Windows Management Instrumentation (WMI) remains widely abused by threat actors for remote execution, lateral movement, and persistence. Understanding how it is exploited, and how that activity can be detected, is crucial for defenders.
Key Attack Vectors via WMI
- Remote Command Execution: Attackers use `wmic.exe` or WMI classes like `Win32_Process` to execute malicious payloads.
- Lateral Movement: WMI enables moving across systems via remote process creation.
- Persistence: Malicious WMI event subscriptions (`__EventFilter`, `__EventConsumer`, `__FilterToConsumerBinding`) allow long-term access.
Critical Artifacts for Detection
- Processes: Monitor `WMIC.exe` and `WmiPrvSE.exe` spawning suspicious child processes (e.g., `powershell.exe`, `cmd.exe`).
- DLLs: Watch for loading of WMI-related DLLs (`wbemprox.dll`, `wbemcomn.dll`, `wbemsvc.dll`, `fastprox.dll`).
- Network Activity: Initial RPC connections on port 135, followed by dynamic high ports.
- Logon Events: Type 3 (network) logons with elevated tokens may indicate credential abuse.
You Should Know: Practical Detection & Hunting
1. Detecting Suspicious WMI Execution (KQL for SIEM)
[kql]
SecurityEvent
| where EventID == 4688
| where ParentProcessName contains "WmiPrvSE.exe"
// NewProcessName holds the full path, so compare the file name rather than the whole string
| extend ProcName = tolower(tostring(split(NewProcessName, "\\")[-1]))
| where ProcName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName, CommandLine
[/kql]
2. Hunting WMI Persistence (PowerShell)
Get-WmiObject -Namespace "root\subscription" -Class __EventFilter
Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding
Malicious filters/consumers often have random or obfuscated names.
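Listing the three classes separately leaves the analyst to join them by hand. The script below is an added example (not from the original post) that correlates each `__FilterToConsumerBinding` with its filter and consumer and flags command-line or script consumers whose payload contains common launcher strings; the `$suspicious` list is an assumption to tune for your environment, and the script expects an elevated Windows PowerShell session.

```powershell
# Added example: correlate WMI subscription bindings with their filters and consumers.
# Assumes an elevated session; the $suspicious indicator list is an assumption to tune.
$ns = 'root\subscription'

# Index filters and consumers by Name so bindings can be resolved without re-querying.
# Enumerating the abstract __EventConsumer class returns all derived consumer instances.
$filters   = @{}
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

# Substrings frequently seen in malicious consumer payloads (assumption, not an exhaustive list).
$suspicious = 'powershell', '-enc', 'cmd.exe', 'wscript', 'cscript', 'mshta', 'http', 'base64'

foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    # Reference properties expose the key (Name) of the referenced instance.
    $f = $filters[$b.Filter.Name]
    $c = $consumers[$b.Consumer.Name]
    if (-not $f -or -not $c) {
        # A binding whose filter or consumer no longer exists is itself worth investigating.
        Write-Warning ("Dangling binding: filter '{0}' consumer '{1}'" -f $b.Filter.Name, $b.Consumer.Name)
        continue
    }

    $class = $c.CimClass.CimClassName
    # Only these two consumer types execute attacker-controlled content.
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }
    $hits = @($suspicious | Where-Object { $payload -and ($payload -match [regex]::Escape($_)) })

    [pscustomobject]@{
        Filter        = $f.Name
        FilterQuery   = $f.Query
        Consumer      = $c.Name
        ConsumerClass = $class
        Flagged       = ($class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') -and $hits.Count -gt 0
        Indicators    = ($hits -join ',')
        Payload       = $payload
    }
}
```

Pipe the output to `Format-List` or `Export-Csv` to keep the full filter query and payload for review; bindings whose `Flagged` value is false still deserve a glance if their names look random or obfuscated.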
3. Monitoring WMI Process Creation (Windows Command Line)
wmic process where "name='powershell.exe' or name='cmd.exe'" get processid,parentprocessid,commandline /format:list
4. Analyzing Network Connections (Linux/Windows)
netstat -ano | findstr "135"    (Windows)
ss -tulnp | grep ":135"         (Linux, for detecting RPC listeners)
5. Disabling WMI for Hardening (Admin Command)
sc config winmgmt start= disabled
net stop winmgmt
(Warning: Disabling WMI may break legitimate admin tasks.)
What Undercode Say
WMI is a powerful but dangerous tool in both admin and attacker toolkits. Defenders must:
– Log WMI activity (Enable `Microsoft-Windows-WMI-Activity/Operational` in Event Viewer).
– Restrict WMI permissions via GPO for non-admin users.
– Monitor child processes of WmiPrvSE.exe.
– Use Sysmon (Event ID 19-21) for deeper WMI tracking.
For red teams, WMI offers stealth, but detection is maturing. Alternatives like PSRemoting or CIM may evade basic WMI alerts.
Title: WMI Exploitation: How Attackers Use It — And How to Detect It
References:
Reported By: Patrick Bareiss – Hackers Feeds