Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime. (Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
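As an added defender's check (example code, not from this page or the ATT&CK project): a PowerShell audit that enumerates the WMI event filters, consumers and bindings described above from the root\subscription namespace and shows what each binding would execute when its filter fires. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets and administrative rights on the host being reviewed.

```powershell
# Added audit script (not from the mapping page or MITRE): joins each
# __FilterToConsumerBinding in root\subscription to its __EventFilter and
# __EventConsumer so the reviewer sees the trigger (WQL query) next to the
# payload (command line or script) of every permanent subscription.

$ns = 'root/subscription'

# Get-CimInstance returns reference properties (Filter, Consumer) as CimInstance
# objects; fall back to parsing a WMI path string in case a string comes back.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
# __EventConsumer is the base class, so this returns every consumer type
# (CommandLineEventConsumer, ActiveScriptEventConsumer, NTEventLogEventConsumer, ...)
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # Consumer types that execute commands or scripts are the ones that matter
    # for this technique; show what they would run under WmiPrvSe.exe.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
        default                     { '(consumer does not execute commands or scripts)' }
    }

    [pscustomobject]@{
        Filter       = $fName
        Query        = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $cName
        Payload      = $payload
    }
}
```

A stock Windows install normally carries at least Microsoft's "SCM Event Log Filter" bound to an NTEventLogEventConsumer; any binding whose consumer type is CommandLineEventConsumer or ActiveScriptEventConsumer warrants verification against a known baseline.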
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
AC-3 | Access Enforcement | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
AC-5 | Separation of Duties | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
AC-6 | Least Privilege | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
CM-5 | Access Restrictions for Change | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
CM-6 | Configuration Settings | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1546.003 | Windows Management Instrumentation Event Subscription |