# T1047 Windows Management Instrumentation

-----------------------------------------------------------------------

## Technique Description

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

## Technique Detection

Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior. (Citation: FireEye WMI 2015)

-----------------------------------------------------------------------

### Tactics:

  *   Execution

### Platforms:

  * Windows

### Data Sources:

  * **Process:** Process Creation

  * **Command:** Command Execution

  * **Network Traffic:** Network Connection Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has executed PowerShell scripts via WMI.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)| 
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used WMIC to execute commands on remote computers.(Citation: Symantec WastedLocker June 2020) | 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used WMI for the remote execution of files for lateral movement.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used WMI to execute commands.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used WMIC to execute remote commands.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)| 
| Windshift | [Windshift](https://attack.mitre.org/groups/G0112) has used WMI to collect information about target machines.(Citation: BlackBerry Bahamut)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used wmic.exe to set environment variables.(Citation: RedCanary Mockingbird May 2020)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI and LDAP queries for network discovery and to move laterally.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has used WMI queries to check if various security applications were running, as well as the operating system version.(Citation: Talos Frankenstein June 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via [PowerSploit](https://attack.mitre.org/software/S0194).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.(Citation: Cybereason Soft Cell June 2019)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used WMI for execution.(Citation: Proofpoint Leviathan Oct 2017)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that leveraged WMI for execution and querying host information.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Talos MuddyWater May 2019)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061)'s malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. [FIN8](https://attack.mitre.org/groups/G0061) has also used WMIC for lateral movement as well as during and post compromise cleanup activities.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) used WMI to deploy their tools on remote machines and to gather information about the Outlook process.(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used WMI for execution.(Citation: FireEye APT34 Webinar Dec 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used WMI to execute scripts used for discovery.(Citation: CERT-EE Gamaredon January 2021)| 
| FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used WMI to install malware on targeted systems.(Citation: eSentire FIN7 July 2021)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Github AD-Pentest-Script)(Citation: Symantec Cicada November 2020)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers system information via Windows Management Instrumentation (WMI).(Citation: Citizen Lab Stealth Falcon May 2016)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has used WMI to automate the remote execution of PowerShell scripts.(Citation: Security Intelligence More Eggs Aug 2019)	| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used VBScript to run WMI queries.(Citation: Dragos Crashoverride 2018) | 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: ClearSky Lazarus Aug 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Qualys LolZarus)| 
| Threat Group-3390 | A [Threat Group-3390](https://attack.mitre.org/groups/G0027) tool can use WMI to execute a binary.(Citation: Nccgroup Emissary Panda May 2018)| 
| Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used WMIC.exe for lateral movement.(Citation: Bitdefender Naikon April 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used WMI to steal credentials and execute backdoors at a future time.(Citation: Mandiant No Easy Breach) They have also used WMI for the remote execution of files for lateral movement.(Citation: Microsoft 365 Defender Solorigate)(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Deep Panda | The [Deep Panda](https://attack.mitre.org/groups/G0009) group is known to utilize WMI for lateral movement.(Citation: Alperovitch 2014)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1047)

  * [Fireeye Wmi 2015](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf), Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.

  * [Fireeye Wmi Sans 2015](https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf), Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020.

  * [Msdn Wmi](https://msdn.microsoft.com/en-us/library/aa394582.aspx), Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 14 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as backdoor execution, gathering information for Discovery, and remote Execution of files as part of Lateral Movement.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Adversary | x | x |

#### APT29
- Used WMI to steal credentials and execute backdoors at a future time.

## Detection Blindspots

- Sensor placement may play a role in not being able to identify this TTP
- On-the-wire WMI traffic is commonly encrypted and network flow logs carry only connection metadata, so WMI blends into standard DCOM/PSRemoting traffic and can produce a high volume of false negatives. This, along with minimal logging and limited defender knowledge of WMI, is yet another reason why attackers love WMI.
- Security analysts and other network defenders occasionally struggle with WMI process ancestry. For example, malicious activity traced back to the WMI Provider Host, WMIPrvSE.exe, leads to a dead end in the process tree. On a local host, this may mean a WMI Event Consumer was used for persistence.


## Analytical References

  * [No Easy Breach](https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016)
  * [Using Microsoft 365 Defender to Protect Against Solorigate](https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/)
  * [Deep Dive Into solorigate](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
  * [SUNBURST Backdoor](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)
  * [Redcanary Threat Detection Report](https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/)
  * [WMIC](https://ss64.com/nt/wmic.html)
  * [Microsoft - WMIC Documentation](https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic)
  * [What is WMI Provider Host wmiprvse.exe](https://www.howtogeek.com/332838/what-is-the-wmi-provider-host-wmiprvse.exe-and-why-is-it-using-so-much-cpu/)
  * [WMI Backdoors](https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/)
  * [Splunk - WMI](https://conf.splunk.com/files/2019/slides/SEC1550.pdf)
  * [Zeek Bzar](https://github.com/mitre-attack/bzar)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- WMI can commonly be leveraged by adversaries with PowerShell (T1086), WMI Event Subscription (T1084), and XSL Script Processing (T1220).
- Monitoring WMIPrvSE.exe for abnormal child processes, such as PowerShell or cmd.exe, is a reliable way to detect malice.
- Looking for unusual parent-child relationships combined with unusual command-line parameters is another solid indicator of malice. It should be rare for something like the IIS worker process (w3wp.exe) to spawn wmic.exe.
- It is also rare for browsers (IE, Edge, Chrome, Firefox, etc.) to spawn wmic.exe.
- WMI can be stealthily used in almost every phase of an attack. When adversaries leverage it to enumerate local user accounts and profile devices, security teams can detect it by looking for things such as wmic.exe profiling user accounts, domain information, or even PowerShell querying the operating system or executing new processes, either locally or remotely. Cmdlets such as Get-WMIObject are often used for reconnaissance.

#### Analytic 1

  * **Information:** Suspicious process spawning from WMIC

  * **Source:**  Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** “it’s almost always malicious when wmic.exe spawns” these processes. Examine chain of execution and follow-on activity when this occurs.

  * **Query:** ```ParentProcess : wmic.exe AND process : (winword.exe OR powerpnt.exe OR mspub.exe OR visio.exe OR msaccess.exe OR outlook.exe OR onenote.exe OR wordpad.exe OR excel.exe)```

#### Analytic 2

  * **Information:** “Win32_Process create” is rarely used for legitimate reasons and should be regarded with suspicion.

  * **Source:**  Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 
  
  * **Query:** ```Event_ID : 1 AND process : wmic.exe AND commandLine: *Win32_Process create*```

#### Analytic 3

  * **Information:** Can be indicative of ransomware

  * **Source:**  Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 
  
  * **Query:** ```Event_ID : 1 AND process : wmic.exe AND commandLine: *shadowcopy delete*```

#### Analytic 4

  * **Information:** Event_ID 24 is a new SYSMON addition (v12) that logs data copied to the clipboard

  * **Source:**  Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 
  
  * **Query:** ```Event_ID: 24 AND process : wmic.exe```

#### Analytic 5

  * **Information:** Event ID 5861 (Microsoft-Windows-WMI-Activity/Operational) generates a permanent record of WMI event subscriptions.

  * **Source:**  Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** (More information could be found in T1546.003)
  
  * **Query:** ```Event_ID: 5861```

#### Analytic 6

  * **Information:** While this query has a high false-positive rate, there is still value in identifying every instance of WMIC being run, particularly if the target network is not expected to use it.

  * **Source:**  Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** See hunter notes for additional analysis.
  
  * **Query:** ```Event_ID : 1 AND process : wmic.exe```
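The hunter notes and Analytics 1 through 6 above are all parent/child and command-line rules over process-creation telemetry. The block below is an added example (not from the MITRE page, the playbook, or Red Canary) that applies those rules to a constructed set of Sysmon Event ID 1 and 24 records plus one WMI-Activity 5861 record; the field names follow Sysmon's schema, the rule names and the sample events are my own, and the `process call create` alias form is wmic's own spelling of a `Win32_Process` `Create` call.

```python
import ntpath
import re
from typing import Iterable

# Constructed sample records (not real telemetry). Sysmon Event ID 1 and 24
# records carry Image/ParentImage/CommandLine; the single 5861 record stands
# in for a Microsoft-Windows-WMI-Activity/Operational event, which has no Image.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'wmic process call create "cmd.exe /c whoami"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Process"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wmic os get version"},  # routine admin use: baseline only
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "wmic computersystem get domain"},
    {"EventID": 24, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": ""},
    {"EventID": 5861, "Image": "", "ParentImage": "", "CommandLine": ""},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "excel.exe"},
]

OFFICE = {"winword.exe", "powerpnt.exe", "mspub.exe", "visio.exe", "msaccess.exe",
          "outlook.exe", "onenote.exe", "wordpad.exe", "excel.exe"}
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Matches both the class form ("path win32_process call create") and the
# wmic alias form ("process call create").
PROCESS_CREATE = re.compile(r"win32_process.*\bcreate\b|\bprocess\s+call\s+create\b")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the field is empty)."""
    return ntpath.basename(path).lower()


def classify(ev: dict) -> list[str]:
    """Return the names of every hunter-note (HN_) or analytic (A1..A6) rule the event satisfies."""
    img, parent = base(ev.get("Image", "")), base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits: list[str] = []
    if ev["EventID"] == 5861:                       # Analytic 5: permanent subscription record
        return ["A5_wmi_event_subscription"]
    if ev["EventID"] == 24:                         # Analytic 4: Sysmon clipboard capture
        return ["A4_wmic_clipboard"] if img == "wmic.exe" else []
    if ev["EventID"] != 1:
        return hits
    if parent == "wmiprvse.exe" and img in SHELLS:  # hunter note: WmiPrvSE spawning a shell
        hits.append("HN_wmiprvse_spawns_shell")
    if img == "wmic.exe":
        hits.append("A6_wmic_baseline")             # Analytic 6: high FP, inventory only
        if parent == "w3wp.exe" or parent in BROWSERS:
            hits.append("HN_unusual_parent_of_wmic")
        if PROCESS_CREATE.search(cmd):              # Analytic 2
            hits.append("A2_wmic_process_create")
        if "shadowcopy delete" in cmd:              # Analytic 3
            hits.append("A3_wmic_shadowcopy_delete")
    if parent == "wmic.exe" and img in OFFICE:      # Analytic 1
        hits.append("A1_wmic_spawns_office")
    return hits


def triage(events: Iterable[dict]) -> dict[str, list[int]]:
    """Map each rule name to the indexes of the events that fired it."""
    out: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for name in classify(ev):
            out.setdefault(name, []).append(i)
    return out


if __name__ == "__main__":
    for name, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name:30} events {idx}")
```

The baseline rule (A6) fires on every wmic.exe record, including the routine `os get version` from explorer.exe, which is the high false-positive inventory the notes describe; the higher-confidence rules stack on top of it, so an event carrying three rule names (the w3wp.exe case) is the one to pull the execution chain for first.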



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Host logs will be the best source for identifying this TTP while the network activity will provide supporting evidence to confirm what a specific host may be doing.
- Zeek provides dce_rpc.log and conn.log for more in-depth analysis (use this tool if it is available).

#### Analytic 1

  * **Information:** 

  * **Source:** PCAP

  * **Tool:** Arkime, Zeek

  * **Notes:** Use the Zeek Bzar link to guide in what commands should be focused on.

  * **Query Arkime:** 
    - `protocols == dcerpc && dcerpc.cmd == [modify as needed]`
  * **Query Zeek:** 
    - Analyze dce_rpc.log
        * ts - date time stamp
        * endpoint - endpoint name looked up from UUID
        * operation - operation seen in call
    - Analyze conn.log
        * uid - unique identifier of connection
        * service - application protocol ID sent over connection
        * resp_bytes - number of payload bytes responder sent
        * history - connection state history
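As an added example of the dce_rpc.log and conn.log analysis just described (not code from the playbook, Zeek, or BZAR), the block below parses both logs from their `#fields` header, joins them on `uid`, and reports the DCE-RPC calls that correspond to remote WMI execution. The log text is constructed in Zeek's tab-separated layout with only the conn.log columns used here; the endpoint/operation pair `IWbemServices` / `ExecMethod` (and `ExecMethodAsync`) is what I understand BZAR to flag for T1047, which is an assumption to confirm against the BZAR source before relying on it.

```python
from collections import defaultdict

# Constructed Zeek logs (not captured from a real network). dce_rpc.log keeps
# Zeek's full column set; conn.log is trimmed to the columns the join uses.
DCE_RPC_LOG = """\
#separator \\x09
#path\tdce_rpc
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
#types\ttime\tstring\taddr\tport\taddr\tport\tinterval\tstring\tstring\tstring
1655971200.101\tCAbc1\t10.0.0.5\t50121\t10.0.0.20\t135\t0.001\t135\tepmapper\tept_map
1655971200.205\tCAbc2\t10.0.0.5\t50122\t10.0.0.20\t49670\t0.002\t49670\tIWbemLevel1Login\tNTLMLogin
1655971200.310\tCAbc2\t10.0.0.5\t50122\t10.0.0.20\t49670\t0.002\t49670\tIWbemServices\tExecMethod
1655971250.000\tCAbc3\t10.0.0.7\t50300\t10.0.0.20\t49670\t0.001\t49670\tIWbemServices\tExecQuery
#close\t2022-06-23-09-00-00
"""

CONN_LOG = """\
#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tresp_bytes\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tstring
1655971200.100\tCAbc1\t10.0.0.5\t50121\t10.0.0.20\t135\ttcp\tdce_rpc\t412\tShADadfF
1655971200.200\tCAbc2\t10.0.0.5\t50122\t10.0.0.20\t49670\ttcp\tdce_rpc\t1860\tShADadfF
1655971250.000\tCAbc3\t10.0.0.7\t50300\t10.0.0.20\t49670\ttcp\tdce_rpc\t920\tShADadfF
"""

# Assumed T1047 indicators (see lead-in): WMI method execution over DCOM.
WMI_EXEC_OPS = {("IWbemServices", "ExecMethod"), ("IWbemServices", "ExecMethodAsync")}


def parse_zeek_tsv(text: str) -> list[dict]:
    """Parse Zeek's TSV log format, taking column names from the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                       # #separator, #path, #types, #close, blanks
        else:
            if fields is None:
                raise ValueError("record seen before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_wmi_exec(dce_rows: list[dict], conn_rows: list[dict]) -> list[dict]:
    """Return WMI execution calls from dce_rpc.log, enriched with conn.log fields via uid."""
    conn_by_uid = {r["uid"]: r for r in conn_rows}
    hits = []
    for r in dce_rows:
        if (r["endpoint"], r["operation"]) in WMI_EXEC_OPS:
            c = conn_by_uid.get(r["uid"], {})
            hits.append({
                "ts": r["ts"], "uid": r["uid"],
                "orig": r["id.orig_h"], "resp": r["id.resp_h"], "resp_p": r["id.resp_p"],
                "endpoint": r["endpoint"], "operation": r["operation"],
                "service": c.get("service", "-"),
                "resp_bytes": c.get("resp_bytes", "-"),
                "history": c.get("history", "-"),
            })
    return hits


def wmi_sessions_by_origin(dce_rows: list[dict]) -> dict[str, list[str]]:
    """Map each originating host to the connections on which it touched any IWbem* endpoint.
    Useful for the baseline question: which hosts talk WMI over the wire at all?"""
    sessions: dict[str, set[str]] = defaultdict(set)
    for r in dce_rows:
        if r["endpoint"].startswith("IWbem"):
            sessions[r["id.orig_h"]].add(r["uid"])
    return {host: sorted(uids) for host, uids in sessions.items()}


if __name__ == "__main__":
    dce, conn = parse_zeek_tsv(DCE_RPC_LOG), parse_zeek_tsv(CONN_LOG)
    for h in find_wmi_exec(dce, conn):
        print(f'{h["ts"]} {h["orig"]} -> {h["resp"]}:{h["resp_p"]} '
              f'{h["endpoint"]}::{h["operation"]} service={h["service"]} '
              f'resp_bytes={h["resp_bytes"]} history={h["history"]}')
    print("WMI talkers:", wmi_sessions_by_origin(dce))
```

The `ExecQuery` call from 10.0.0.7 is deliberately left out of the execution hits: it is a WQL read that is routine for monitoring agents, but the host still appears in the `wmi_sessions_by_origin` baseline, which is where the "WMI in environments that do not typically use WMI" check from the detection guidance belongs. The endpoint mapper call on port 135 shows why matching on the port alone is not enough; the WMI interfaces themselves are bound on the dynamic port that follows.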