 1.1
Created: 31 May 2017
Last Modified: 13 May 2020

Procedure Examples

Name Description
APT29

APT29 used WMI to steal credentials and execute backdoors at a future time.[6]

APT32

APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.[7]

APT41

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[8]

Astaroth

Astaroth uses WMIC to execute payloads. [9]

BlackEnergy

A BlackEnergy 2 plug-in uses WMI to gather victim host details.[10]

Blue Mockingbird

Blue Mockingbird has used wmic.exe to set environment variables.[11]

Chimera

Chimera has used WMIC to execute remote commands.[12]

Cobalt Strike

Cobalt Strike can use WMI to deliver a payload to a remote host.[13]

CrackMapExec

CrackMapExec can execute remote commands using Windows Management Instrumentation.[14]

Deep Panda

The Deep Panda group is known to utilize WMI for lateral movement.[15]

DustySky

The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.[16]

Emotet

Emotet has used WMI to execute powershell.exe.[17]

Empire

Empire can use WMI to deliver a payload to a remote host.[18]

EvilBunny

EvilBunny has used WMI to gather information about the system.[19]

FELIXROOT

FELIXROOT uses WMI to query the Windows Registry.[20]

FIN6

FIN6 has used WMI to automate the remote execution of PowerShell scripts.[21]

FIN8

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during and post compromise cleanup activities.[22][23]

FlawedAmmyy

FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.[24]

Frankenstein

Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version.[25]

GravityRAT

GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).[26]

HALFBAKED

HALFBAKED can use WMI queries to gather system information.[27]

HOPLIGHT

HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.[28]

IcedID

IcedID has used WMI to execute binaries.[29]

Impacket

Impacket's wmiexec module can be used to execute commands through WMI.[30]

jRAT

jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[31]

Kazuar

Kazuar obtains a list of running processes through WMI querying.[32]

Koadic

Koadic can use WMI to execute commands.[33]

KOMPROGO

KOMPROGO is capable of running WMI queries.[34]

Lazarus Group

Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement.[35][36]

Leviathan

Leviathan has used WMI for execution.[37]

Maze

Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.[38][39]

menuPass

menuPass uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[40][41]

Micropsia

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[42][43]

Mosquito

Mosquito's installer uses WMI to search for antivirus display names.[44]

MuddyWater

MuddyWater has used malware that leveraged WMI for execution and querying host information.[45][46][47]

Netwalker

Netwalker can use WMI to delete Shadow Volumes.[48]

NotPetya

NotPetya can use wmic to help propagate itself across a network.[49][50]

Octopus

Octopus uses wmic.exe for local discovery information.[51]

OilRig

OilRig has used WMI for execution.[52]

Olympic Destroyer

Olympic Destroyer uses WMI to help propagate itself across a network.[53]

OopsIE

OopsIE uses WMI to perform discovery techniques.[54]

PoshC2

PoshC2 has a number of modules that use WMI to execute tasks.[55]

PowerSploit

PowerSploit's Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.[56][57]

POWERSTATS

POWERSTATS can use WMI queries to retrieve data from compromised hosts.[58][46]

POWRUNER

POWRUNER may use WMI when collecting information about a victim.[59]

RATANKBA

RATANKBA uses WMI to perform process monitoring.[60][61]

Remexi

Remexi executes received commands with wmic.exe (for WMI commands). [62]

REvil

REvil can use WMI to monitor for and kill specific processes listed in its configuration file.[63][64]

RogueRobin

RogueRobin uses various WMI queries to check if the sample is running in a sandbox.[65][66]

Soft Cell

Soft Cell used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[67]

Stealth Falcon

Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).[68]

StoneDrill

StoneDrill has used the WMI command-line (WMIC) utility to run tasks.[69]

Sunburst

Sunburst used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.[70]

Threat Group-3390

A Threat Group-3390 tool can use WMI to execute a binary.[71]

UNC2452

UNC2452 used WMI for the remote execution of files for lateral movement.[72][73]

Ursnif

Ursnif droppers have used WMI classes to execute PowerShell commands.[74]

Valak

Valak can use wmic process call create in a scheduled task to launch plugins and for execution.[75]

WannaCry

WannaCry utilizes wmic to delete shadow copies.[76][77][78]

Wizard Spider

Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.[79][80][81][82]

Zebrocy

One variant of Zebrocy uses WMI queries to gather information.[83]

Mitigations

Mitigation Description
Privileged Account Management

Prevent credential overlap across systems of administrator and privileged accounts. [5]

User Account Management

By default, only members of the local Administrators group can connect to WMI remotely: a remote caller needs both DCOM remote launch/activation rights and the Remote Enable permission on the WMI namespace it queries. Restrict which other users are allowed to connect, or disallow remote WMI connections entirely.
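A check a practitioner would want for this mitigation, added here as an example rather than taken from the ATT&CK page: list every principal that holds Remote Enable on a WMI namespace so unexpected grants can be removed. It reads the namespace security descriptor through the __SystemSecurity class (the same call behind the Security dialog in wmimgmt.msc). The allow-list of expected trustees is an assumed policy for illustration; the function must run as a local administrator on the host being audited.

```powershell
# Added example (not from the ATT&CK page): audit who holds "Remote Enable"
# on a WMI namespace. Remote WMI needs both DCOM remote launch/activation
# rights and the WBEM_REMOTE_ACCESS (0x20) bit in the namespace ACL; this
# checks the second. Assumptions: run as a local administrator on the host
# being audited; $AllowedTrustee is an illustrative policy, not a default.

function Get-WmiRemoteEnableGrants {
    [CmdletBinding()]
    param(
        [string] $Namespace = 'root\cimv2',
        # Trustees expected to hold Remote Enable (assumed policy).
        [string[]] $AllowedTrustee = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    # Named bits of the WMI namespace access mask and the ACE type we care about.
    $WBEM_METHOD_EXECUTE = 0x02
    $WBEM_REMOTE_ACCESS  = 0x20
    $ACCESS_ALLOWED_ACE  = 0

    # __SystemSecurity exposes the namespace security descriptor.
    $sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with $($sd.ReturnValue)"
    }

    foreach ($ace in $sd.Descriptor.DACL) {
        # Only allow ACEs grant access; deny ACEs (type 1) cannot open the door.
        if ($ace.AceType -ne $ACCESS_ALLOWED_ACE) { continue }
        if (($ace.AccessMask -band $WBEM_REMOTE_ACCESS) -eq 0) { continue }

        $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
                   else { $ace.Trustee.Name }
        [pscustomobject]@{
            Namespace  = $Namespace
            Trustee    = $trustee
            Sid        = $ace.Trustee.SIDString
            CanExecute = [bool]($ace.AccessMask -band $WBEM_METHOD_EXECUTE)
            Expected   = $AllowedTrustee -contains $trustee
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

# Usage: show the principals that can reach root\cimv2 remotely but are not on
# the expected list. Remove an unwanted grant in wmimgmt.msc (Security tab) or
# with the __SystemSecurity SetSecurityDescriptor method.
Get-WmiRemoteEnableGrants | Where-Object { -not $_.Expected }
```

A trustee that has Remote Enable together with Execute Methods can run Win32_Process.Create from another host, provided it also passes the DCOM access check; members of the Distributed COM Users group pass that check by default, so that group membership is worth reviewing alongside the namespace ACL.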

Detection

Monitor network traffic for WMI connections: an inbound connection to TCP 135 on the target followed by an RPC connection on a dynamic high port from the same source, paired with a network logon (Event ID 4624, logon type 3) on the target. The use of WMI in environments that do not typically use it may be suspect. Processes created through Win32_Process.Create run as children of WmiPrvSE.exe, so a command shell or script interpreter with that parent is a strong signal. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior, such as a /node: switch naming another host. [5]
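The process-monitoring side of that guidance as working detection logic, added here as an example and not part of the ATT&CK page. The function evaluates process-creation records with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, User) and the sample records it runs against are constructed for this example, modelled on the procedure examples above (an interpreter spawned by WmiPrvSE.exe with wmiexec-style output redirection, wmic with /node:, and wmic shadowcopy delete). The trailing comment shows how the same records are built from live Sysmon events.

```powershell
# Added example (not from the ATT&CK page): process-creation rules for the
# detection guidance above, run over constructed sample records that use
# Sysmon Event ID 1 field names. Indicators:
#  (1) a shell or script interpreter whose parent is WmiPrvSE.exe
#      (the lineage left by Win32_Process.Create, local or remote),
#  (2) wmic.exe targeting another host with /node:,
#  (3) wmic.exe used for process creation or shadow-copy deletion.

function Find-SuspiciousWmiActivity {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object[]] $Record)

    begin {
        $interpreters = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'
    }
    process {
        foreach ($e in $Record) {
            $image  = [IO.Path]::GetFileName([string]$e.Image).ToLower()
            $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLower()
            $cmd    = [string]$e.CommandLine
            $hits   = @()

            if ($parent -eq 'wmiprvse.exe' -and $interpreters -contains $image) {
                $hits += 'interpreter spawned by WmiPrvSE.exe (Win32_Process.Create)'
            }
            if ($image -eq 'wmic.exe') {
                # -match is case-insensitive; $Matches holds the named group.
                if ($cmd -match '/node:\s*(?<target>[^\s]+)') {
                    $hits += "wmic targeting remote host $($Matches.target)"
                }
                if ($cmd -match '\bprocess\s+call\s+create\b') { $hits += 'wmic process call create' }
                if ($cmd -match '\bshadowcopy\b.*\bdelete\b')  { $hits += 'wmic shadow copy deletion' }
            }

            foreach ($h in $hits) {
                [pscustomobject]@{
                    Time        = $e.UtcTime
                    Host        = $e.Computer
                    User        = $e.User
                    Parent      = $parent
                    Indicator   = $h
                    CommandLine = $cmd
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). The first two are benign
# administration; the rest model the procedure examples on this page.
$sample = @(
    [pscustomobject]@{ UtcTime='2021-03-01 09:00:01'; Computer='ws01'; User='LAB\alice'
        Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe'
        CommandLine='wmic os get caption' }
    [pscustomobject]@{ UtcTime='2021-03-01 09:00:05'; Computer='ws01'; User='LAB\alice'
        Image='C:\Windows\System32\notepad.exe'; ParentImage='C:\Windows\explorer.exe'
        CommandLine='notepad.exe' }
    [pscustomobject]@{ UtcTime='2021-03-01 09:12:44'; Computer='ws01'; User='LAB\svc-backup'
        Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine='cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1614590000 2>&1' }
    [pscustomobject]@{ UtcTime='2021-03-01 09:13:10'; Computer='ws01'; User='LAB\svc-backup'
        Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe'
        CommandLine='wmic /node:fs02 /user:LAB\svc-backup process call create "powershell -enc SQBFAFgA"' }
    [pscustomobject]@{ UtcTime='2021-03-01 09:20:00'; Computer='ws01'; User='LAB\alice'
        Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe'
        CommandLine='wmic shadowcopy delete' }
)

$sample | Find-SuspiciousWmiActivity | Format-Table Time, User, Indicator, CommandLine -AutoSize

# Against live Sysmon data, build the same records from the event XML:
# Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1 } |
#   ForEach-Object { $x = [xml]$_.ToXml(); $h = @{ Computer = $x.Event.System.Computer }
#     $x.Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }; [pscustomobject]$h } |
#   Find-SuspiciousWmiActivity
```

Of the five sample records the first two produce nothing, the third fires the WmiPrvSE.exe lineage rule, the fourth fires both the /node: and the process call create rules, and the fifth fires the shadow-copy rule. The lineage rule is the one that survives an attacker dropping wmic.exe in favour of PowerShell, Impacket or a custom DCOM client, since every Win32_Process.Create call lands under WmiPrvSE.exe regardless of the tool that issued it.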

References

  1. Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
  2. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  3. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
  4. Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.
  5. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  6. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  7. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  8. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  9. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  10. Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
  11. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  12. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  13. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  14. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  15. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  16. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  17. Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  18. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  19. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  20. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  21. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  22. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  23. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  24. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  25. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  26. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  27. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  28. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  29. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  30. SecureAuth. (n.d.). Retrieved January 15, 2019.
  31. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  32. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  33. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  34. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  35. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  36. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  37. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  38. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  39. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  40. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  41. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
  42. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  43. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  44. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  45. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  46. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  47. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  48. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  49. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  50. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  51. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  52. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  53. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  54. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  55. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  56. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  57. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  58. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  59. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  60. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  61. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  62. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  63. Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  64. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  65. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  66. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  67. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  68. Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  69. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  70. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  71. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  72. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  73. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  74. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  75. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  76. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  77. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  78. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
  79. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  80. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  81. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  82. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  83. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.