T1047 Windows Management Instrumentation Mappings

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1047 Windows Management Instrumentation
AC-2 Account Management Protects T1047 Windows Management Instrumentation
AC-3 Access Enforcement Protects T1047 Windows Management Instrumentation
AC-5 Separation of Duties Protects T1047 Windows Management Instrumentation
AC-6 Least Privilege Protects T1047 Windows Management Instrumentation
CM-2 Baseline Configuration Protects T1047 Windows Management Instrumentation
CM-5 Access Restrictions for Change Protects T1047 Windows Management Instrumentation
CM-6 Configuration Settings Protects T1047 Windows Management Instrumentation
CM-7 Least Functionality Protects T1047 Windows Management Instrumentation
IA-2 Identification and Authentication (organizational Users) Protects T1047 Windows Management Instrumentation
RA-5 Vulnerability Monitoring and Scanning Protects T1047 Windows Management Instrumentation
SC-3 Security Function Isolation Protects T1047 Windows Management Instrumentation
SC-34 Non-modifiable Executable Programs Protects T1047 Windows Management Instrumentation
SI-16 Memory Protection Protects T1047 Windows Management Instrumentation
SI-2 Flaw Remediation Protects T1047 Windows Management Instrumentation
SI-3 Malicious Code Protection Protects T1047 Windows Management Instrumentation
SI-4 System Monitoring Protects T1047 Windows Management Instrumentation
SI-7 Software, Firmware, and Information Integrity Protects T1047 Windows Management Instrumentation