Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker uses WMI to initiate a connection to a remote host on port 135.
3. The svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.
4. WmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker’s WMI command.
5. The spawned process executes the attacker’s payload or command on the remote host.
6. The attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.

Impact

Successful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.

Recommendation

• Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.
• Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.
• Review and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.
• Isolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.
• Monitor network connections with destination port 135 for unusual activity.