From labs.bitdefender.com
The discovery of Stuxnet in 2010, followed by its in-depth analysis, uncovered several “industry firsts”, including hijacking of Windows Management Instrumentation (WMI) to enumerate users and spread to available network shares.
In the past decade, most of the malware features at least one technique to hijack WMI for persistence, discovery, lateral movement or defense evasion.
This whitepaper describes how WMI hijacking works and how it is used in several families of malware currently in existence.