{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-management-instrumentation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HPWBEM","SCCM","Windows Management Instrumentation",".NET Framework"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wmi","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Nessus"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of lateral movement within a Windows environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often exploited by adversaries to remotely execute processes, bypassing traditional security measures. This activity is detected by monitoring network connections and process executions, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. The goal is to highlight potential threats indicative of unauthorized lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to initiate a connection to a remote host on port 135.\u003c/li\u003e\n\u003cli\u003eThe svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.\u003c/li\u003e\n\u003cli\u003eWmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker\u0026rsquo;s WMI command.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes the attacker\u0026rsquo;s payload or command on the remote host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eReview and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eIsolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.\u003c/li\u003e\n\u003cli\u003eMonitor network connections with destination port 135 for unusual activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-wmi-lateral-movement/","summary":"Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.","title":"WMI Incoming Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Management Instrumentation","version":"https://jsonfeed.org/version/1.1"}