Purpose: To protect against WMI attacks on windows systems.

Description: Protect against WIndows Management Instrumentation (WMI) abuse on windows systems.

CDC Push Date:  
Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.0.0

The Edit Rapid Config page for the WMI Protection Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.

Note: RECOMMENDATION: We recommend setting each section to Report prior to setting to Block. Use the resulting events to ensure that legitimate behavior will not be impacted.

For each of the following sections, specify what action you require.

WMI/WinRM Execution

Use this group to protect against attacks using Windows Management Instrumentation (WMI)

Windows Management Instrumentation is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access.

Note: FOR MORE INFORMATION: https://attack.mitre.org/wiki/Technique/T1047

The WMI/WinRM execution settings for the WMI Protection Rapid Config

*Report Or Block Wmiprvse And Wsmprovhost Launching Suspicious Applications:
Should execution of the specified applications by wmiprvse or wsmprovhost be reported or blocked? You should validate that legitimate behavior is not blocked before enabling blocking.
These child processes are common living-off-the-land binaries adversaries leverage to gain code execution or spread laterally via WMI/WinRM
*Applications To Report Or Block:
Carbon Black App Control will report or block execution of the specified applications by wmiprvse.exe or wsmprovhost.exe. You can add or remove files from this list. By default, the list includes:
  • calc.exe
  • cmd.exe
  • cscript.exe
  • msbuild.exe
  • mshta.exe
  • notepad.exe
  • powershell.exe
  • vssadmin.exe
  • wscript.exe
Processes/Command Lines Allowed To Be Run By Wmiprvse And Wsmprovhost:
Processes and command lines listed here will not be blocked.
*Report Or Block Processes Executing Wsmprovhost.Exe:
Should execution of wsmprovhost.exe be reported or blocked. Wsmprovhost is the process responsible for powershell remoting. You should validate that legitimate behavior is not blocked before enabling blocking.
Processes/Command Lines Allowed To Run Wsmprovhost.Exe:
Processes/command lines listed here will not be reported or blocked when they run wsmprovhost.exe. You can add or remove lines from this list. By default, the list includes:
  • <cmdline:*-k DcomLaunch*>svchost.exe
*Report Or Block Wmic.Exe When Started With The Specified Command Line:
Should execution of wmic.exe be reported or blocked when started with the potentially supcicious command line. The process call create command is often used for lateral movement/code execution. You should validate that legitimate behavior is not blocked before enabling blocking.
Wmic Command Line:
Carbon Black App Control will report or block execution of wmic.exe using the specified command line. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*process*call*create*>wmic.exe
Wmic Exception Command Line:
Command lines specified here will not be blocked. You can add or remove items from this list.
*Report Or Block Wmic.Exe Started With /Format On The Command Line If It Also Loads Vbscript.Dll Or Jscript.Dll:
Should execution of wmic.exe be reported or blocked when started with /format on the command line and wmic loads either vbscript.dll or jscript.dll.
This technique, discovered by security researcher Casey Smith, enables an adversary to execute code within XSL cripts either locally or from a URL bypassing application whitelisting
You should validate that legitimate behavior is not blocked before enabling blocking.
Wmic Command Line:
Carbon Black App Control will report or block execution of wmic.exe using the specified command line if it also loads vbscript.dll or jscript.dll. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*/format*>wmic.exe
Wmic /Format Exception Command Line:
Command lines specified here will not be blocked. You can add or remove items from this list.
*Report Or Block Remote Management Applications:
Should execution of the specified remote management applications be blocked? You should validate that legitimate behavior is not blocked before enabling blocking.
These binaries are used by adversaries to interact with WMI/winRM to spread laterally or execute code on local or remote systems.
*Remote Management Applications To Report Or Block:
Carbon Black App Control will report or block execution of the remote management applications. You can add or remove files from this list. By default, the list includes: 
  • WinRM.cmd
  • WinRS.exe
Processes Allowed To Run The Remote Management Applications:
The remote management applications will not be blocked when run by processes listed here.
*Report Or Block CScript.Exe Started With Winrm.Vbs On The Command Line:
Should execution of Cscript.exe using the specified command lines be blocked? You should validate that legitimate behavior is not blocked before enabling blocking.
This rule protects against execution of WinRM.cmd or WinRM.vbs with the invoke parameter, which can be leveraged to execute code on a remote system.
*CScript Command Lines To Report Or Block:
Carbon Black App Control will report or block execution of CScript.exe started with the specified command lines. You can add or remove files from this list. By default, the list includes:
  • <cmdline:*nologo*System32\winrm.vbs*i*>cscript.exe
CScript Exception Command Lines:
CScript Command lines specified here will not be reported or blocked.

WMI/WinRM Hardening

Use this group to provide miscellaneous rules for WMI hardening

The WMI/WinRM hardening settings for the WMI Protection Rapid Config

*Report Or Block Modification Of The Specified Powershell Registry Settings:
Should modification of the specified powershell registry entries be reported or blocked. You should validate that legitimate behavior is not blocked before enabling blocking.
This rule detects modifications to registry keys responsible for maintaining the state of WinRM, which can be leveraged to execute code on a remote system.
Registry Entries To Report Or Block:
Carbon Black App Control will report or block modification of the specified registry entries. You can add or remove items from this list. By default, the list includes:
  • HKLM\SOFTWARE\microsoft\windows\currentversion\wsman\updatedconfig
  • HKLM\SOFTWARE\policies\microsoft\windows\winrm\service\allowautoconfig
Processes Allowed To Modify The Specified Registry Entries:
Processes specified here will be allowed to modify the specified registry entries. You can add or remove items from this list.
*Report Or Block Wmic.Exe When Started With Shadowcopy Delete On Command Line:
Should execution of wmic.exe be reported or blocked when started with shadowcopy delete on the command line. You should validate that legitimate behavior is not blocked before enabling blocking.
Wmic Command Line:
Carbon Black App Control will report or block execution of wmic.exe using the specified command line. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*shadowcopy*delete*>wmic.exe
Wmic Exception Command Line:
Command lines specified here will not be blocked. You can add or remove items from this list.

WMI/WinRM Persistence

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.

Note: FOR MORE INFORMATION: https://attack.mitre.org/wiki/Technique/T1084

The WMI/WinRM persistence settings for the WMI Protection Rapid Config

*Report Or Block Wmiprvse Modifying The Specified Files:
Should writing of the specified files by wmiprvse.exe be reported or blocked. You should validate that legitimate behavior is not blocked before enabling blocking.
This technique, discovered by Security Researchers Matt Hastings and Ryan Kazanciyan (with an honorary mention to Matt Graeber for his POC), enables an adversary to persist and move laterally within a network via Desired State Configuration, a Microsoft configuration management platform.
*Target Files To Report Or Block:
Carbon Black App Control will report or block modification of the specified files by WMIPrvse.exe. You can add or remove items from this list. By default, the list includes:
  • <system>\configuration\*
*Report Or Block Modification Of The Win32ClockProvider Registry Settings:
Should modification of the specified registry entries be reported or blocked. You should validate that legitimate behavior is not blocked before enabling blocking.
This rule protects against common WMI event filter persistence techniques leveraging a Win32_LocalTime trigger. This may or may not be suspicious, but it is uncommon for this registry key to be modified.
Registry Entries To Report Or Block:
Carbon Black App Control will report or block modification of the specified registry entries. You can add or remove items from this list. By default, the list includes:
  • HKLM\software\Microsoft\WBEM\ESS\//./root/CIMV2\Win32ClockProvider*
Processes Allowed To Modify The Specified Registry Entries:
Processes specified here will be allowed to modify the specified registry entries. You can add or remove items from this list.
*Report Or Block Modification Of The Specified Event Subscription Registry Settings:
Should modification of the specified Event Subscription registry entries be reported or blocked. You should validate that legitimate behavior is not blocked before enabling blocking.
This rule protects against other forms of WMI Event Subscription persistence techniques not covered by the Win32ClockProvider rule above. The SCM Event Provider exclusion is provided to reduce false positives.
Registry Entries To Report Or Block:
Carbon Black App Control will report or block modification of the specified registry entries. You can add or remove items from this list. By default, the list includes:
  • HKLM\software\Microsoft\WBEM\ESS\//./root/CIMV2*
Processes Allowed To Modify The Specified Registry Entries:
Processes specified here will be allowed to modify the specified registry entries. You can add or remove items from this list.
Registry Entries Allowed To Be Modified:
Modification of the registry entries specified here will be allowed. You can add or remove items from this list. By default, the list includes:
  • HKLM\software\Microsoft\WBEM\ESS\//./root/CIMV2\Win32ClockProvider*
  • HKLM\software\Microsoft\WBEM\ESS\//./root/CIMV2\SCM Event Provider*