WMI (Windows Management Instrumentation) is abused by attackers for lateral movement, persistence (WMI subscriptions), reconnaissance, and fileless code execution, all of which appear legitimate.
WMI provides deep system control, and defenders and attackers both use it. Malicious WMI subscriptions trigger on specific events (logon, disk insert), providing persistent fileless execution. Monitor WMI activity, including MOF files and unusual subscriptions.
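
One way to review subscriptions on a host, as an added example that is not part of the original page: it joins each filter-to-consumer binding with its WQL trigger and its action so that unusual entries stand out. It assumes an elevated PowerShell session and inspects only the `root/subscription` namespace; the `RunsCode` column and the variable names are illustrative choices.

```powershell
# Added example: inventory permanent WMI event subscriptions for review.
# Assumption: run elevated on the host being checked; only root/subscription is inspected.
$ns = 'root/subscription'

# Filters hold the WQL query that decides when a subscription fires.
$filters = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    ForEach-Object { $filters[$_.Name] = $_ }

# Enumerating the base class returns instances of every consumer subclass.
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    ForEach-Object {
        $key = '{0}:{1}' -f $_.CimSystemProperties.ClassName, $_.Name
        $consumers[$key] = $_
    }

# Consumer classes that execute a command line or a script when triggered.
$codeRunners = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

# A binding ties one filter to one consumer; only bound pairs ever run.
$report = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    ForEach-Object {
        $class = $_.Consumer.CimSystemProperties.ClassName
        $f = $filters[$_.Filter.Name]
        $c = $consumers['{0}:{1}' -f $class, $_.Consumer.Name]
        [pscustomobject]@{
            Filter         = $_.Filter.Name
            Query          = $f.Query
            EventNamespace = $f.EventNamespace
            ConsumerClass  = $class
            Consumer       = $_.Consumer.Name
            # The next two are populated only for the code-running classes.
            CommandLine    = $c.CommandLineTemplate
            Script         = if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName }
            RunsCode       = $class -in $codeRunners
        }
    }

# List code-running subscriptions first; compare the output to a known-good baseline.
$report | Sort-Object RunsCode -Descending | Format-List
```

Filters or consumers that exist without a binding do not appear in this report, so compare the counts in `$filters` and `$consumers` against the number of report rows to spot leftovers.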