Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)
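The description above names two observables a defender can build on: remote WMI execution hands work to the WMI provider host (WmiPrvSE.exe), so processes it spawns are a primary signal, and the RPC leg of remote WMI starts with a connection to port 135. The following is an added example, not code from the ATT&CK page or from MITRE, that runs both checks over constructed Sysmon-style records (Event ID 1 process creation and Event ID 3 network connection fields); the sample events, host names and the `management_hosts` allowlist are all assumptions made for the example.

```python
"""Detection logic for WMI-based execution over constructed Sysmon-style events.

Added example, not part of the ATT&CK page. Assumptions:
- Events are dicts carrying Sysmon field names (EventID, Computer, Image,
  ParentImage, CommandLine, DestinationPort, Initiated, ...).
- A process created through WMI (Win32_Process.Create) has WmiPrvSE.exe as
  its parent, and remote WMI begins with an RPC endpoint-mapper connection
  on port 135, as the technique description states.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Script and LOLBin hosts that rarely have a legitimate reason to be started
# by the WMI provider host; tune this set to the environment's baseline.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RPC_ENDPOINT_MAPPER_PORT = 135


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    detail: str


def _image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: Iterable[dict], management_hosts: Set[str]) -> List[Finding]:
    """Apply the two WMI-related rules to a stream of events.

    management_hosts: computers that are expected to initiate remote WMI/RPC
    (admin jump hosts, monitoring servers); port-135 connections from them
    are not reported.
    """
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            parent = _image_name(ev.get("ParentImage", ""))
            image = _image_name(ev.get("Image", ""))
            if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
                findings.append(Finding(
                    "wmi_spawned_script_host", ev["Computer"],
                    f"{image} started by WmiPrvSE.exe: {ev.get('CommandLine', '')}"))
        elif eid == 3:
            if (ev.get("Initiated") is True
                    and ev.get("DestinationPort") == RPC_ENDPOINT_MAPPER_PORT
                    and ev["Computer"] not in management_hosts):
                findings.append(Finding(
                    "rpc_epm_from_unmanaged_host", ev["Computer"],
                    f"{ev.get('SourceIp')} -> {ev.get('DestinationIp')}:135 "
                    f"by {ev.get('Image')}"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c hostname"},                       # flagged
    {"EventID": 1, "Computer": "WS-042",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Program Files\Vendor\inventory.exe",
     "CommandLine": "inventory.exe --scan"},                      # benign agent
    {"EventID": 1, "Computer": "WS-042",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                            # user shell
    {"EventID": 3, "Computer": "WS-017", "Initiated": True,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "SourceIp": "10.0.5.17", "DestinationIp": "10.0.5.42",
     "DestinationPort": 135},                                     # flagged
    {"EventID": 3, "Computer": "ADMIN-JUMP01", "Initiated": True,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceIp": "10.0.1.10", "DestinationIp": "10.0.5.42",
     "DestinationPort": 135},                                     # allowlisted
]


def run_sample() -> List[Finding]:
    """Run the rules over the constructed sample with one allowlisted admin host."""
    return detect(SAMPLE_EVENTS, management_hosts={"ADMIN-JUMP01"})


if __name__ == "__main__":
    for finding in run_sample():
        print(f"[{finding.rule}] {finding.computer}: {finding.detail}")
```

The port-135 rule is intentionally coarse: DCOM and other RPC clients also use the endpoint mapper, so in practice it is a baselining signal (which hosts talk RPC to which) rather than an alert on its own, while the WmiPrvSE.exe parent rule is precise enough to page on once the environment's management agents are excluded.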
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-17 | Remote Access | Protects | T1047 | Windows Management Instrumentation | |
| AC-2 | Account Management | Protects | T1047 | Windows Management Instrumentation | |
| AC-3 | Access Enforcement | Protects | T1047 | Windows Management Instrumentation | |
| AC-5 | Separation of Duties | Protects | T1047 | Windows Management Instrumentation | |
| AC-6 | Least Privilege | Protects | T1047 | Windows Management Instrumentation | |
| CM-5 | Access Restrictions for Change | Protects | T1047 | Windows Management Instrumentation | |
| CM-6 | Configuration Settings | Protects | T1047 | Windows Management Instrumentation | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1047 | Windows Management Instrumentation | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1047 | Windows Management Instrumentation | |
| action.hacking.vector.Command shell | Remote shell | related-to | T1047 | Windows Management Instrumentation | |
| action.malware.vector.Direct install | Directly installed or inserted by threat agent (after system access) | related-to | T1047 | Windows Management Instrumentation | |