CIS Controls Commonly Exploited Protocols Windows Management Instrumentation

This guide will focus on a commonly exploited protocol, Windows Management Instrumentation (WMI) Remote Protocol, and the Safeguards an enterprise can implement, in part or whole, to reduce their attack surface or detect anomalies associated with the exploitation of WMI. The goal is to deliver a set of best practices from the CIS Controls, CIS Benchmarks™, or additional guidance, that all enterprises can use to protect against WMI facilitated attacks.

This is accomplished by mapping WMI classes2 or events that CTAs can use to conduct attacks to the MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK® Framework v8.2). Specifically, the guide focuses on identifying ATT&CK Tactics, the “why” behind a CTA’s actions, and the ATT&CK Techniques or ATT&CK Sub-Techniques within those Tactics.