HOME
ABOUT
- RESULTS
- differences
- BENEFITS
- HISTORY
- TEAM
- LOCATION
- FACILITIES
- BANKING
- MEMBERSHIPS
- APPROVALS
- LICENCES
- SUPPLIERS
- SPONSORSHIPS
- MEDIA
- PRIVACY
AUCTIONS
SHIPPING
FEES
- TS REWARDS
TOOLS
guides
FAQ
CONTACT
- CONNECT

VEHICLES
BRAND
- JAPANESE CARS
  - DAIHATSU
  - EUNOS
  - FORD
  - HONDA
  - ISUZU
  - LEXUS
  - MAZDA
  - MITSUBISHI
  - MITSUOKA
  - NISSAN
  - SUBARU
  - SUZUKI
  - TOYOTA
- GERMAN CARS
- AMERICAN CARS
- BRITISH CARS
- ITALIAN CARS
- FRENCH CARS
- SWEDISH CARS
- KOREAN CARS
TYPE
- mobility
- VENDING
- instruction
- TAXIS
- AMBULANCES
- FIRE ENGINES
- HEARSES
- LIMOUSINES
- COMMERCIAL
CLASS
FUEL
TRUCKS
minitrucks
- DAIHATSU
- HONDA
- MAZDA
- MITSUBISHI
- NISSAN
- SUBARU
- SUZUKI
- DUMP
- CRANE
- CAMPER
- REFRIGERATED
- 4WD
- NEW
BUSES
MOTORHOMES
- YAHOO!
- RAKUTEN
- DEALER

PARTS
- FREE REPORT
- PARTS CONTAINERS
- PARTS SYSTEMS
- PARTS PROTECTION
- BODY SHELLS
- DISMANTLING
- ONLINE PARTS
- NEW PARTS
- INTERIOR PARTS
- EXTERIOR PARTS
  - BONNETS
  - BUMPERS
  - GRILLES
  - FENDERS
  - DOORS
  - TRUNKS
  - SPOILERS
  - LIGHTS
  - EMBLEMS
  - CAMERAS
- ENGINES
- TRANSMISSIONS
- WHEELS & TYRES
  - WHEELS
  - TYRES
CUTS
PERFORMANCE PARTS
TRUCK PARTS
MOTORBIKE PARTS
- MOTORBIKE ENGINES
- MOTORBIKE ACCESSORIES

MOTORBIKES
MARINE
FORKLIFTS
MACHINERY
AGRICULTURAL
OTHER
COUNTRY
- AUSTRALIA
- CANADA
- KENYA
- MYANMAR
- NEW ZEALAND
- PAKISTAN
- TANZANIA
- UNITED STATES

CARVIEW

MOTORHOMES

Select Language

HTTP/2 301 server: GitHub.com content-type: text/html x-origin-cache: HIT location: https://attack.mitre.org/techniques/T1047/ access-control-allow-origin: * expires: Sat, 02 Aug 2025 14:53:34 GMT cache-control: max-age=600 x-proxy-cache: MISS x-github-request-id: 3258:467B9:A2711:C1D03:688E240E accept-ranges: bytes age: 0 date: Sat, 02 Aug 2025 14:43:34 GMT via: 1.1 varnish x-served-by: cache-bom-vanm7210071-BOM x-cache: MISS x-cache-hits: 0 x-timer: S1754145814.929730,VS0,VE204 vary: Accept-Encoding x-fastly-request-id: 7033d38576ec313848af9adb3a2ff89eba7f851e content-length: 162 HTTP/2 200 server: GitHub.com content-type: text/html; charset=utf-8 last-modified: Wed, 02 Jul 2025 17:47:42 GMT access-control-allow-origin: * etag: W/"686570be-52c39" expires: Sat, 02 Aug 2025 14:53:34 GMT cache-control: max-age=600 content-encoding: gzip x-proxy-cache: MISS x-github-request-id: CD17:48FDA:E644B:1102CF:688E2414 accept-ranges: bytes age: 0 date: Sat, 02 Aug 2025 14:43:34 GMT via: 1.1 varnish x-served-by: cache-bom-vanm7210071-BOM x-cache: MISS x-cache-hits: 0 x-timer: S1754145814.147473,VS0,VE206 vary: Accept-Encoding x-fastly-request-id: 84ad8389a4be778635d23d432e3c36eee9a4d557 content-length: 58009 Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®

Matrices
Enterprise Mobile ICS
Tactics
Enterprise Mobile ICS
Techniques
Enterprise Mobile ICS
Defenses
Data Sources
Mitigations
Enterprise Mobile ICS

Assets
CTI
Groups Software Campaigns
Resources
Get Started Learn More about ATT&CK ATT&CKcon ATT&CK Data & Tools FAQ Engage with ATT&CK Version History Updates Legal & Branding
Benefactors
Blog

ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

Home
Techniques
Enterprise
Windows Management Instrumentation

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.^[1] WMI is an administration feature that provides a uniform environment to access Windows system components.

The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management.^[1] Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.^[1] ^[2]

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.^[2] For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).^[3]

Note: wmic.exe is deprecated as of January of 2024, with the WMIC feature being "disabled by default" on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface.^[4] In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.^[4]

ID: T1047

Sub-techniques: No sub-techniques

ⓘ

Tactic: Execution

ⓘ

Platforms: Windows

Contributors: @ionstorm; Olaf Hartong, Falcon Force; Tristan Madani

Version: 1.6

Created: 31 May 2017

Last Modified: 15 April 2025

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
C0025	2016 Ukraine Electric Power Attack	During the 2016 Ukraine Electric Power Attack, WMI in scripts were used for remote execution and system surveys. ^[5]
S1028	Action RAT	Action RAT can use WMI to gather AV products installed on an infected host.^[6]
S0331	Agent Tesla	Agent Tesla has used wmi queries to gather information from the system.^[7]
S1129	Akira	Akira will leverage COM objects accessed through WMI during execution to evade detection.^[8]
G0016	APT29	APT29 used WMI to steal credentials and execute backdoors at a future time.^[9]
G0050	APT32	APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.^[10]
G0096	APT41	APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.^[11]^[12] APT41 has executed files through Windows Management Instrumentation (WMI).^[13]
G1044	APT42	APT42 has used Windows Management Instrumentation (WMI) to query anti-virus products.^[14]
G0143	Aquatic Panda	Aquatic Panda used WMI for lateral movement in victim environments.^[15]
S0373	Astaroth	Astaroth uses WMIC to execute payloads. ^[16]
S0640	Avaddon	Avaddon uses wmic.exe to delete shadow copies.^[17]
S1081	BADHATCH	BADHATCH can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine.^[18]^[19]
S0534	Bazar	Bazar can execute a WMI query to gather information about the installed antivirus engine.^[20]^[21]
S1070	Black Basta	Black Basta has used WMI to execute files over the network.^[22]
G1043	BlackByte	BlackByte used WMI to delete Volume Shadow Copies on victim machines.^[23]
S1068	BlackCat	BlackCat can use `wmic.exe` to delete shadow copies on compromised networks.^[24]
S0089	BlackEnergy	A BlackEnergy 2 plug-in uses WMI to gather victim host details.^[25]
G0108	Blue Mockingbird	Blue Mockingbird has used wmic.exe to set environment variables.^[26]
S1063	Brute Ratel C4	Brute Ratel C4 can use WMI to move laterally.^[27]
S1039	Bumblebee	Bumblebee can use WMI to gather system information and to spawn processes for code injection.^[28]^[29]^[30]
C0015	C0015	During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host.^[31]
C0018	C0018	During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (`wmiprvse.exe`) to execute a variety of encoded PowerShell scripts using the `DownloadString` method.^[32]^[33]
C0027	C0027	During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.^[34]
S0674	CharmPower	CharmPower can use `wmic` to gather information from a system.^[35]
G0114	Chimera	Chimera has used WMIC to execute remote commands.^[36]^[37]
G1021	Cinnamon Tempest	Cinnamon Tempest has used Impacket for lateral movement via WMI.^[38]^[39]
S0154	Cobalt Strike	Cobalt Strike can use WMI to deliver a payload to a remote host.^[40]^[41]^[31]
S1155	Covenant	Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners.^[42]
S0488	CrackMapExec	CrackMapExec can execute remote commands using Windows Management Instrumentation.^[43]
S1111	DarkGate	DarkGate has used WMI to execute files over the network and to obtain information about the domain.^[44]
S1066	DarkTortilla	DarkTortilla can use WMI queries to obtain system information.^[45]
S0673	DarkWatchman	DarkWatchman can use WMI to execute commands.^[46]
S0616	DEATHRANSOM	DEATHRANSOM has the ability to use WMI to delete volume shadow copies.^[47]
G0009	Deep Panda	The Deep Panda group is known to utilize WMI for lateral movement.^[48]
S0062	DustySky	The DustySky dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.^[49]
G1006	Earth Lusca	Earth Lusca used a VBA script to execute WMI.^[50]
S0605	EKANS	EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations.^[51]
G1003	Ember Bear	Ember Bear has used WMI execution with password hashes for command execution and lateral movement.^[52]
S0367	Emotet	Emotet has used WMI to execute powershell.exe.^[53]
S0363	Empire	Empire can use WMI to deliver a payload to a remote host.^[54]
S0396	EvilBunny	EvilBunny has used WMI to gather information about the system.^[55]
S0568	EVILNUM	EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.^[56]
S0267	FELIXROOT	FELIXROOT uses WMI to query the Windows Registry.^[57]
G1016	FIN13	FIN13 has utilized `WMI` to execute commands and move laterally on compromised Windows machines.^[58]^[59]
G0037	FIN6	FIN6 has used WMI to automate the remote execution of PowerShell scripts.^[60]
G0046	FIN7	FIN7 has used WMI to install malware on targeted systems.^[61]
G0061	FIN8	FIN8's malicious spearphishing payloads use WMI to launch malware and spawn `cmd.exe` execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and post compromise cleanup activities.^[62]^[63]^[64]^[65]
S0618	FIVEHANDS	FIVEHANDS can use WMI to delete files on a target machine.^[47]^[66]
S0381	FlawedAmmyy	FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.^[67]
C0001	Frankenstein	During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.^[68]
S1044	FunnyDream	FunnyDream can use WMI to open a Windows command shell on a remote machine.^[69]
C0007	FunnyDream	During FunnyDream, the threat actors used `wmiexec.vbs` to run remote commands.^[69]
G0093	GALLIUM	GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.^[70]
G0047	Gamaredon Group	Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address.^[71]^[72]
S0237	GravityRAT	GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).^[73]
S0151	HALFBAKED	HALFBAKED can use WMI queries to gather system information.^[74]
S0617	HELLOKITTY	HELLOKITTY can use WMI to delete volume shadow copies.^[47]
S0698	HermeticWizard	HermeticWizard can use WMI to create a new process on a remote machine via `C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll`.^[75]
C0038	HomeLand Justice	During HomeLand Justice, threat actors used WMI to modify Windows Defender settings.^[76]
S0376	HOPLIGHT	HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.^[77]
S0483	IcedID	IcedID has used WMI to execute binaries.^[78]^[79]
S1152	IMAPLoader	IMAPLoader uses WMI queries to query system information on victim hosts.^[80]
S0357	Impacket	Impacket's `wmiexec` module can be used to execute commands through WMI.^[81]^[82]
G1032	INC Ransom	INC Ransom has used WMIC to deploy ransomware.^[83]^[84]^[85]
S1139	INC Ransomware	INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.^[84]^[86]
G0119	Indrik Spider	Indrik Spider has used WMIC to execute commands on remote computers.^[87]
S0283	jRAT	jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.^[88]
S0265	Kazuar	Kazuar obtains a list of running processes through WMI querying.^[89]
S0250	Koadic	Koadic can use WMI to execute commands.^[90]
S0156	KOMPROGO	KOMPROGO is capable of running WMI queries.^[91]
S1160	Latrodectus	Latrodectus has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.^[92]^[93]
G0032	Lazarus Group	Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.^[94]^[95]^[96]^[97]
G0065	Leviathan	Leviathan has used WMI for execution.^[98]
S1199	LockBit 2.0	LockBit 2.0 can use wmic.exe to delete volume shadow copies.^[99]
G0030	Lotus Blossom	Lotus Blossom has used WMI to enable lateral movement.^[100]
S0532	Lucifer	Lucifer can use WMI to log into remote machines for propagation.^[101]
S1141	LunarWeb	LunarWeb can use WMI queries for discovery on the victim host.^[102]
G0059	Magic Hound	Magic Hound has used a tool to run `cmd /c wmic computersystem get domain` for discovery.^[103]
S0449	Maze	Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.^[104]^[105]
G0045	menuPass	menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.^[106]^[107]^[108]
S0688	Meteor	Meteor can use `wmic.exe` as part of its effort to delete shadow copies.^[109]
S0339	Micropsia	Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.^[110]^[111]
S0553	MoleNet	MoleNet can perform WMI commands on the system.^[112]
S0256	Mosquito	Mosquito's installer uses WMI to search for antivirus display names.^[113]
G0069	MuddyWater	MuddyWater has used malware that leveraged WMI for execution and querying host information.^[114]^[115]^[116]^[117]
G0129	Mustang Panda	Mustang Panda has executed PowerShell scripts via WMI.^[118]^[119]
G0019	Naikon	Naikon has used WMIC.exe for lateral movement.^[120]
S0457	Netwalker	Netwalker can use WMI to delete Shadow Volumes.^[121]
S0368	NotPetya	NotPetya can use `wmic` to help propagate itself across a network.^[122]^[123]
S0340	Octopus	Octopus has used wmic.exe for local discovery information.^[124]
G0049	OilRig	OilRig has used WMI for execution.^[125]^[126]
S0365	Olympic Destroyer	Olympic Destroyer uses WMI to help propagate itself across a network.^[127]
S0264	OopsIE	OopsIE uses WMI to perform discovery techniques.^[128]
C0022	Operation Dream Job	During Operation Dream Job, Lazarus Group used WMIC to executed a remote XSL script.^[129]
C0014	Operation Wocao	During Operation Wocao, threat actors has used WMI to execute commands.^[130]
S0378	PoshC2	PoshC2 has a number of modules that use WMI to execute tasks.^[131]
S0194	PowerSploit	PowerSploit's `Invoke-WmiCommand` CodeExecution module uses WMI to execute and retrieve the output from a PowerShell payload.^[132]^[133]
S0223	POWERSTATS	POWERSTATS can use WMI queries to retrieve data from compromised hosts.^[134]^[115]
S0184	POWRUNER	POWRUNER may use WMI when collecting information about a victim.^[135]
S0654	ProLock	ProLock can use WMIC to execute scripts on targeted hosts.^[136]
S1032	PyDCrypt	PyDCrypt has attempted to execute with WMIC.^[137]
S0650	QakBot	QakBot can execute WMI queries to gather information.^[138]
S1130	Raspberry Robin	Raspberry Robin can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.^[139]
S0241	RATANKBA	RATANKBA uses WMI to perform process monitoring.^[140]^[141]
S0375	Remexi	Remexi executes received commands with wmic.exe (for WMI commands). ^[142]
S0496	REvil	REvil can use WMI to monitor for and kill specific processes listed in its configuration file.^[143]^[144]
S0270	RogueRobin	RogueRobin uses various WMI queries to check if the sample is running in a sandbox.^[145]^[146]
G0034	Sandworm Team	Sandworm Team has used Impacket’s WMIexec module for remote code execution and VBScript to run WMI queries.^[5]^[147]
S1085	Sardonic	Sardonic can use WMI to execute PowerShell commands on a compromised machine.^[148]
S0546	SharpStage	SharpStage can use WMI for execution.^[112]^[149]
S1178	ShrinkLocker	ShrinkLocker uses WMI to query information about the victim operating system.^[150]
S0589	Sibot	Sibot has used WMI to discover network connections and configurations. Sibot has also used the Win32_Process class to execute a malicious DLL.^[151]
S0692	SILENTTRINITY	SILENTTRINITY can use WMI for lateral movement.^[152]
S1086	Snip3	Snip3 can query the WMI class `Win32_ComputerSystem` to gather information.^[153]
S1124	SocGholish	SocGholish has used WMI calls for script execution and system profiling.^[154]
C0024	SolarWinds Compromise	During the SolarWinds Compromise, APT29 used WMI for the remote execution of files for lateral movement.^[155]^[156]
G0038	Stealth Falcon	Stealth Falcon malware gathers system information via Windows Management Instrumentation (WMI).^[157]
S0380	StoneDrill	StoneDrill has used the WMI command-line (WMIC) utility to run tasks.^[158]
S0603	Stuxnet	Stuxnet used WMI with an `explorer.exe` token to execute on a remote share.^[159]
S0559	SUNBURST	SUNBURST used the WMI query `Select * From Win32_SystemDriver` to retrieve a driver listing.^[160]
S1064	SVCReady	SVCReady can use `WMI` queries to detect the presence of a virtual machine environment.^[161]
S0663	SysUpdate	SysUpdate can use WMI for execution on a compromised host.^[162]
G1018	TA2541	TA2541 has used WMI to query targeted systems for security products.^[163]
S1193	TAMECAT	TAMECAT has used Windows Management Instrumentation (WMI) to query anti-virus products.^[14]
G0027	Threat Group-3390	A Threat Group-3390 tool can use WMI to execute a binary.^[164]
G1022	ToddyCat	ToddyCat has used WMI to execute scripts for post exploit document collection.^[165]
S0386	Ursnif	Ursnif droppers have used WMI classes to execute PowerShell commands.^[166]
S0476	Valak	Valak can use `wmic process call create` in a scheduled task to launch plugins and for execution.^[167]
G1047	Velvet Ant	Velvet Ant used the `wmiexec.py` tool within Impacket for remote process execution via WMI.^[82]
G1017	Volt Typhoon	Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.^[168]^[169]^[170]^[171]
S0366	WannaCry	WannaCry utilizes `wmic` to delete shadow copies.^[172]^[173]^[174]
G0112	Windshift	Windshift has used WMI to collect information about target machines.^[175]
G0102	Wizard Spider	Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. Wizard Spider has also used batch scripts to leverage WMIC to deploy ransomware.^[176]^[177]^[178]^[179]^[180]
S0251	Zebrocy	One variant of Zebrocy uses WMI queries to gather information.^[181]

Mitigations

ID	Mitigation	Description
M1040	Behavior Prevention on Endpoint	On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. ^[182]
M1038	Execution Prevention	Use application control configured to block execution of `wmic.exe` if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the `wmic.exe` application and to prevent abuse.^[183]
M1026	Privileged Account Management	Prevent credential overlap across systems of administrator and privileged accounts. ^[184]
M1018	User Account Management	By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI.

Detection

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments for actions that are used to perform remote behavior. Analytic 1 - Look for wmic.exeexecution with arguments indicative of remote process creation. index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational\| eval CommandLine=coalesce(CommandLine, ParentCommandLine)\| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)\| search ProcessName IN ("wmic.exe", "powershell.exe", "wbemtool.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe")\| search CommandLine IN ("process call create", "shadowcopy delete", "process start", "createobject")\| stats count by _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, dest, src_ip, dest_ip\| eval alert_message="Suspicious WMI activity detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine\| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR CommandLine="wmic shadowcopy delete" AND src_ip="trusted_ip_range")\| table _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, src_ip, dest_ip, alert_message
DS0029	Network Traffic	Network Connection Creation	Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests are over RPC it connects to a DCOM interface within the RPC group `netsvcs`. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted. After the WMI connection has been initialized, a process can be remotely launched using the command: `wmic /node:"" process call create ""`, which is detected in the third Detection Pseudocode. This leaves artifacts at both a network (RPC) and process (command line) level. When `wmic.exe` (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the the remote machine. After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified. When the command line is executed, it has the parent process of `C:\windows\system32\wbem\WmiPrvSE.exe`. This analytic looks for these two events happening in sequence, so that the network connection and target process are output. Certain strings can be identifiers of the WMI by looking up the interface UUID for `IRemUnknown2` in different formats- UUID `00000143-0000-0000-c000-000000000046` (decoded)- Hex `43 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46` (raw)- ASCII `CF` (printable text only) This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. The transfer syntax is- UUID `8a885d04-1ceb-11c9-9fe8-08002b104860` (decoded)- Hex `04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60` (raw)- ASCII `]+H`` (printable text only) Thus, a great ASCII based signature is- `CF]+HCFCFhost"` Note: To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted. Analytic 1 - Monitor for WMI over RPC (DCOM) connections. Look for the string RPCSS within the initial RPC connection on port 135/tcp. index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Microsoft-Windows-Security-Auditing\| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)\| search ProcessName IN ("wmic.exe", "powershell.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe", "wbemtool.exe")\| search CommandLine IN ("process call create", "win32_process", "win32_service", "shadowcopy delete", "network")\| search (sourcetype="WinEventLog:Security" EventCode=4688) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)\| join ProcessName [ search index=windows_logs sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3 \| eval DestinationIp = coalesce(DestinationIp, dest_ip)\| eval DestinationPort = coalesce(DestinationPort, dest_port)\| search DestinationPort IN (135, 5985, 5986) ]\| stats count by _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, dest, src_ip, dest_ip\| eval alert_message="Suspicious WMI Network Connection Detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine + " connecting to " + DestinationIp + ":" + DestinationPort\| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR (src_ip="trusted_ip_range" AND DestinationIp="trusted_ip_range"))\| table _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, src_ip, dest_ip, alert_message
DS0009	Process	Process Creation	Monitor for newly constructed processes and/or command-lines of "wmic". If the command line utility `wmic.exe` is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like `wmic.exe /node:"\<hostname>" process call create "\<command line>"`. It is possible to also connect via IP address, in which case the string `"\<hostname>"` would instead look like IP Address. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell. Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). Besides executing arbitrary processes, wmic.exe can also be used to executed data stored in NTFS alternate data streams NTFS File Attributes.Looks for instances of wmic.exe as well as the substrings in the command line:- process call create- /node: Analytic 1 - Detect wmic.exeprocess creation with command lines containing process call create or /node:. `index=security sourcetype="WinEventLog:Security" (EventCode=4688 OR EventCode=4656 OR EventCode=4103 OR EventCode=800) \| eval command_line = coalesce(CommandLine, ParentCommandLine) \| where (ProcessName="wmic.exe" AND (command_line LIKE "%/node:%" OR command_line LIKE "%process call create%"))OR (command_line LIKE "Invoke-WmiMethod" OR command_line LIKE "Get-WmiObject" OR command_line LIKE "gwmi" OR command_line LIKE "win32_process")`
DS0005	WMI	WMI Creation	Monitor for newly constructed WMI objects that will execute malicious commands and payloads. Analytic 1 - WMI object creation events `index=security sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" (EventCode=5861 OR EventCode=5857 OR EventCode=5858) \| eval CommandLine = coalesce(CommandLine, ParentCommandLine) \| where (EventCode=5861 AND (CommandLine LIKE "create" OR CommandLine LIKE "process")) OR (EventCode=5857 AND (CommandLine LIKE "exec" OR CommandLine LIKE "invoke")) OR (EventCode=5858 AND (CommandLine LIKE "payload" OR CommandLine LIKE "wmic"))`

References

Microsoft. (2023, March 7). Retrieved February 13, 2024.
Mandiant. (n.d.). Retrieved February 13, 2024.
Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024.
Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024.
Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.
Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024.
Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
SecureAuth. (n.d.). Retrieved January 15, 2019.
Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.

Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025.
Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.
Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.
Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.

Website Changelog

Cookie Preferences

HOME
ABOUT
AUCTIONS
SHIPPING
FEES
TOOLS
HOW
FAQ
CONTACT

Original Source | Taken Source