How to Defend Against Windows Management Instrumentation Attacks

The Windows Management Instrumentation (WMI) protocol – infrastructure on a Windows-based operating system – is used for management data and operations. It provides a uniform interface for local or remote applications or scripts to obtain management data from a computer system, network, or enterprise; the interface is designed so that WMI client applications and scripts do not have to call a wide variety of OS application programming interfaces (APIs).

Since its introduction, system administrators have used WMI to automate tasks and remotely manage systems in their environment. The same capabilities that attract administrators and developers to WMI also attract cyber threat actors (CTAs). CTAs often use WMI to deploy and execute various malware.

In response, the Center for Internet Security (CIS) has developed guidance, Commonly Exploited Protocols: Windows Management Instrumentation, to help enterprises mitigate these risks.

Common Windows Management Instrumentation Attacks

For attackers, there are some advantages to using WMI. Attackers often prefer to take easier and pre-existing vectors to conduct attacks, rather than creating specialized or unique tools. WMI is a native tool installed on all Windows-operated systems dating back to Windows 95 and NT 4.0. Another advantage for attackers is that WMI allows them a stealthier method of executing attacks. Many permanent events run as SYSTEM and payloads are written to the WMI repository as opposed to disk. Additionally, defenders can, generally, be unaware of WMI as a multi-purpose vector.

WMI is a powerful tool that attackers can use for various phases of the attack lifecycle. The native tool provides numerous objects, methods, and events that can be used for reconnaissance, detection of anti-virus (AV) or virtual machine (VM) products, code execution, lateral movement, covert data storage, and persistence without introducing a file to disk. Commonly Exploited Protocols: Windows Management Instrumentation uses the MITRE ATT&CK framework to identify how WMI can be used in an attack and introduces accompanying defensive approaches. While the list is not exhaustive, the guide provides recommendations that will defend against WMI attacks.

Securing WMI

Commonly Exploited Protocols: Windows Management Instrumentation leverages security best practices from the CIS Critical Security Controls (CIS Controls) and secure configuration recommendations from the CIS Benchmarks to help enterprises implement and secure the use of WMI.

The guide introduces several recommendations for securing WMI, many of which are low or no cost to an organization, and provides techniques and examples of how they can be executed for tactics included in the MITRE ATT&CK framework:

  • Reconnaissance
  • Discovery
  • Defense Evasion
  • Execution
  • Persistence
  • Lateral Movement
  • Command and Controls
  • Exfiltration

Additionally, the guide highlights which CIS Controls and/or CIS Benchmarks are capable of protecting against and detecting WMI-based attacks.

By implementing the recommendations provided in Commonly Exploited Protocols: Windows Management Instrumentation, enterprises can confidently strengthen their cybersecurity posture while protecting their assets.