Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access, and on Server Message Block (SMB) (Citation: Wikipedia SMB) and the Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135 (the RPC endpoint mapper); the DCOM session that carries the WMI calls then continues on a dynamically assigned high port. (Citation: MSDN WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1047 | Windows Management Instrumentation | |
AC-2 | Account Management | Protects | T1047 | Windows Management Instrumentation | |
AC-3 | Access Enforcement | Protects | T1047 | Windows Management Instrumentation | |
AC-5 | Separation of Duties | Protects | T1047 | Windows Management Instrumentation | |
AC-6 | Least Privilege | Protects | T1047 | Windows Management Instrumentation | |
CM-5 | Access Restrictions for Change | Protects | T1047 | Windows Management Instrumentation | |
CM-6 | Configuration Settings | Protects | T1047 | Windows Management Instrumentation | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1047 | Windows Management Instrumentation | |
azure_sentinel | Azure Sentinel | technique_scores | T1047 | Windows Management Instrumentation | The Azure Sentinel Analytics "Gain Code Execution on ADFS Server via Remote WMI Execution" query can detect use of Windows Management Instrumentation on AD FS servers. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect WMI use via Empire, but does not address other procedures. The coverage for these queries is minimal (specific to AD FS and Empire), resulting in an overall Minimal score. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1047 | Windows Management Instrumentation | This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via WMI. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert appears to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. |
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1047 | Windows Management Instrumentation | This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-WmiCommand module, but does not address other procedures, and the temporal factor is unknown, resulting in a Minimal score. |
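The rows above score how well each product notices WMI-based remote execution, and the mapping notes point out two gaps: coverage is tied to specific targets (domain controllers, AD FS) or specific tooling (Empire, PowerSploit), and legitimate administration produces the same events. The following is an added example, not part of the ATT&CK or Security Stack Mappings material, showing the two host-level signals a generic detection can key on: on the machine issuing the command, a command line that drives remote WMI process creation (wmic /node:, Invoke-WmiMethod or Invoke-CimMethod with -ComputerName, or Impacket's wmiexec); on the target, Win32_Process.Create runs inside the WMI provider host, so the spawned process shows up as a child of WmiPrvSE.exe. The sample events are constructed here in the field names Sysmon Event ID 1 uses; the host names, user names and the allowed-user list are invented for illustration.

```python
"""Detection sketch for T1047 (WMI execution) over Sysmon-style process events.

Two signals are checked:
  1. Source side: a command line that invokes remote WMI process creation.
  2. Target side: the new process is a child of WmiPrvSE.exe, because
     Win32_Process.Create executes inside the WMI provider host.
An allow-list of accounts that legitimately do this (the false-positive
case the Defender for Identity note describes) marks findings as suppressed
instead of dropping them, so the audit trail survives.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs): one JSON record per line,
# using Sysmon Event ID 1 field names. Host and user names are invented.
SAMPLE_LOG = r"""
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -nop -c \"Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'cmd.exe /c whoami' -ComputerName FS01\""}
{"Computer": "FS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "WS02", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic os get caption"}
{"Computer": "ADMIN01", "User": "CORP\\svc_sccm", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic /node:FS02 process call create \"cmd.exe /c gpupdate /force\""}
"""

# Source-side: command lines that create a process on another host via WMI.
REMOTE_WMI_PATTERNS = (
    re.compile(r"\bwmic(?:\.exe)?\b.*\s/node:", re.IGNORECASE),
    re.compile(r"\bInvoke-WmiMethod\b.*\s-ComputerName\b", re.IGNORECASE),
    re.compile(r"\bInvoke-CimMethod\b.*\s-(?:ComputerName|CimSession)\b", re.IGNORECASE),
    re.compile(r"\bwmiexec(?:\.py)?\b", re.IGNORECASE),
)

# Target-side: interpreters and LOLBins that a WMI provider host has no
# business launching during ordinary management queries.
WMIPRVSE_SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    image: str
    reasons: tuple
    suppressed: bool = False


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> tuple:
    """Return the detection reasons that apply to one process-creation event."""
    reasons = []
    if (basename(event.get("ParentImage", "")) == "wmiprvse.exe"
            and basename(event.get("Image", "")) in WMIPRVSE_SUSPICIOUS_CHILDREN):
        reasons.append("wmiprvse_spawned_shell")
    if any(p.search(event.get("CommandLine", "")) for p in REMOTE_WMI_PATTERNS):
        reasons.append("remote_wmi_invocation")
    return tuple(reasons)


def detect(log_text: str, allowed_users=frozenset()) -> list:
    """Run the two checks over newline-delimited JSON events.

    Events from accounts in allowed_users are still reported but flagged as
    suppressed, so an analyst can review the allow-list instead of trusting it.
    """
    allowed = {u.lower() for u in allowed_users}
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if not reasons:
            continue
        user = event.get("User", "")
        findings.append(Finding(
            computer=event.get("Computer", ""),
            user=user,
            image=basename(event.get("Image", "")),
            reasons=reasons,
            suppressed=user.lower() in allowed,
        ))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, allowed_users={"CORP\\svc_sccm"}):
        state = "suppressed" if f.suppressed else "ALERT"
        print(f"{state:10} {f.computer:8} {f.user:16} {f.image:16} {', '.join(f.reasons)}")
```

Both signals fire on the same lateral-movement action but on different hosts, which is why the source-side and target-side checks are kept separate: an environment that only collects domain-controller telemetry (the coverage gap the notes above describe) still sees the WmiPrvSE.exe child on the target, while workstation telemetry catches the operator's command line even when the target is a host that was never instrumented.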