Attackers Abuse WMIC to Download Malicious Files
This tactic is commonly used by adware and spyware. Identify the parent process of the file concatenation, and search for hashes in public malware databases to determine if it is known adware. Analyze process activity before and after concatenation. Malicious actors may create their own copy of these programs rather than use the one in the default install location. This detection identifies commands commonly observed in activity related to Covenant, a popular C2 framework.
This detection identifies reg. NET C compiler, is used by malicious actors to compile and execute malicious C code. Malicious actors can use the trusted PubPrn. Investigate the script in the command line arguments, the remote host the script was executed from, and any child processes created.
This detection identifies CScript or WScript spawning child processes whose binary is located within the Users directory. This occurs when malicious actors drop payloads to disk in the user-writable Users directory and then invoke the script that performs the malware drop.
This detection identifies the binary 'ctfmon. Malicious actors commonly attempt to disguise malware as legitimate Windows system binaries. Often these can be detected if a Windows system binary name is observed in an odd location.
Examine the command-line arguments of the renamed program for malicious indicators. This has been observed being used by malicious actors post-compromise of Jenkins servers. This detection identifies the Curl utility being used to access a remote IP address. Malicious actors often use utilities, such as Curl, to download additional payloads after gaining access to a target resource.
Examine the IP address that is being contacted. Examine the contents of the directory. This detection identifies the default function names of various exploitation frameworks being run by rundll. This command destroys the catalog of backups created by the Windows Server Backup snap-in. This technique is used by malicious actors deploying ransomware to increase the likelihood of a target paying the ransom. This technique is used by malicious actors during a ransomware attack to destroy backup copies of files on a system to increase the likelihood of a target paying to retrieve their data.
Other legitimate software may use this to minimize disk usage. This detection identifies the file ld. This file contains a list of libraries that will be loaded by any user-mode process, and a malicious actor may replace it with one that points to their own malicious code. Investigate the contents of the ld. Malicious actors may use this to force accounts to authenticate locally. Ensure that this is part of authorized administrator activity.
Investigate the file that is hosted at the Discord URL. This detection identifies Reg. This may be done by malicious actors who are setting up malicious services. Investigate the service DLL that is added. Attempt to deobfuscate any obfuscated PowerShell script. This detection identifies the string '[d. This is indicative of certain PowerShell-based malware. Acquire and analyze the loaded DLL. Ensure that the activity is not part of authorized testing. This technique is used by malicious actors to perform remote command execution.
This detection identifies suspicious use of DNX. Determine whether parent and child processes of DNX. Investigate the files or folders included in the DNX. Rapid7 has observed malicious actors using this technique to retrieve malware from external locations by sending malicious documents to targets. This detection identifies domain names for common dynamic DNS services. Malicious actors can use dynamic DNS services to mask their infrastructure.
Investigate the domain and the process that spawned the command. This detection identifies the echo command being used to redirect output to a system pipe. This behavior is observed in post-exploitation frameworks like Cobalt Strike. This detection identifies a specific code page number being set by Reg. This is often used in JavaScript loaders that attempt to pull down additional malware or ransomware to be executed.
Review web traffic for affected assets and the contents of the JavaScript being run to identify any possible URLs that it may be attempting to download from, and look for child processes of this process. This process is used by malicious actors through multiple post-exploitation frameworks, such as Cobalt Strike and Metasploit.
This command repairs the extensible storage engine's database, NTDS. This technique is used by malicious actors to obtain a copy of the password hashes on the compromised system. Review the file location in the command line and validate that the activity performed by the user is intended and allowed.
Malicious actors may send this file to a target user as a phishing attachment. Examine any child processes of Excel. This technique is used by malicious actors to send malicious documents to targets that retrieve and execute malware from external locations when opened. Investigate any web-accessible directories for suspicious files. This detection identifies the netsh firewall command being used to allow all connections by a process. This tactic is used in several malware families, such as NJRat.
This detection identifies malware being run by a malicious actor from an administrative share as a means of detection evasion. Administrative shares are hidden network shares intended to allow system administrators to have remote disk access to all systems in a network environment. This directory has been identified as a staging directory used by malicious actors such as the IcedID malware. This detection identifies executables being launched from the root of the recycle bin, which is a common staging directory for malicious actors.
Legitimate executables will never run out of the root of the recycle bin directory. Review the process activity on the host to identify other suspicious behavior.
Retrieve the binary in question and perform analysis on its behavior if the hash is unknown. This detection identifies processes being executed from the root of ProgramData. This is often used as a staging directory by malicious actors. This detection identifies processes being executed from the root of Users.
This detection identifies binaries executing from the System Volume Information directory. This directory exists by default at the root of an NTFS drive. Malicious actors may use this location to hide malware. Examine the process that executed and the contents of the System Volume Information directory. This detection identifies the use of JScript Encoded. JSE files. Encode function. This function was designed to protect JavaScript source code from being viewed, but can be used by malicious actors to obfuscate the contents of malicious JavaScript files.
This detection identifies exe, dll, and ps1 files being copied from an SMB share to a local drive. This may be done by malicious actors to deploy tools onto new systems. This detection identifies the use of 'expand. Rapid7 has observed malicious actors using this utility in these directories when decompressing archives containing tools and malware. Malicious actors perform this activity after compromising a web application. This detection identifies binaries named 'explorer.
Malicious actors may use names like this in an effort to evade detection by blending in with legitimate processes. This detection identifies the execution of JavaScript files by the Explorer process. This occurs when the file is executed by a user via the GUI, which may indicate that the user has received a malicious JavaScript file and is executing it.
Malicious JavaScript files are commonly used as spearphishing attachments. Acquire and analyze the JavaScript file being run. This detection identifies a shell com object being used in PowerShell to unzip and copy files. This has been observed in malicious PowerShell scripts as a way to deploy additional malicious code. This detection identifies the Certificate Request utility, CertReq.
A malicious actor may do this in order to pull down additional tools, or for exfiltration purposes. Investigate the URL being contacted. The Windows utility 'finger. This technique is used by malicious actors to use malicious documents for exploitation.
Review the process in question. If it is malicious, quarantine the asset, lock the user's account, and reset the credentials. This detection identifies FSUtil being used to overwrite a file on disk with zeros. This has been observed in the LockerBit malware, which overwrites its own binary to hinder forensic investigation. A malicious actor could use the capabilities of this utility to execute malicious scripts. This utility is also used by malicious actors in the PoshC2 post-exploitation framework to execute scripts hosted on a remote web server controlled by a malicious actor.
Malicious actors may host code on one of those services and pull directly from them when deploying to a compromised host. Investigate the contents of the file being downloaded. CHM files, which are often used maliciously to run commands using a number of possible built-in Windows utilities to download malware and compromise the system. Malicious help files are often sent via phishing emails. Review the command line arguments being passed from HH.
Investigate the contents of the chm file - CHM files can be decompiled using the command 'hh. This detection identifies 'icacls. Malicious actors, including the Ryuk ransomware, have done this to ensure the necessary permissions are available on the drives it encrypts. This detection identifies the process 'IEExec. NET Framework utility, being used to download files. This may be done by a malicious actor as a way to download second stage payloads.
Malicious actors may use this to execute malware. The following commands are run when Invisi-Shell starts. Note that the reg. Investigate any child processes spawned by PowerShell following this activity.
This detection identifies the use of Invoke-PSImage. Invoke-PSImage is a tool used to encode a PowerShell command in an image, which can then be downloaded and executed using a PowerShell command. Investigate the URL being downloaded from. This detection identifies the url iplogger. This is a tactic used by Java-based RAT droppers. Examine the process that spawned the command, and anything else that process may have spawned. This detection identifies the filenames Chrome.
This file name is commonly used by the FakeUpdate malware. This detection identifies taskkill or net stop being used to kill multiple instances of database software within a short amount of time. This has been observed in ransomware actors who are attempting to kill processes that are locking databases so that those databases can be encrypted.
Ensure that this is part of expected activity. This detection identifies use of the command line tool klist to request a Kerberos ticket on behalf of a certain host. Attackers may use this to authenticate and move laterally. Determine if this is part of authorized IT activity. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the users on both the source and target machines change their passwords.
Investigate the target host for any suspicious activity around this same time frame. This detection identifies the execution of system environment variables that are used to display the installation progress during a drop of the fileless malware Kovter. This detection identifies. Malicious actors may use. Attempt to determine what the PowerShell command is doing - it may be heavily obfuscated. Examine the. This detection identifies the execution of hashes that have been identified as malicious by the hash reputation service.
This detection identifies hundreds of copy commands on one endpoint within a few minutes to remote systems. Review the file being copied to validate if it is malicious. If it is, remove it from all locations, and identify and lock accounts being used to copy the files. If necessary, rebuild the hosts from a known, good source and have the users change their passwords.
This detection identifies a Microsoft Office application launching the Curl utility. This may be done by malicious documents attempting to download a second stage payload. Attempt to identify the document that caused Curl to execute. Examine any other processes launched by the Office application.
This detection identifies 'nvdtm. Execution of 'nvdtm. Examine any other children that the Word or Office process may have spawned. This behavior is indicative of exploitation of CVE, an exploit which allows an attacker to craft a document that contains a malicious ActiveX control that can execute arbitrary code.
Attempt to determine the document that caused this activity. Examine anything that may have been spawned by control. Examine the process that was spawned, and any additional processes that that process may have spawned. This command has been observed in ransomware samples. This key contains scripts to be run upon login, and can be modified by malicious actors to achieve persistence. This detection identifies the local firewall being modified using netsh. Determine whether this is authorized administrator activity.
Investigate any child processes of MSBuild. Acquire additional process artifacts and identify the root cause of the suspicious process. The source could be a document sent by a malicious actor to the user by email. Investigate the user's inbox to identify any malicious emails, and determine if any other users have received the email.
This detection identifies the Microsoft Troubleshooter utility being used to execute a program. Malicious actors do this to bypass application security controls. By placing a crafted DLL file named 'oci. If possible, examine the contents of the registry key. This has been observed in malicious. Review the contents of the file being read. This technique was first used by the Kovter malware family, and is able to run JavaScript and Visual Basic (VB) on the command line.
This detection identifies console commands which contact myip. This behavior is often observed in use by malicious actors who are attempting to determine a system's external IP address.
This detection identifies Netcat, a utility for reading and writing data across network connections. Malicious actors use Netcat for several malicious activities, such as data exfiltration or as a reverse shell. This detection identifies the deprecated IPSec command being used to manipulate the local firewall.
Malware such as Lockergoga uses this utility to disable network connections. This detection identifies certain Netsh commands being used to modify the local firewall. Malicious actors, in particular the Cerber ransomware, have been observed engaging in this kind of activity. Malicious DLL files can be loaded with netsh.
Investigate any child processes of netsh. This detection identifies use of the netsh portproxy command, which can be used by malicious actors to tunnel egress traffic. This detection identifies Ngrok being run out of a user's directory. Ngrok is a legitimate utility that is sometimes abused by attackers to tunnel traffic out to the internet. This detection identifies registry keys that have been obfuscated using string concatenation.
Malicious actors will break up strings in order to evade detection by string matching-based detections. Investigate the contents of the registry key in the command line.
Investigate the DLL that is being registered. This detection identifies the use of various command line utilities against a. This detection identifies command line output being redirected to a single character text file. This is often done by malicious actors writing credentials or system information to a file. Investigate the contents of text file being written. Pastebin is often used by malicious actors to host malicious scripts. Investigate the file being served from the Pastebin URL if it is still active.
The environment variable points to the location on the file system that contains Visual Basic Script (VBS), which is used by malicious actors to execute malware on the compromised host. This detection identifies attempts at using certain file path syntax to evade detection. By including two dots in a file path, which is the shortcut for the parent directory, a malicious actor can include directories in a file path that do not exist, or directories for files they are not actually accessing.
Malware, such as Emotet, uses this tactic to evade simple detections that strictly match on a file path. Investigate the process that tries to load something with an obfuscated file path, and investigate any processes that are launched from that file path. This detection identifies a debugger being set for Windows accessibility tools. Windows has a number of accessibility programs that are accessible on a locked PC in order to allow users who need the tools to log in, such as 'magnify.
An attacker can set the debugger for these applications to, or replace their binaries with, a binary of their choosing, allowing the attacker to run them without being logged in. Investigate any child processes launched by the accessibility tool, and any application that has been set as the debugger for that tool. Determine if the binary for the accessibility tool is the original Microsoft binary.
This detection identifies a malicious actor using the ping command and piping the output to another executable, which will cause that executable to run.
Malicious actors do this to attempt defense evasion. Investigate the executable that is being piped to. This detection identifies 'PkgMgr. The actor will then run pkgmgr. The malicious DismCore. The legitimate DismCore. A malicious actor can execute arbitrary code by passing a DLL file as an argument to the Windows Update client wuauclt. This detection identifies the use of 'MavInject.
Malicious actors can use the signed and trusted Microsoft utility, MavInject to inject a malicious DLL into a running process. NET that can be used to execute arbitrary code from a trusted process, bypassing application whitelisting.
Investigate surrounding events, and acquire and analyze any XML files in command line. This detection identifies possible protocol handler poisoning attacks, in which a new protocol handler is added to Windows in order to execute a specified malicious command.
These binaries can be used by a malicious actor to execute unsigned code, which bypasses application whitelisting. This detection identifies MMC. Examples: Execution of a script from a WebDav server: appvlp.
Investigate the process that is being executed by Dxcap. Examine the parent process of Dxcap. Investigate the contents of the script that is being run. The MSXSL utility can be used to execute arbitrary code stored in an xsl file, bypassing defenses like application whitelisting. This can be done with a locally stored xsl file, or with a remote file over HTTP. Investigate the contents of the XSL file. This detection identifies SLUI. Check the contents of the registry key being modified.
This detection identifies PowerShell or Bitsadmin attempting to retrieve content from GitHub domains. Malicious actors often use code stored on GitHub in order to evade defenses. Review the process execution timeline on the host to identify other attacker related activity. Review the URL being passed to the binary and determine if this object's use is authorized. Identifies the System. Connect function in PowerShell being used to initiate a connection to a remote IP address.
Investigate the IP address that is being contacted. Malicious actors may use this function to capture the contents of the screen. Attempt to determine what the PowerShell script is doing with the screen data gathered by CopyFromScreen. This detection identifies use of the System. Investigate the remote IP address being contacted. This technique is used by malicious actors to remove backup copies of files immediately prior to the execution of ransomware to increase the likelihood of a target paying the ransom.
TXT records can be used by attackers to contain C2 information for malware. Investigate the contents of the TXT records being queried. This detection identifies executable files downloaded by PowerShell using the DownloadFile function. Malicious actors will often use this to download second stage payloads. Investigate the URL being contacted and the file downloaded from it. Malicious actors may use this function as part of a keylogger.
This detection identifies the use of [Windows. Clipboard]::GetText in PowerShell, which has been used by PowerShell-based backdoors, such as Empire to acquire the contents of a target user's clipboard.
Determine what else is done by the PowerShell script being executed, and if it is expected or otherwise benign behavior. This detection identifies the use of Invoke-WebRequest being passed to PowerShell in the command line in order to retrieve data from a remote system for later execution. Review the file being retrieved and the process history of the host in order to identify other attacker related activity.
This detection identifies interaction with MemoryStream objects in PowerShell. A MemoryStream object is a stream of bytes stored in memory.
Malicious actors use MemoryStream objects to store non-printable code, such as shellcode or portable executable files. Analyze the PowerShell command for suspicious contents. There may be data in the command that is encoded using base64, gzip, or other means. Attempt to reverse any obfuscation to further investigate what the command is doing. This detection identifies PowerShell being used to push a Group Policy update to all systems found in Active Directory.
Ransomware, in particular the LockBit ransomware, has been observed doing this in order to disable Windows Defender across the environment. Ensure that the change in group policy is rolled back. This detection identifies use of the Reflection. Assembly class in PowerShell. Assembly class can be used by attackers to perform reflective DLL injection and cause a malicious DLL to execute in-memory.
This attack vector is used by malicious actors, but is not common. The resulting output is the valid Base This detection identifies PowerShell as a child process of ForFiles. This has been observed in use by malicious actors, who will use ForFiles.
Malicious actors use this writable directory to save and execute malware retrieved by downloaders. This detection identifies execution of '. This technique is used by malicious actors in order to proxy the execution of malicious code through a known and trusted binary. This technique is used by malicious actors to drop banking trojans. This detection identifies the use of the PowerShell System.
Investigate any IP addresses identified in the command. Malicious actors use this technique embedded within malicious documents. This detection identifies the use of the PowerShell. This is often used by malicious documents in order to perform the transfer of the payload to the endpoint for later execution.
Review the file being downloaded and the URL being contacted. This detection identifies processes being executed directly from live. SysInternals hosts a collection of tools used by administrators and sometimes malicious actors.
This detection identifies scheduled tasks that are attempting to be created and called from locations that are writable by the user. Analyze the contents of the task being created. Rogue processes being spawned may be an indication of a successful attack against these systems, which have been observed being targeted by various malicious actors. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having any possibly affected users change their passwords.
This detection identifies processes spawned by 'sapstartsrv. Malicious actors could use this to create web application accounts on vulnerable systems and execute commands under the context of a privileged user. This detection identifies Python being used to download and execute a script from a remote destination.
This may be done by malware attempting to download and execute second stage payloads. Investigate the contents of the URL that the script was downloaded from. This detection identifies 'RegASM. Malicious actors have been identified bringing their own copy of 'RegASM.
This detection identifies RegASM. This may be indicative of process injection or a signed binary proxy execution. This detection identifies RegEdit being used to import a registry file from the Temp directory.
Malicious actors have been observed importing registry keys as a method of maintaining persistence. This detection identifies the use of reg. A registry key that is often deleted is DisabledItems. By deleting this key, any disabled add-ins will be re-enabled.
This tactic is used by the malicious PowerWorm PowerShell module for generating malicious documents. Determine whether there is a legitimate reason for the parent process to delete this key. Look for any suspicious behavior associated with Word or Excel, and investigate any child processes they may have spawned. This detection identifies the 'Reg.
Any folder designated as a startup folder will execute its contents on boot, and malicious actors may do this to achieve persistence. Investigate the contents of the folder that was set as the new Startup folder. Querying this key will produce a list of historical connections made from the Remote Desktop client. Malicious actors can use this information to identify targets for lateral movement. Determine whether the user querying the key had a legitimate reason for doing so.
Investigate any RDP activity to or from the host in the time frame surrounding the command being run. The command will look similar to: reg. Investigate the user account that is being hidden and ensure it is an account that is authorized to be on the system. This tactic is used by the LaZagne credential extraction tool. RegSvr32 is used by malicious actors to execute malicious DLL files. ProgramData is a common staging directory for these files. If the registered file is still on disk, acquire it and analyze it.
If it is an XML file, it can be analyzed in a plain text editor to determine its purpose. This has been observed in use by malicious actors. Examine the child commands being executed. This may be indicative of a malicious COM object being executed. This detection identifies use of the deprecated Windows 'at. This utility is often used by malicious actors to remotely execute code. Investigate the target host for any activity following this command. This detection identifies a user creating a service on a remote system.
This can be done by malicious actors to move laterally. This detection identifies renamed copies of CertUtil. Malicious actors have been observed using renamed copies of CertUtil - either brought with them into the environment or copied from the PowerShell binary already present on the system - to download malicious code and evade defenses.
Investigate any URLs that appear in the command line. This detection identifies CMD. Malicious actors may make a copy of CMD. Investigate any commands run by the renamed CMD. This detection identifies Microsoft.
This detection identifies arguments consistent with MSBuild. This has been observed in malicious activity and used to compile malicious C payloads. This detection identifies renamed instances of Netcat, a tool used to read and write from network sockets that is frequently abused by malicious actors.
This detection identifies renamed copies of PowerShell.
But when a web browser asks a server for this file, malicious code executes server side. These challenges in detecting web shells contribute to their increasing popularity as an attack tool. We constantly monitor how these evasive threats are utilized in cyberattacks, and we continue to improve protections. In the next section, we discuss how behavior-based detection technologies help us protect customers from web shell attacks.
Gaining visibility into internet-facing servers is key to detecting and addressing the threat of web shells. To tackle challenges in detecting these threats, Microsoft Defender for Endpoint uses a combination of durable protections that prevent web shell installation and behavior-based detections that identify related malicious activity.
Microsoft Defender for Endpoint exposes malicious behavior by analyzing script file writes and process executions. Due to the nature of web shells, static analysis is not effective—as we have shown, it is relatively easy to modify web shells and bypass static protections. To effectively deliver protection, Microsoft Defender for Endpoint uses multiple layers of protection through behavior inspection. Behavior-based blocking and containment capabilities, which use engines that specialize in detecting threats by analyzing behavior, monitor web-accessible directories for any new script file creation.
While file creation events alone cannot be treated as suspicious, correlating such events with the responsible process tree can yield more reliable signals and surface malicious attempts.
The engine can then remediate the script, neutralizing the primary infection vector. For example, IIS instance w3wp. Microsoft Defender for Endpoint also detects web shell installation attempts originating from remote systems within the organization using various lateral movement methods. On the web server, these remote actions are carried out by system processes, thus giving visibility into the process tree. A system-privilege process dropping script files is another suspicious event and provides the behavior inspection engines ways to remediate the script before the attackers can perform any malicious actions.
Behavior-based protection also provides post-compromise defense in scenarios where attackers are already operating and running commands on web servers. Once attackers gain access to a server, one of their first steps is to understand the privilege and the environment they have access to by using built-in reconnaissance commands that are not typically used by web applications.
IIS instance w3wp. IIS servers have built-in management tools used by administrators to perform various maintenance tasks. These platforms surface various PowerShell cmdlets that can expose critical information to the attackers. IIS instances w3wp. The behavior engine monitors execution of such cmdlets and the responsible process trees, for example. With its behavior-based blocking and containment capabilities, Microsoft Defender for Endpoint can identify and stop behavior associated with web shell attacks.
It raises alerts for these detections, enabling security operations teams to use the rich investigation tools in Microsoft Defender for Endpoint to perform additional investigation and hunting for related or similar threats.
Figure 5. Microsoft Defender for Endpoint alerts for behaviors related to web shell attacks. Microsoft Defender and Microsoft Defender for Endpoint customers can also run advanced hunting queries to proactively hunt for web shell attacks. Look for suspicious processes that the IIS worker process w3wp.
A single web shell allowing attackers to remotely run commands on a server can have far-reaching consequences. With script-based malware, however, everything eventually funnels to a few natural chokepoints, such as cmd.
As with most attack vectors, prevention is critical. Web shells and the attacks that they enable are a multi-faceted threat that require comprehensive visibility across domains and platforms. Microsoft Defender correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection.
Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender.
Empire can use WMI to deliver a payload to a remote host. EvilBunny has used WMI to gather information about the system. FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.
Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version. Impacket's wmiexec module can be used to execute commands through WMI. Kazuar obtains a list of running processes through WMI querying.
Koadic can use WMI to execute commands. Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application wmic to start itself on a target system during lateral movement. Leviathan has used WMI for execution. Lucifer can use WMI to log into remote machines for propagation. Maze has used WMI to attempt to delete the shadow volumes on a machine, and to join a virtual machine to the victim organization's network domain. MoleNet can perform WMI commands on the system.
Mosquito's installer uses WMI to search for antivirus display names. MuddyWater has used malware that leveraged WMI for execution and querying host information. Naikon has used WMIC. NotPetya can use wmic to help propagate itself across a network. Octopus has used wmic. OilRig has used WMI for execution. Olympic Destroyer uses WMI to help propagate itself across a network. Operation Wocao has used WMI to execute commands.
PoshC2 has a number of modules that use WMI to execute tasks. QakBot can execute WMI queries to gather information. Remexi executes received commands with wmic. REvil can use WMI to monitor for and kill specific processes listed in its configuration file. RogueRobin uses various WMI queries to check if the sample is running in a sandbox. SharpStage can use WMI for execution. Sibot has used WMI to discover network connections and configurations. Stuxnet used WMI with an explorer.
Valak can use wmic process call create in a scheduled task to launch plugins and for execution. WannaCry utilizes wmic to delete shadow copies. Windshift has used WMI to collect information about target machines. One variant of Zebrocy uses WMI queries to gather information. Note: many legitimate tools and applications utilize WMI for command execution.
Use application control configured to block execution of wmic. Prevent credential overlap across systems of administrator and privileged accounts.
By default, only administrators are allowed to connect remotely using WMI. Restrict which other users are allowed to connect, or disallow all users from connecting remotely to WMI. Perform process monitoring to capture the command-line arguments of "wmic" and detect commands that are used to perform remote behavior.
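Both the w3wp.exe child-process hunt mentioned above and the wmic command-line monitoring in these mitigations can be expressed as a few rules over process-creation events. The following Python is an added example, not Microsoft's or MITRE ATT&CK's own detection logic; the 'parent|image|cmdline' record format and the sample records are constructed for illustration.

```python
"""Two detections discussed on this page, run over constructed process-creation
events: (1) the IIS worker process w3wp.exe spawning command interpreters or
reconnaissance tools, (2) wmic.exe used for remote execution.
Added example; not Microsoft's or MITRE ATT&CK's own detection logic."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image name, lower-cased, no path
    image: str     # child image name, lower-cased, no path
    cmdline: str   # full command line of the child


# Binaries a web application has little reason to launch; tune for your servers.
WEBSHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "net.exe",
                     "ipconfig.exe", "systeminfo.exe", "nltest.exe"}
# wmic targeting another host (/node:) or creating a process via WMI.
WMIC_REMOTE = re.compile(r"/node:|process\s+call\s+create", re.IGNORECASE)


def parse_event(line):
    """Parse a constructed 'parent|image|cmdline' record (hypothetical log format)."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def classify(ev):
    """Return the names of every detection rule the event triggers."""
    hits = []
    if ev.parent == "w3wp.exe" and ev.image in WEBSHELL_CHILDREN:
        hits.append("webshell_child_of_w3wp")
    if ev.image == "wmic.exe" and WMIC_REMOTE.search(ev.cmdline):
        hits.append("wmic_remote_execution")
    return hits


def scan(lines):
    """Run both rules over log lines; return (image, hits) for each flagged event."""
    flagged = []
    for ev in map(parse_event, lines):
        hits = classify(ev)
        if hits:
            flagged.append((ev.image, hits))
    return flagged


# Constructed sample records: two benign, two that should fire.
SAMPLE_LOG = [
    "w3wp.exe|csc.exe|csc.exe /noconfig /fullpaths",  # ASP.NET compile, benign
    "w3wp.exe|cmd.exe|cmd.exe /c whoami",              # interpreter under IIS worker
    "explorer.exe|wmic.exe|wmic os get caption",       # local query, benign
    "cmd.exe|wmic.exe|wmic /node:HOST01 process call create notepad.exe",
]
```

`scan(SAMPLE_LOG)` returns the two flagged records; the benign csc.exe compile and the local wmic query pass untouched, which is the distinction the page's note about legitimate WMI use calls for.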