Windows Management Instrumentation

Description

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. 

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenticated ScanSMBWindows ServicesPlugin ID: 44401
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenticated ScanWMILocal Users, Groups and Group membershipPlugin ID: 71246
Tenable Vulnerability ManagementAdvanced Network ScanWindows machinesAuthenticated ScanOS CommandComputer ConnectivityPlugin ID: 64582

References

Enumerate Local Group Memberships

Microsoft Windows SMB Service Config Enumeration

Netstat Connection Information

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Execution

Platform: Windows

Tenable Release Date: 2022 Q3