Applied Cybernetics Group
T1047 — Windows Management Instrumentation
- Technique: T1047
- Tactics: Execution
- MISP citations: 0
- KEV CVEs mapped: 2
- Community rules: 51
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1047
MITRE description
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)

**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being “disabled by default” on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Blue Mockingbird (emerging-threats)
- Blue Mockingbird - Registry (emerging-threats)
- Potential Maze Ransomware Activity (emerging-threats)
- UNC2452 PowerShell Pattern (emerging-threats)
- WMI Module Loaded By Uncommon Process (threat-hunting)
- Remote DCOM/WMI Lateral Movement (core)
- MITRE BZAR Indicators for Execution (core)
- Successful Account Login Via WMI (core)
- T1047 Wmiprvse Wbemcomn DLL Hijack (core)
- PSExec and WMI Process Creations Block (core)
- Wmiexec Default Output File (core)
- Wmiprvse Wbemcomn DLL Hijack - File (core)
- Wmiprvse Wbemcomn DLL Hijack (core)
- WMI Event Consumer Created Named Pipe (core)
- WMIC Unquoted Services Path Lookup - PowerShell (core)
- WMImplant Hack Tool (core)
- Suspicious Autorun Registry Modified via WMI (core)
- HTML Help HH.EXE Suspicious Child Process (core)
- Suspicious HH.EXE Execution (core)
- HackTool - CrackMapExec Execution Patterns (core)
- HackTool - CrackMapExec Execution (core)
- HackTool - Potential Impacket Lateral Movement Activity (core)
- Suspicious Microsoft Office Child Process (core)
- RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (core)
- Script Event Consumer Spawning Process (core)
Showing 25 of 51 community rules — the full set is tagged attack.t1047 in SigmaHQ.