suspicious_wmi_use.yml

name: Suspicious WMI Use
id: c8ddc5be-69bc-4202-b3ab-4010b27d7ad5
version: 2
date: '2018-10-23'
author: Rico Valdez, Splunk
description: Attackers are increasingly abusing Windows Management Instrumentation
  (WMI), a framework and associated utilities available on all modern Windows operating
  systems. Because WMI can be leveraged to manage both local and remote systems, it
  is important to identify the processes executed and the user context within which
  the activity occurred.
narrative: 'WMI is a Microsoft infrastructure for management data and operations on
  Windows operating systems. It includes of a set of utilities that can be leveraged
  to manage both local and remote Windows systems. Attackers are increasingly turning
  to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance,
  detection of antivirus and virtual machines, code execution, lateral movement, persistence,
  and data exfiltration. 
  The detection searches included in this Analytic Story are used to look for suspicious
  use of WMI commands that attackers may leverage to interact with remote systems.
  The searches specifically look for the use of WMI to run processes on remote systems.
  In the event that unauthorized WMI execution occurs, it will be important for analysts
  and investigators to determine the context of the event. These details may provide
  insights related to how WMI was used and to what end.'
references:
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html
tags:
  analytic_story: Suspicious WMI Use
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection