Description
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user login, or the computer's uptime.(Citation: Mandiant M-Trends 2015)
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.(Citation: FireEye WMI SANS 2015)(Citation: FireEye WMI 2015) Adversaries may also write the subscription as a Managed Object Format (MOF) file (.mof extension) and compile it with mofcomp.exe to create a malicious subscription.(Citation: Dell WMI Persistence)(Citation: Microsoft MOF May 2018)
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.
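The three objects described above (filter, consumer, binding) live in the root\subscription namespace and can be enumerated on any host. The script below is an added example, not code from the ATT&CK page or from any cited vendor: it inventories every permanent subscription, joins each binding to its filter and consumer, and flags the two consumer classes that execute arbitrary commands or scripts. The function name Get-WmiSubscriptionInventory is my own; the script assumes Windows PowerShell 3 or later (or PowerShell 7) with the CIM cmdlets and rights to read root\subscription.

```powershell
# Added example, not code from the ATT&CK page: inventory permanent WMI event
# subscriptions (filters, consumers and the bindings that join them) so a
# defender can review what is configured to fire and which entries run code.
# Assumes Windows PowerShell 3+ or PowerShell 7 with CIM cmdlets and rights to
# read root\subscription (local administrator).

function Get-WmiSubscriptionInventory {
    [CmdletBinding()]
    param(
        # Remote host is optional; defaults to the local machine.
        [string]$ComputerName
    )

    $cim = @{ Namespace = 'root\subscription'; ErrorAction = 'Stop' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # __EventConsumer is abstract; querying it returns instances of every
    # concrete consumer class (CommandLine, ActiveScript, NTEventLog, ...).
    $filters   = @(Get-CimInstance @cim -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @cim -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance @cim -ClassName __FilterToConsumerBinding)

    # Binding references arrive either as CimInstance objects (CIM cmdlets) or
    # as object-path strings such as __EventFilter.Name="x" (WMI cmdlets);
    # this helper extracts the Name from either form.
    $nameOf = {
        param($ref)
        if ($ref -is [string]) { $ref -replace '^.*Name="([^"]*)".*$', '$1' }
        else { [string]$ref.Name }
    }

    foreach ($b in $bindings) {
        $fName = & $nameOf $b.Filter
        $cName = & $nameOf $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $cClass = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }

        # Only these two consumer classes execute arbitrary commands or scripts;
        # NTEventLogEventConsumer, SMTPEventConsumer and LogFileEventConsumer
        # only write logs or send mail.
        $runsCode = $cClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

        # Pull whatever would actually run, depending on the consumer class.
        $payload = switch ($cClass) {
            'CommandLineEventConsumer' {
                if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ExecutablePath }
            }
            'ActiveScriptEventConsumer' {
                if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName }
            }
            default { $null }
        }

        [pscustomobject]@{
            FilterName    = $fName
            Query         = if ($f) { $f.Query } else { '<missing filter>' }
            ConsumerName  = $cName
            ConsumerClass = $cClass
            RunsCode      = $runsCode
            Payload       = $payload
        }
    }
}

# Usage: list everything, then show only subscriptions whose consumer executes code.
$inventory = Get-WmiSubscriptionInventory
$inventory | Format-Table FilterName, ConsumerClass, RunsCode -AutoSize
$inventory | Where-Object RunsCode | Format-List FilterName, Query, ConsumerName, Payload
```

A stock Windows install already carries one benign binding (the "SCM Event Log Filter" joined to the "SCM Event Log Consumer", an NTEventLogEventConsumer), so it will appear in the inventory and RunsCode will be false for it. Any CommandLineEventConsumer or ActiveScriptEventConsumer that the organisation did not deploy deserves a look at its filter query (what triggers it) and payload (what it launches); Sysinternals Autoruns, cited in the references, surfaces the same entries in its WMI tab.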
Mitigations (3)
User Account Management (M1018)
By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI.
Privileged Account Management (M1026)
Prevent credential overlap across systems of administrator and privileged accounts.(Citation: FireEye WMI 2015)
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent malware from abusing WMI to attain persistence.(Citation: win10_asr)
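The ASR rule that covers this technique is "Block persistence through WMI event subscription". The script below is an added example, not code from the ATT&CK page: it reads the rule's current state from Defender preferences and enables it, with an audit-only option for staging. The function names Get-AsrRuleState and Enable-WmiPersistenceAsrRule are my own; the rule GUID is the one Microsoft documents for this rule and should be checked against the current ASR reference before deployment. The script assumes Microsoft Defender Antivirus with real-time protection and an elevated session.

```powershell
# Added example, not code from the ATT&CK page: check the state of the Microsoft
# Defender ASR rule "Block persistence through WMI event subscription" and
# enable it. The rule ID below is the one Microsoft documents for this rule;
# verify it against the current ASR rule reference before rolling it out.
# Requires Microsoft Defender Antivirus with real-time protection and an
# elevated session; settings pushed by Intune or Group Policy take precedence
# over local changes made here.

$WmiPersistenceRuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)

    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; the numeric action codes map as below.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ RuleId = $RuleId; Action = $actionName[$code]; Code = $code }
        }
    }
    # Rule not present in the preference arrays at all.
    return [pscustomobject]@{ RuleId = $RuleId; Action = 'NotConfigured'; Code = $null }
}

function Enable-WmiPersistenceAsrRule {
    param(
        # Start in AuditMode to see what would be blocked, then move to Enabled.
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$Mode = 'Enabled'
    )
    $before = Get-AsrRuleState -RuleId $WmiPersistenceRuleId
    if ($before.Action -eq 'Block' -and $Mode -eq 'Enabled') {
        Write-Host "Rule $WmiPersistenceRuleId is already in Block mode; nothing to do."
        return $before
    }
    # Add-MpPreference appends or updates this one rule without touching others.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WmiPersistenceRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
    Get-AsrRuleState -RuleId $WmiPersistenceRuleId
}

# Usage: inspect, stage in audit mode, then enforce.
Get-AsrRuleState -RuleId $WmiPersistenceRuleId
Enable-WmiPersistenceAsrRule -Mode AuditMode
Enable-WmiPersistenceAsrRule
```

Once the rule is active, attempts it stops or would have stopped are written to the Microsoft-Windows-Windows Defender/Operational log (event ID 1121 for blocks, 1122 for audit hits), which gives a feed for the SIEM rules mentioned in the detection guidance below.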
Threat Groups (10)
| ID | Group | Context |
|---|---|---|
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured f... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used WMI event subscriptions for persistence.(Citation: Mandiant No Easy Breach) |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used WMI event subscriptions for persistence.(Citation: Kaspersky Lyceum October 2021) |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used WMI event subscriptions for persistence.(Citation: Bitdefender FIN8 July 2021) |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used WMI for persistence.(Citation: FireEye Periscope March 2018) |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used WMI event filters and consumers to establish persistence.(Citation: ESET Turla PowerShell May ... |
| G1013 | Metador | [Metador](https://attack.mitre.org/groups/G1013) has established persistence through the use of a WMI event subscription combined with unusual living-... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: M... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129)'s custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRO... |
| G0075 | Rancor | [Rancor](https://attack.mitre.org/groups/G0075) has compiled VBScript-generated MOF files into WMI event subscriptions for persistence.(Citation: Ranc... |
Associated Software (13)
| ID | Name | Type | Context |
|---|---|---|---|
| S1085 | Sardonic | Malware | [Sardonic](https://attack.mitre.org/software/S1085) can use a WMI event filter to invoke a command-line event consumer to gain persistence.(Citation: ... |
| S1059 | metaMain | Malware | [metaMain](https://attack.mitre.org/software/S1059) registered a WMI event subscription consumer called "hard_disk_stat" to establish persistence.(Cit... |
| S0511 | RegDuke | Malware | [RegDuke](https://attack.mitre.org/software/S0511) can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can create a WMI Event to execute a payload for persistence.(Citation: GitHub SILENTTRINITY M... |
| S0376 | HOPLIGHT | Malware | [HOPLIGHT](https://attack.mitre.org/software/S0376) can use WMI event subscriptions to create persistence.(Citation: US-CERT HOPLIGHT Apr 2019) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can use WMI event subscriptions for persistence.(Citation: BitDefender BADHATCH Mar 2021) |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can compile randomly-generated MOF files into the WMI repository to persistently run malware.(Citatio... |
| S0202 | adbupd | Malware | [adbupd](https://attack.mitre.org/software/S0202) can use a WMI script to achieve persistence.(Citation: Microsoft PLATINUM April 2016) |
| S0053 | SeaDuke | Malware | [SeaDuke](https://attack.mitre.org/software/S0053) uses an event filter in WMI code to execute a previously dropped executable shortly after system st... |
| S0150 | POSHSPY | Malware | [POSHSPY](https://attack.mitre.org/software/S0150) uses a WMI event subscription to establish persistence.(Citation: FireEye POSHSPY April 2017) |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) has the ability to persist on a system using WMI events.(Citation: GitHub PoshC2) |
| S0682 | TrailBlazer | Malware | [TrailBlazer](https://attack.mitre.org/software/S0682) has the ability to use WMI for persistence.(Citation: CrowdStrike StellarParticle January 2022) |
| S0371 | POWERTON | Malware | [POWERTON](https://attack.mitre.org/software/S0371) can use WMI for persistence.(Citation: FireEye APT33 Guardrail) |
References
- Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- Dell SecureWorks Counter Threat Unit™ (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.
- Devon Kerr. (2015). There's Something About WMI. Retrieved November 17, 2024.
- French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.
- French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020.
- Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved November 17, 2024.
- Microsoft. (n.d.). Retrieved January 24, 2020.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
- Satran, M. (2018, May 30). Managed Object Format (MOF). Retrieved January 24, 2020.
Frequently Asked Questions
What is T1546.003 (Windows Management Instrumentation Event Subscription)?
T1546.003 is a MITRE ATT&CK technique named 'Windows Management Instrumentation Event Subscription'. It belongs to the Privilege Escalation, Persistence tactic(s). Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event...
How can T1546.003 be detected?
Detection of T1546.003 (Windows Management Instrumentation Event Subscription) typically involves monitoring for the creation or modification of WMI event filters, consumers, and filter-to-consumer bindings, for execution of mofcomp.exe, and for processes spawned by the WMI Provider Host (WmiPrvSe.exe), using system logs, endpoint telemetry, and network traffic. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1546.003?
There are 3 documented mitigations for T1546.003. Key mitigations include: User Account Management, Privileged Account Management, Behavior Prevention on Endpoint.
Which threat groups use T1546.003?
Known threat groups using T1546.003 include: Blue Mockingbird, APT29, HEXANE, FIN8, Leviathan, Turla, Metador, APT33.