DETECTION OVERVIEW
Risk Factors
A successful WMI query requires local or domain administrator privileges, which makes this enumeration technique less common than other enumeration techniques. Enumeration activity typically does not degrade network performance, but attackers can use the information it yields to advance an attack campaign.
The system might change the risk score for this detection.
Kill Chain
Risk Score
38
Windows Management Instrumentation (WMI) is installed by default on Windows operating systems and enables administrators to remotely access services and collect management data from devices. An administrator can submit a query through WMI to retrieve WMI object data from remote devices. A WMI query has a structure similar to a SQL query (data is stored in tables with a row-column structure). An attacker with administrator privileges can submit a query to collect detailed system information about a target. For example, the WMI query SELECT * FROM AntiVirusProduct can identify antivirus software running on the target.
Block access to WMI or restrict access to authorized IP addresses in Windows firewall settings
Limit the number of administrator accounts that have WMI privileges
Separate credentials for administrators by the type of remote activity
Restrict access to specific WMI namespaces to only the relevant administrative user accounts
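The following is an added example, not part of this detection documentation or of any product's detection logic. It ties the description of WMI query structure above to the mitigation of restricting WMI to authorized IP addresses: it parses the SELECT ... FROM ... [WHERE ...] shape of a WMI query to recover the class being enumerated, then flags remote queries that come from hosts outside an assumed administrator allowlist or that target classes revealing security posture or accounts. The log line format, the allowlist, and the watchlist of classes beyond AntiVirusProduct are constructed assumptions for illustration; Win32_OperatingSystem, Win32_UserAccount, Win32_Process and Win32_Service are standard WMI classes, chosen here as sample values.

```python
"""Flag remote WMI queries from unauthorized hosts or against sensitive classes.

Added example for illustration only. The log record format, the allowlist and
the sensitive-class watchlist are constructed assumptions, not any product's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed allowlist: hosts from which remote WMI administration is expected.
# Mirrors the recommendation to restrict WMI access to authorized IP addresses.
AUTHORIZED_ADMIN_HOSTS: Set[str] = {"10.0.0.5", "10.0.0.6"}

# Classes whose enumeration reveals security posture or account details.
# AntiVirusProduct is the class named in the description; the others are
# standard Win32 classes picked here as an assumed watchlist.
SENSITIVE_CLASSES: Set[str] = {
    "antivirusproduct", "win32_operatingsystem", "win32_useraccount", "win32_process",
}

# Minimal grammar of a WMI query: SELECT <fields> FROM <class> [WHERE <filter>]
WQL_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<cls>[A-Za-z0-9_]+)"
    r"(?:\s+WHERE\s+(?P<where>.*))?\s*$",
    re.IGNORECASE | re.DOTALL,
)

# Constructed log record format (not any specific product's output):
#   client=<ip> server=<host> user=<DOMAIN\name> ns=<namespace> query="<WQL>"
LOG_RE = re.compile(
    r'client=(?P<client>\S+)\s+server=(?P<server>\S+)\s+user=(?P<user>\S+)'
    r'\s+ns=(?P<ns>\S+)\s+query="(?P<query>[^"]*)"'
)


@dataclass(frozen=True)
class WmiQueryEvent:
    client_ip: str
    server: str
    user: str
    namespace: str
    query: str


def parse_wql(query: str) -> Optional[dict]:
    """Return the fields, class and optional WHERE filter of a WMI query, or None."""
    m = WQL_RE.match(query)
    if not m:
        return None
    fields = [f.strip() for f in m.group("fields").split(",")]
    return {"fields": fields, "class": m.group("cls"), "where": m.group("where")}


def parse_log_line(line: str) -> Optional[WmiQueryEvent]:
    """Parse one constructed log record into a WmiQueryEvent, or None if malformed."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return WmiQueryEvent(m["client"], m["server"], m["user"], m["ns"], m["query"])


def assess(event: WmiQueryEvent) -> List[str]:
    """Return the reasons an event is suspicious (empty list means benign)."""
    reasons: List[str] = []
    parsed = parse_wql(event.query)
    if parsed is None:
        return ["unparseable WMI query"]
    if event.client_ip not in AUTHORIZED_ADMIN_HOSTS:
        reasons.append(f"remote WMI query from unauthorized host {event.client_ip}")
    if parsed["class"].lower() in SENSITIVE_CLASSES:
        reasons.append(f"enumerates sensitive class {parsed['class']}")
    return reasons


def detect(lines: List[str]) -> List[Tuple[WmiQueryEvent, List[str]]]:
    """Run assess() over log lines and keep only the events that raised a reason."""
    hits = []
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue
        reasons = assess(event)
        if reasons:
            hits.append((event, reasons))
    return hits


def enumerating_clients(events: List[WmiQueryEvent], threshold: int = 3) -> Set[str]:
    """Clients that queried at least `threshold` distinct classes: enumeration, not a one-off."""
    classes_by_client: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        parsed = parse_wql(ev.query)
        if parsed:
            classes_by_client[ev.client_ip].add(parsed["class"].lower())
    return {ip for ip, classes in classes_by_client.items() if len(classes) >= threshold}


# Constructed sample records: an authorized admin host doing routine work, then
# an unauthorized host walking through several security-relevant classes.
SAMPLE_LOG = [
    r'client=10.0.0.5 server=ws01.corp.example user=CORP\itadmin ns=root\cimv2 query="SELECT Name, Version FROM Win32_OperatingSystem"',
    r'client=10.0.0.5 server=ws01.corp.example user=CORP\itadmin ns=root\cimv2 query="SELECT Name FROM Win32_Service WHERE State = \'Running\'"',
    r'client=10.0.0.77 server=ws01.corp.example user=CORP\itadmin ns=root\SecurityCenter2 query="SELECT * FROM AntiVirusProduct"',
    r'client=10.0.0.77 server=ws01.corp.example user=CORP\itadmin ns=root\cimv2 query="SELECT * FROM Win32_UserAccount"',
    r'client=10.0.0.77 server=ws01.corp.example user=CORP\itadmin ns=root\cimv2 query="SELECT * FROM Win32_Process"',
]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_LOG):
        print(f"{event.client_ip} -> {event.server}: {event.query!r}: {'; '.join(reasons)}")
    print("enumerating clients:", enumerating_clients([parse_log_line(l) for l in SAMPLE_LOG]))
```

The allowlist check reflects the firewall recommendation: once WMI is restricted to authorized addresses, any query from elsewhere is itself a finding. The distinct-class count is what separates a single administrative lookup from enumeration, which is why the page scores a sweep across several classes from one client higher than one query.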