Windows management instrumentation (WMI) is a tool that is implemented as a service to locally and remotely manages data, operations and configuring settings on windows operating systems.

WMI allows the administrator to see how the Operating system operates, what are its configurations and properties and to automatically collect a systems hardware and software data.

Malware/Threat actors

Name Type Years Source
Operation Cleaver threat actor 2012-2013 Cylance_Operation_Cleaver_Report.pdf

stamp.jsp?tp=&arnumber=7460498&tag=1

TEMP.Demon threat actor 2018 rpt-mtrends-2019.pdf

Lazarus Group threat actor 2011-2014 Operation-Blockbuster-Report.pdf

Operation-Blockbuster-RAT-and-Staging-Report.pdf

Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf

Operation-Blockbuster-Destructive-Malware-Report.pdf

HURRICANE PANDA threat actor 2014 GlobalThreatIntelReport.pdf

ICIT-Brief-China-Espionage-Dynasty.pdf

Threat%20Group%20Cards.pdf

GlobalThreatIntelReport.pdf

Stuxnet malware 2008 R41524.pdf

w32_stuxnet_dossier.pdf

stuxnet_0_5_the_missing_link.pdf

APT10 threat actor 2018 cloud-hopper-report-final-v4.pdf

cloud-hopper-report-final-upda_72977.pdf

cta-2019-0206.pdf

Wild Neutron threat actor 2013-2015 WildNeutron_Economic_espionage.pdf

ICIT-Brief-Know-Your-Enemies-2.0.pdf

Wiper malware 2014 TA14-353A_wiper.pdf

Operation Hangover malware 2015-2016 NS-Unveiling-an-Indian-Cyberattack-Infrastructure_FINAL_Web.pdf

Unveiling%20an%20Indian%20Cyberattack%20Infrastructure%20-%20appendixes.pdf

Preventions

<Mitigation techniques>

Detections

  • Create a list of systems that will be used by IT to remotely administrate machines. Monitor network connections using WMI that are not within this list.
  • Apply an algorithm on machines doing one-to-many connections in a specified time window using WMI.

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

References