WMI attacks exploit the legitimate Windows Management Instrumentation (WMI) framework to perform malicious actions—often stealthily and without writing files to disk. Here’s a comprehensive breakdown:

🧠 What Is WMI?

Windows Management Instrumentation (WMI) is a built-in Windows feature that allows administrators and applications to query and manage system components. It’s used for:

• Gathering system information
• Executing commands
• Managing services and processes
• Automating administrative tasks

Because WMI is native and powerful, attackers love it too.

🧨 How Attackers Use WMI

🔹 Execution

• Run commands or malware without dropping files
• Example:

  Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "notepad.exe"
  

🔹 Persistence

• Create WMI event subscriptions that trigger malicious code on system events (e.g., login, reboot)
• These run as SYSTEM and are hard to detect

🔹 Lateral Movement

• Use WMI to execute commands on remote systems
• Example:

  wmic /node:RemotePC process call create "cmd.exe /c whoami"
  

🔹 Reconnaissance

• Query system info, AV status, network config, etc.
• Example:

  Get-WmiObject -Class Win32_OperatingSystem
  

🔹 Defense Evasion

• Fileless execution avoids traditional antivirus detection
• WMI activity blends in with legitimate admin tasks

🛡️ How to Defend Against WMI Attacks

• Monitor WMI activity: Use tools like Sysmon, Windows Event Logs, and EDR solutions
• Audit WMI subscriptions: Check for suspicious permanent event consumers
• Limit remote WMI access: Use firewall rules and access controls
• Use PowerShell logging: Enable script block and module logging
• Apply CIS Benchmarks: Harden WMI settings using CIS guidance

📚 Learn More

• MITRE ATT&CK Technique T1047 – WMI Abuse
• Cyber Triage’s WMI Malware Guide
• CIS Security Blog on WMI Defense