How to Defend Against Windows Management Instrumentation Attacks

Windows Management Instrumentation (WMI) is the infrastructure on Windows-based operating systems for management data and operations. It provides a uniform interface through which local or remote applications and scripts obtain management data from a computer system, network, or enterprise; the interface is designed so that WMI client applications and scripts do not have to call a wide variety of operating system application programming interfaces (APIs).

Since its introduction, system administrators have used WMI to automate tasks and remotely manage systems in their environment. The same capabilities that attract administrators and developers to WMI also attract cyber threat actors (CTAs). CTAs often use WMI to deploy and execute various malware.

In response, the Center for Internet Security (CIS) has developed guidance, Commonly Exploited Protocols: Windows Management Instrumentation, to help enterprises mitigate these risks.

Common Windows Management Instrumentation Attacks

For attackers, WMI offers several advantages. Attackers often prefer easier, pre-existing vectors to conduct attacks rather than creating specialized or unique tools, and WMI is a native tool installed on all Windows systems dating back to Windows 95 and NT 4.0. WMI also gives attackers a stealthier method of execution: many permanent event subscriptions run as SYSTEM, and their payloads are stored in the WMI repository rather than written to disk. Additionally, defenders are often unaware of WMI as a multi-purpose attack vector.

WMI is a powerful tool that attackers can use in various phases of the attack lifecycle. The native tool provides numerous objects, methods, and events that can be used for reconnaissance, detection of anti-virus (AV) or virtual machine (VM) products, code execution, lateral movement, covert data storage, and persistence, all without introducing a file to disk. Commonly Exploited Protocols: Windows Management Instrumentation uses the MITRE ATT&CK framework to identify how WMI can be used in an attack and introduces accompanying defensive approaches. While the list is not exhaustive, the guide provides recommendations that help defend against WMI attacks.
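One way a defender can audit the persistence mechanism described above, as an added PowerShell example that is not part of the CIS guide or this post: it enumerates the __EventFilter, __FilterToConsumerBinding and command-line/script consumer instances in the root/subscription namespace and, on Windows 10 / Server 2016 and later, pulls recent event ID 5861 records (permanent subscription created) from the WMI-Activity log. It assumes an elevated PowerShell session on the host being audited and no third-party modules.

```powershell
# Added example (not from the CIS guide): list permanent WMI event subscriptions
# that bind a filter to a code-execution consumer. Assumes an elevated session.
$ns = 'root/subscription'

# Reference properties on __FilterToConsumerBinding arrive as CimInstance objects
# from Get-CimInstance but as path strings from older tooling; accept both.
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $Ref }
    }
    return $Ref.Name
}

# Consumer classes whose payload is an executable command or a script body.
$consumerClasses = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = foreach ($cls in $consumerClasses) {
    Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue
}
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    if (-not $c) { continue }   # e.g. NTEventLogEventConsumer: logs, does not execute

    # The payload lives in a different property depending on the consumer class.
    $payload = if ($c.CimClass.CimClassName -eq 'CommandLineEventConsumer') {
        $c.CommandLineTemplate
    } else { $c.ScriptText }

    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query            # the WQL trigger condition
        Consumer = "$($c.CimClass.CimClassName):$cName"
        Payload  = $payload            # review anything unexpected here
    }
}

# Windows 10 / Server 2016 and later record each new permanent subscription as
# event ID 5861 in this channel; recent entries are a second, historical signal.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Any binding whose payload is not a known, documented administrative task should be treated as a persistence finding and investigated before removal.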

Securing WMI

Commonly Exploited Protocols: Windows Management Instrumentation leverages security best practices from the CIS Critical Security Controls (CIS Controls) and secure configuration recommendations from the CIS Benchmarks to help enterprises implement and secure the use of WMI.

The guide introduces several recommendations for securing WMI, many of which are low or no cost to an organization, and provides techniques and examples of how they can be executed for tactics included in the MITRE ATT&CK framework:

  • Reconnaissance
  • Discovery
  • Defense Evasion
  • Execution
  • Persistence
  • Lateral Movement
  • Command and Control
  • Exfiltration

Additionally, the guide highlights which CIS Controls and/or CIS Benchmarks are capable of protecting against and detecting WMI-based attacks.

By implementing the recommendations provided in Commonly Exploited Protocols: Windows Management Instrumentation, enterprises can confidently strengthen their cybersecurity posture while protecting their assets.