Windows Management Instrumentation (T1047)

Technique & Subtechniques

  • Windows Management Instrumentation

Associated Tactics

  • Execution

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Procedure Examples

| Description | Source(s) |
| --- | --- |
| Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. | FireEye WMI 2015 |
| Mandiant. (n.d.). Retrieved February 13, 2024. | Mandiant WMI |
| Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024. | WMI 6 |
| Microsoft. (2023, March 7). Retrieved February 13, 2024. | WMI 1-3 |
| Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024. | WMI 7,8 |