T1047 Windows Management Instrumentation Mappings

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is the Windows infrastructure for management data and operations: it exposes system components (processes, services, the registry, event logs, shadow copies and more) as CIM classes that programs and administrators can query and invoke through a uniform interface.(Citation: WMI 1-3)

The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).(Citation: WMI 1-3) Remote WMI over DCOM first contacts TCP port 135 (the RPC endpoint mapper) and then continues on a dynamically assigned high port, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI) Network-based controls that only watch port 135 therefore see the DCOM session setup but not the bulk of the traffic.

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.(Citation: Mandiant WMI) For example, wmic.exe can be abused by an adversary with administrative rights to delete shadow copies with the command wmic.exe shadowcopy delete (i.e., Inhibit System Recovery).(Citation: WMI 6) Processes launched through WMI (for instance via the Win32_Process.Create method) are spawned on the target by the WMI provider host, WmiPrvSE.exe, so an unusual child of that process is a common detection point for this technique.

Note: wmic.exe is deprecated as of January 2024, with the WMIC feature being "disabled by default" on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell (the CIM and WMI cmdlets) and tools like wbemtest.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc., so removing wmic.exe narrows the attack surface but does not remove the capability.(Citation: WMI 7,8)
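The following PowerShell script is an added example for a lab or authorized engagement; it is not part of the MITRE mappings page or of the cited sources. It exercises the behaviors described above with the CIM cmdlets that supersede wmic.exe: a local Discovery query, a remote session over either DCOM (TCP/135 plus a dynamic port) or WSMan (TCP/5985 or 5986), command Execution through Win32_Process.Create, the PowerShell equivalent of "wmic shadowcopy delete" run with -WhatIf so nothing is destroyed, and the same Create call through the COM layer. The target name, credential handling, temp-file paths and command line are assumptions.

```powershell
# Added example (not from the mappings page): exercising T1047 with the CIM
# cmdlets that replace wmic.exe. ComputerName, Command and the output paths are
# assumptions; run only against systems you are authorized to test.
#Requires -Version 5.1
param(
    [string]$ComputerName = 'localhost',   # assumed lab target
    [string]$Command      = 'cmd.exe /c whoami > C:\Windows\Temp\wmi_t1047.txt',
    [ValidateSet('Dcom', 'Wsman')]
    [string]$Protocol     = 'Dcom'
)

# Discovery, local (no network traffic): a typical first WMI query.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Local host: {0} {1} (build {2})" -f $os.CSName, $os.Caption, $os.BuildNumber

# Remote session. DCOM contacts TCP/135 (RPC endpoint mapper) and then moves
# to a dynamic high port; WSMan uses TCP/5985 (HTTP) or 5986 (HTTPS).
$opt = if ($Protocol -eq 'Dcom') {
    New-CimSessionOption -Protocol Dcom
} else {
    New-CimSessionOption -Protocol Wsman
}
$session = New-CimSession -ComputerName $ComputerName -SessionOption $opt

try {
    # Execution: Win32_Process.Create starts the command on the target as a
    # child of WmiPrvSE.exe. ReturnValue 0 means success.
    $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
        -MethodName Create -Arguments @{ CommandLine = $Command }
    "Win32_Process.Create ReturnValue={0} ProcessId={1}" -f $result.ReturnValue, $result.ProcessId

    # Inhibit System Recovery: the CIM equivalent of "wmic shadowcopy delete".
    # -WhatIf only lists the instances that would be removed; remove it to
    # actually delete them (destructive, administrative rights required).
    Get-CimInstance -CimSession $session -ClassName Win32_ShadowCopy |
        Remove-CimInstance -WhatIf

    # The same Create call through the COM layer ([wmiclass] wraps
    # System.Management, which talks to WMI over DCOM).
    $proc = [wmiclass]"\\$ComputerName\root\cimv2:Win32_Process"
    $com  = $proc.Create('cmd.exe /c echo com-path > C:\Windows\Temp\wmi_com.txt')
    "COM path ReturnValue={0} ProcessId={1}" -f $com.ReturnValue, $com.ProcessId
}
finally {
    Remove-CimSession -CimSession $session
}
```

Run it once with -Protocol Dcom and once with -Protocol Wsman while capturing traffic on the target: the first shows the 135-then-dynamic-port pattern, the second a single connection to 5985. On the target, both Create calls produce a cmd.exe whose parent is WmiPrvSE.exe, which is the relationship the detection rows below rely on.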


NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1047 Windows Management Instrumentation
CM-05 Access Restrictions for Change mitigates T1047 Windows Management Instrumentation
AC-17 Remote Access mitigates T1047 Windows Management Instrumentation
SC-03 Security Function Isolation mitigates T1047 Windows Management Instrumentation
SI-16 Memory Protection mitigates T1047 Windows Management Instrumentation
SI-02 Flaw Remediation mitigates T1047 Windows Management Instrumentation
RA-05 Vulnerability Monitoring and Scanning mitigates T1047 Windows Management Instrumentation
SI-03 Malicious Code Protection mitigates T1047 Windows Management Instrumentation
SI-07 Software, Firmware, and Information Integrity mitigates T1047 Windows Management Instrumentation
CM-02 Baseline Configuration mitigates T1047 Windows Management Instrumentation
IA-02 Identification and Authentication (Organizational Users) mitigates T1047 Windows Management Instrumentation
CM-07 Least Functionality mitigates T1047 Windows Management Instrumentation
SI-04 System Monitoring mitigates T1047 Windows Management Instrumentation
AC-02 Account Management mitigates T1047 Windows Management Instrumentation
AC-03 Access Enforcement mitigates T1047 Windows Management Instrumentation
AC-05 Separation of Duties mitigates T1047 Windows Management Instrumentation
AC-06 Least Privilege mitigates T1047 Windows Management Instrumentation
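The script below is an added example, not part of the Center for Threat-Informed Defense mappings, that turns several of the rows above into a read-only audit of one host: CM-07 Least Functionality (is the deprecated WMIC shim still installed), AC-17 Remote Access (WinRM listeners and the inbound firewall rules for WMI and WinRM), AC-02/AC-06 (who can reach WMI remotely through the Administrators, Remote Management Users and Distributed COM Users groups) and SI-04 System Monitoring (processes created by WmiPrvSE.exe and recent WMI-Activity events). It assumes an elevated Windows PowerShell 5.1 session, that command-line auditing for event 4688 is enabled, a 24-hour look-back window, and that the WMIC optional capability is named WMIC~~~~ as it is on Windows 11 24H2.

```powershell
# Added example (not from the mappings page): read-only audit of the WMI
# attack surface for CM-07, AC-17, AC-02/AC-06 and SI-04. Assumptions: run
# elevated, 4688 command-line auditing enabled, 24h window, WMIC capability
# name 'WMIC~~~~'.
#Requires -RunAsAdministrator
$report = [ordered]@{}
$since  = (Get-Date).AddHours(-24)

# CM-07 Least Functionality: is the deprecated wmic.exe still present?
$wmicCap = Get-WindowsCapability -Online -Name 'WMIC~~~~' -ErrorAction SilentlyContinue
$report['WMIC optional capability'] = if ($wmicCap) { $wmicCap.State } else { 'not an optional capability on this build' }
$report['wmic.exe on disk']         = Test-Path "$env:SystemRoot\System32\wbem\WMIC.exe"

# AC-17 Remote Access: which WMI transports does this host expose?
$report['WinRM service'] = (Get-Service -Name WinRM).Status
$listeners = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ChildItem $_.PSPath | Where-Object { $_.Name -in 'Address', 'Transport', 'Port' }
    ($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
}
$report['WinRM listeners'] = if ($listeners) { $listeners -join '; ' } else { 'none' }

foreach ($group in 'Windows Management Instrumentation (WMI)', 'Windows Remote Management') {
    $enabled = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    $report["Enabled inbound firewall rules: $group"] = @($enabled).Count
}

# AC-02 / AC-06: who can use WMI remotely? Local admins always can; the other
# two groups grant WinRM and DCOM access without full administrative rights.
foreach ($grp in 'Administrators', 'Remote Management Users', 'Distributed COM Users') {
    $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    $report["Members of $grp"] = if ($members) { $members -join ', ' } else { 'none' }
}

# SI-04 System Monitoring: processes spawned by the WMI provider host. 4688
# carries 'Creator Process Name' on Windows 10+ when auditing is enabled.
$spawned = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\WmiPrvSE\.exe' } |
    ForEach-Object {
        ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*New Process Name:' }) -replace '^\s*New Process Name:\s*', ''
    }
$report['Processes created by WmiPrvSE.exe (24h)'] = @($spawned).Count
$report['Distinct children of WmiPrvSE.exe']        = ($spawned | Sort-Object -Unique) -join ', '

# WMI-Activity operational log: 5857 = provider loaded, 5860 = temporary
# event subscription, 5861 = permanent event subscription.
$activity = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5857, 5860, 5861; StartTime = $since
    } -ErrorAction SilentlyContinue
$report['WMI-Activity 5857/5860/5861 events (24h)'] = @($activity).Count

[pscustomobject]$report | Format-List
```

Read the output against the mapping: a host with wmic.exe present, WinRM listening on all addresses, enabled inbound WMI and WinRM rules, a populated Remote Management Users group and no WMI-Activity events is exposing the full technique with no visibility into it. Scoping the firewall rules to management subnets, emptying the two remote-access groups, removing the WMIC capability and forwarding 4688 plus the WMI-Activity log to a SIEM are the concrete changes the CM-07, AC-17, AC-06 and SI-04 rows describe.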

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1047 Windows Management Instrumentation
action.hacking.vector.Command shell Remote shell related-to T1047 Windows Management Instrumentation
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1047 Windows Management Instrumentation