Description
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.
The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model and Windows Remote Management.(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)
An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as Execution of commands and payloads.(Citation: Mandiant WMI) For example, wmic.exe can be abused by an adversary to delete shadow copies with the command wmic.exe Shadowcopy Delete (i.e., Inhibit System Recovery).(Citation: WMI 6)
Note: wmic.exe is deprecated as of January 2024, with the WMIC feature being "disabled by default" on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by PowerShell as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like wbemtool.exe, COM APIs can also be used to programmatically interact with WMI from C++, .NET, VBScript, etc.(Citation: WMI 7,8)
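As an added illustration (not part of the ATT&CK entry), the following PowerShell runs a simple detection over constructed Sysmon Event ID 1 style process-creation records: it flags children of the WMI Provider Host (WmiPrvSE.exe, which launches processes created through WMI locally or from a remote DCOM/WinRM caller) and the wmic.exe command patterns named on this page. The field names, sample records and function name are assumptions; in production the records would come from Get-WinEvent.

```powershell
# Constructed sample records shaped like Sysmon Event ID 1 (process creation).
$sampleEvents = @(
    [pscustomobject]@{ Image='C:\Windows\System32\cmd.exe';       ParentImage='C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine='cmd.exe /c whoami';         User='CORP\svc-backup' },
    [pscustomobject]@{ Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\System32\cmd.exe';          CommandLine='wmic.exe shadowcopy delete'; User='CORP\jdoe' },
    [pscustomobject]@{ Image='C:\Windows\System32\wbem\WMIC.exe'; ParentImage='C:\Windows\explorer.exe';              CommandLine='wmic os get caption';        User='CORP\jdoe' },
    [pscustomobject]@{ Image='C:\Windows\System32\notepad.exe';   ParentImage='C:\Windows\explorer.exe';              CommandLine='notepad.exe';                User='CORP\jdoe' }
)

function Test-WmiExecutionEvent {
    # Returns the list of reasons a record looks like WMI-based execution (empty if none).
    param([Parameter(Mandatory)] $Event)
    $reasons = @()

    # Win32_Process.Create launches its child under the WMI Provider Host,
    # regardless of whether the caller was local or remote (DCOM 135 / WinRM 5985-5986).
    if ($Event.ParentImage -match '\\WmiPrvSE\.exe$') {
        $reasons += 'process spawned by WmiPrvSE.exe (WMI-initiated execution)'
    }

    if ($Event.Image -match '\\wmic\.exe$') {
        # Shadow copy deletion via WMIC (Inhibit System Recovery), as described above.
        if ($Event.CommandLine -match 'shadowcopy\s+delete') {
            $reasons += 'wmic shadowcopy delete (Inhibit System Recovery)'
        }
        # Process creation through WMIC, the pattern several groups on this page use.
        if ($Event.CommandLine -match 'process\s+call\s+create') {
            $reasons += 'wmic process call create'
        }
    }
    return $reasons
}

# Report only the records that triggered at least one reason.
$sampleEvents | ForEach-Object {
    $hits = @(Test-WmiExecutionEvent -Event $_)
    if ($hits.Count -gt 0) {
        [pscustomobject]@{ User = $_.User; Image = $_.Image; Reasons = ($hits -join '; ') }
    }
} | Format-Table -AutoSize
```

The benign `wmic os get caption` record is deliberately not flagged, since plain WMIC queries are common in legitimate administration; tune the parent-image rule against your own baseline before alerting on it.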
Platforms
Mitigations (4)
Privileged Account Management (M1026)
Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. (Citation: win10_asr)
User Account Management (M1018)
By default, only administrators are allowed to connect remotely using WMI. Restrict which other users are allowed to connect, or disallow remote WMI connections entirely.
Execution Prevention (M1038)
Use application control configured to block execution of wmic.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the wmic.exe application and to prevent abuse.(Citation: Microsoft WD
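As an added example of the M1040 mitigation (this code is not from the ATT&CK entry or from Microsoft), the PowerShell below enables the Microsoft Defender ASR rule "Block process creations originating from PSExec and WMI commands" and reports its state. It assumes an elevated session on a host running Microsoft Defender Antivirus; the function names are hypothetical. Because many legitimate tools use WMI for execution, it defaults to audit mode so affected tools surface in the Defender operational log before switching to block.

```powershell
# GUID of the ASR rule "Block process creations originating from PSExec and WMI commands".
$WmiProcessCreationRule = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Get-AsrRuleState {
    # Reads the configured action for one ASR rule from Defender preferences.
    param([Parameter(Mandatory)][string] $RuleId)
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            # Action codes stored by Defender: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
            switch ($actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-WmiProcessCreationRule {
    # Rolls the rule out in AuditMode first (events appear as Defender Event ID 1122),
    # then call again with -Action Enabled once legitimate WMI-driven tools are excluded.
    param([ValidateSet('AuditMode','Enabled','Disabled')][string] $Action = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids     $WmiProcessCreationRule `
                     -AttackSurfaceReductionRules_Actions $Action
    "Rule $WmiProcessCreationRule is now: $(Get-AsrRuleState -RuleId $WmiProcessCreationRule)"
}

# Usage: audit first, review Event ID 1122 hits, then enforce.
Set-WmiProcessCreationRule -Action AuditMode
# Set-WmiProcessCreationRule -Action Enabled
```

Blocked (Enabled) events are logged as Defender Event ID 1121; a rule managed by Group Policy or Intune will override the local preference set here.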
Threat Groups (42)
| ID | Group | Context |
|---|---|---|
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has used [Impacket](https://attack.mitre.org/software/S0357) for lateral movement via WMI.(C... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized Windows Management Instrumentation to query system information.(Citation: Palo Alto... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used WMIC to deploy ransomware.(Citation: Cybereason INC Ransomware November 2023)(Citation: H... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used WMI to execute scripts used for discovery and for determining the C2 IP address.(Cit... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used WMI to deploy their tools on remote machines and to gather information about the Outlook process.(... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has executed PowerShell scripts via WMI.(Citation: Anomali MUSTANG PANDA October 2019)(Citation... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware that leveraged WMI for execution and querying host information.(Citation: Securel... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI and LDAP queries for network discovery and to move laterally. [Wizard Spider](http... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized WMIC to log into the victim host and create a process `process call create “cmd.e... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used WMI for execution.(Citation: Proofpoint Leviathan Oct 2017) |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) used the `wmiexec.py` tool within [Impacket](https://attack.mitre.org/software/S0357) for remote p... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has used WMI to execute PowerShell.(Citation: Zscaler BlindEagle DEC 2025) |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used WMI to install malware on targeted systems.(Citation: eSentire FIN7 July 2021) |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used WMI for execution to assist in lateral movement as well as for installing tools across multiple ... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has leveraged WMIC for execution, remote system discovery, and to create and use temporary direc... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used wmic.exe to set environment variables.(Citation: RedCanary Mockingbird May 2020) |
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used WMIC.exe for lateral movement.(Citation: Bitdefender Naikon April 2021) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used WMIC for discovery as well as to execute payloads for persistence and lateral movement... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used WMI to enable lateral movement.(Citation: Cisco LotusBlossom 2025) |
Associated Software (93)
| ID | Name | Type | Context |
|---|---|---|---|
| S1085 | Sardonic | Malware | [Sardonic](https://attack.mitre.org/software/S1085) can use WMI to execute PowerShell commands on a compromised machine.(Citation: Bitdefender Sardoni... |
| S0688 | Meteor | Malware | [Meteor](https://attack.mitre.org/software/S0688) can use `wmic.exe` as part of its effort to delete shadow copies.(Citation: Check Point Meteor Aug 2... |
| S0270 | RogueRobin | Malware | [RogueRobin](https://attack.mitre.org/software/S0270) uses various WMI queries to check if the sample is running in a sandbox.(Citation: Unit 42 DarkH... |
| S9035 | LAMEHUG | Malware | [LAMEHUG](https://attack.mitre.org/software/S9035) can use wmic to collect system information.(Citation: Splunk LAMEHUG SEP 2025) |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) used the WMI query <code>Select * From Win32_SystemDriver</code> to retrieve a driver listing.(Cit... |
| S0089 | BlackEnergy | Malware | A [BlackEnergy](https://attack.mitre.org/software/S0089) 2 plug-in uses WMI to gather victim host details.(Citation: Securelist BlackEnergy Feb 2015) |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) can use WMI to open a Windows command shell on a remote machine.(Citation: Bitdefender FunnyDrea... |
| S0283 | jRAT | Malware | [jRAT](https://attack.mitre.org/software/S0283) uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall det... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has used WMI to execute powershell.exe.(Citation: Carbon Black Emotet Apr 2019) |
| S9031 | AshTag | Malware | [AshTag](https://attack.mitre.org/software/S9031) can use a .NET program to execute WMI queries and send unique victim IDs to C2.(Citation: Palo Alto... |
| S0618 | FIVEHANDS | Malware | [FIVEHANDS](https://attack.mitre.org/software/S0618) can use WMI to delete files on a target machine.(Citation: FireEye FiveHands April 2021)(Citatio... |
| S0251 | Zebrocy | Malware | One variant of [Zebrocy](https://attack.mitre.org/software/S0251) uses WMI queries to gather information.(Citation: Unit42 Sofacy Dec 2018) |
| S0256 | Mosquito | Malware | [Mosquito](https://attack.mitre.org/software/S0256)'s installer uses WMI to search for antivirus display names.(Citation: ESET Turla Mosquito Jan 2018... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has used wmi queries to gather information from the system.(Citation: Bitdefender Agent Tesla A... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) has a number of modules that use WMI to execute tasks.(Citation: GitHub PoshC2) |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can use WMI to gather system information and to spawn processes for code injection.(Citation: Goo... |
| S1028 | Action RAT | Malware | [Action RAT](https://attack.mitre.org/software/S1028) can use WMI to gather AV products installed on an infected host.(Citation: MalwareBytes SideCopy... |
| S1155 | Covenant | Tool | [Covenant](https://attack.mitre.org/software/S1155) can utilize WMI to install new Grunt listeners through XSL files or command one-liners.(Citation: ... |
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has used WMI to gather information about the system.(Citation: Cyphort EvilBunny Dec 2014) |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) used WMI with an <code>explorer.exe</code> token to execute on a remote share.(Citation: Nicolas Fa... |
References
- Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- Mandiant. (n.d.). Retrieved February 13, 2024.
- Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024.
- Microsoft. (2023, March 7). Retrieved February 13, 2024.
- Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024.
Frequently Asked Questions
What is T1047 (Windows Management Instrumentation)?
T1047 is a MITRE ATT&CK technique named 'Windows Management Instrumentation'. It belongs to the Execution tactic(s). Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations...
How can T1047 be detected?
Detection of T1047 (Windows Management Instrumentation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1047?
There are 4 documented mitigations for T1047. Key mitigations include: Privileged Account Management, Behavior Prevention on Endpoint, User Account Management, Execution Prevention.
Which threat groups use T1047?
Known threat groups using T1047 include: Cinnamon Tempest, Medusa Group, menuPass, INC Ransom, Gamaredon Group, APT32, Mustang Panda, MuddyWater.