1. Home
  2. ATT&CK Techniques
  3. T1047 Windows Management Instrumentation

T1047 Windows Management Instrumentation Mappings

Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1047 Windows Management Instrumentation
AC-2 Account Management Protects T1047 Windows Management Instrumentation
AC-3 Access Enforcement Protects T1047 Windows Management Instrumentation
AC-5 Separation of Duties Protects T1047 Windows Management Instrumentation
AC-6 Least Privilege Protects T1047 Windows Management Instrumentation
CM-5 Access Restrictions for Change Protects T1047 Windows Management Instrumentation
CM-6 Configuration Settings Protects T1047 Windows Management Instrumentation
IA-2 Identification and Authentication (organizational Users) Protects T1047 Windows Management Instrumentation
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1047 Windows Management Instrumentation
action.hacking.vector.Command shell Remote shell related-to T1047 Windows Management Instrumentation
action.malware.vector.Direct install Directly installed or inserted by threat agent (after system access) related-to T1047 Windows Management Instrumentation