Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management.(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.(Citation: Mandiant WMI) For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).(Citation: WMI 6)
Note: wmic.exe is deprecated as of January 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1047 | Windows Management Instrumentation | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Windows Management Instrumentation (WMI) attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
WMI attacks leverage the Windows Management Instrumentation service to gather information about a system, execute commands, or establish persistence. Adversaries can use WMI to execute malicious scripts or commands remotely, collect system information, and even automate tasks on a compromised machine. These attacks are often stealthy, as WMI operations can be run in the background without triggering obvious alerts. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, allowing security teams to detect suspicious WMI activity, such as unauthorized process creation or command execution.
Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, providing faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as the use of WMI for unauthorized system interaction or automation of malicious tasks, ensuring a proactive defense against these stealthy techniques.
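As an added illustration (not part of the ATT&CK entry or of the Intel/CrowdStrike mapping), the following Python snippet shows the kind of process-creation check a defender would run to surface the behaviours described above: the wmic.exe Shadowcopy Delete example from the technique description, and the "unauthorized process creation or command execution" the comments mention. The sample events are constructed; the field names and the rule keyed on WmiPrvSE.exe (the WMI provider host, which is the parent of commands launched through WMI's process-creation provider) are assumptions of this example, not something the page states.

```python
"""Added example: flag WMI-based execution in Windows process-creation telemetry.

The events below are constructed for illustration (not real logs). The three fields
mirror what Sysmon Event ID 1 / Security 4688 provide: image, parent image, command line.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass(frozen=True)
class Finding:
    severity: str       # "high" or "low"
    rule: str
    event: ProcessEvent


# Shell and script hosts that the WMI provider host should rarely spawn in normal use.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
               "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Matches "shadowcopy delete" regardless of case or extra arguments in between.
SHADOWCOPY_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)


def _basename(path: str) -> str:
    """Case-insensitive basename of a Windows path."""
    return ntpath.basename(path).lower()


def classify(ev: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event looks like WMI abuse, else None.

    Rules, most specific first:
    1. wmic.exe deleting shadow copies (the Inhibit System Recovery example).
    2. A shell or script host spawned by WmiPrvSE.exe; commands run through WMI's
       process-creation provider appear this way whether issued locally or remotely
       over DCOM or WinRM (assumption of this example).
    3. Any other wmic.exe use: low severity, because WMIC is deprecated and disabled
       by default on Windows 11+, so its presence on a modern host merits review.
    """
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)

    if image == "wmic.exe" and SHADOWCOPY_DELETE.search(ev.command_line):
        return Finding("high", "wmic shadowcopy delete (Inhibit System Recovery)", ev)
    if parent == "wmiprvse.exe" and image in SHELL_HOSTS:
        return Finding("high", "shell/script host spawned by WMI provider host", ev)
    if image == "wmic.exe":
        return Finding("low", "deprecated WMIC invocation", ev)
    return None


def scan(events: list) -> list:
    """Run classify() over a batch and keep only the hits, preserving event order."""
    return [f for f in (classify(ev) for ev in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "wmic.exe Shadowcopy Delete"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "wmic.exe os get caption,version"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe",
                 "notepad.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "WmiPrvSE.exe -secured -Embedding"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.rule}: {f.event.command_line}")
```

Run against the constructed batch, the scan reports the shadow-copy deletion and the cmd.exe child of WmiPrvSE.exe as high, the discovery-style WMIC query as low, and ignores the two benign events. The WmiPrvSE.exe parent rule is worth pairing with network telemetry on TCP 135 (DCOM) and 5985/5986 (WinRM), since a provider-host child with a matching inbound connection distinguishes remote WMI execution from local use.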