Block Windows Management Instrumentation (WMI) Service (CM0013)

In Playbook

Details

  • ID: CM0013
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Disable
  • Status: Active

Intended Outcome

Blocking the Windows Management Instrumentation (WMI) service blocks adversary discovery, persistence, and lateral movement using WMI.

Introduction

WMI is the infrastructure for management data and operations on Windows-based operating systems. WMI may be used for incident response. For example, the opensource incident response tool CimSweep relies on CIM/WMI to perform incident response and hunting operations on Windows. By blocking endpoint access via WMI, adversaries will have one less means of moving laterally and execute payloads across the environment.

Preparation

  • Determine the scope of the impact that blocking WMI would have on operations and prepare contingency plan should unintended disruption occur.

Risks

  • This countermeasure may block legitimate activity.
  • Blocking WMI may prevent administrators from taking necessary actions, such as performing automated software updates, and may prevent hunting and IR tools from operating.
  • Consider the impact on the enterprise environment and the incident response before blocking WMI.

Guidance

  • WMI should be blocked to inhibit communication from workstation to workstation and blocked between workstations and non-Domain Controllers and File Servers.
  • The Group Management Console can be used to create a GPO to block WMI remote use. This can be achieved by configuring Windows Firewall to restrict inbound communications for WMI or by assigning a static DCOM port for WMI and blocking it (the default static port in this case is TCP 24158).

References

  • ID: CM0013
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Disable