T1047

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a built-in Windows administration framework that provides a uniform interface for accessing system components, processes, services, and hardware. Adversaries leverage WMI for local and remote command execution, process creation via Win32_Process, service manipulation, shadow copy deletion, and lateral movement via DCOM (port 135) or WinRM (port 5985/5986). The wmic.exe CLI tool has been widely abused but is deprecated in Windows 11+; modern attacks increasingly use PowerShell cmdlets (Invoke-WmiMethod, Get-CimInstance) and direct COM APIs. Real-world abusers include Emotet (WMI to launch PowerShell), SUNBURST (Win32_SystemDriver enumeration), INC Ransom (WMIC-based ransomware deployment), menuPass (wmiexec.vbs lateral movement), Gamaredon Group, and numerous ransomware families that delete shadow copies via wmic.exe.

Microsoft Sentinel / Defender

kusto

let SuspiciousWmicArgs = dynamic([
  "process call create",
  "shadowcopy delete",
  "shadowcopy where",
  "/node:",
  "os get",
  "computersystem get",
  "service where",
  "product get",
  "nicconfig",
  "logicaldisk get",
  "startup list",
  "useraccount get"
]);
let SuspiciousWmiPSPatterns = dynamic([
  "Invoke-WmiMethod",
  "Get-WmiObject",
  "Get-CimInstance",
  "[wmiclass]",
  "[wmi]",
  "Win32_Process",
  "Win32_ShadowCopy",
  "Win32_Service",
  "wmiexec"
]);
// Branch 1: wmic.exe executing suspicious operations
let WmicSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any (SuspiciousWmicArgs)
| extend WmicRemote = ProcessCommandLine has "/node:"
| extend ShadowDelete = ProcessCommandLine has_any ("shadowcopy delete", "shadowcopy where")
| extend ProcessExec = ProcessCommandLine has "process call create"
| extend DetectionSource = "wmic_suspicious_args";
// Branch 2: wmiprvse.exe spawning unexpected child processes (WMI-based remote/local exec)
let WmiParentExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName !in~ ("WmiPrvSE.exe", "msiexec.exe", "svchost.exe", "SearchIndexer.exe", "WerFault.exe", "dllhost.exe")
| extend WmicRemote = false
| extend ShadowDelete = false
| extend ProcessExec = true
| extend DetectionSource = "wmiprvse_child_process";
// Branch 3: PowerShell using WMI for process creation or service manipulation
let PSWmiExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (SuspiciousWmiPSPatterns)
| where ProcessCommandLine has_any ("Create", "StartService", "Delete", "Invoke", "exec", "CallMethod")
| extend WmicRemote = ProcessCommandLine has_any ("-ComputerName", "/node:")
| extend ShadowDelete = ProcessCommandLine has "ShadowCopy"
| extend ProcessExec = ProcessCommandLine has_any ("Win32_Process", "Invoke-WmiMethod", "Invoke-CimMethod")
| extend DetectionSource = "powershell_wmi_exec";
union WmicSuspicious, WmiParentExec, PSWmiExec
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         WmicRemote, ShadowDelete, ProcessExec, DetectionSource
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators using wmic.exe or PowerShell WMI cmdlets for legitimate remote management (asset inventory, service health checks, software deployment)
Backup agents and VSS-aware applications that enumerate or interact with shadow copies via WMI (e.g., Veeam, Acronis, Windows Server Backup)
Enterprise monitoring tools (SCCM, SCOM, SolarWinds, Tanium) that spawn processes via wmiprvse.exe during scheduled inventory collection or remediation tasks
Security scanners and vulnerability assessment tools (Tenable, Qualys, Rapid7) that use WMI to enumerate installed software, OS configuration, and services
IT automation scripts (Ansible over WinRM, custom PowerShell DSC configurations) that legitimately use Win32_Process or Win32_Service classes
Windows Update and Windows Installer operations that trigger wmiprvse.exe child process spawning during patch installation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine_lower=lower(CommandLine)
| eval Image_lower=lower(Image)
| eval ParentImage_lower=lower(ParentImage)
| eval WmicSuspiciousArgs=if(
    match(Image_lower, "wmic\.exe") AND
    match(CommandLine_lower, "(process\s+call\s+create|shadowcopy\s+(delete|where)|/node:|os\s+get|computersystem\s+get|service\s+where|nicconfig|logicaldisk\s+get|useraccount\s+get)"),
    1, 0)
| eval WmicRemote=if(match(CommandLine_lower, "/node:"), 1, 0)
| eval ShadowDelete=if(match(CommandLine_lower, "shadowcopy\s+(delete|where)"), 1, 0)
| eval ProcessCreate=if(match(CommandLine_lower, "process\s+call\s+create"), 1, 0)
| eval WmiprvseChild=if(
    match(ParentImage_lower, "wmiprvse\.exe") AND
    NOT match(Image_lower, "(wmiprvse|msiexec|svchost|searchindexer|werfault|dllhost)\.exe"),
    1, 0)
| eval PSWmiExec=if(
    match(Image_lower, "(powershell|pwsh)\.exe") AND
    match(CommandLine_lower, "(invoke-wmimethod|get-wmiobject|get-ciminstance|\[wmiclass\]|win32_process|win32_shadowcopy|win32_service|wmiexec)") AND
    match(CommandLine_lower, "(create|startservice|delete|invoke|exec|callmethod)"),
    1, 0)
| eval SuspicionScore=WmicSuspiciousArgs + WmicRemote + ShadowDelete + ProcessCreate + WmiprvseChild + PSWmiExec
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, WmicSuspiciousArgs, WmicRemote, ShadowDelete, ProcessCreate, WmiprvseChild, PSWmiExec, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Enterprise monitoring and asset management platforms (SCCM, SCOM, Tanium) regularly spawn processes via wmiprvse.exe during scheduled inventory and remediation tasks
Backup software enumerating VSS/shadow copies via WMI as part of normal pre-backup operations
IT helpdesk automation using wmic /node: for remote computer management and diagnostics
Security compliance tools performing WMI-based configuration baseline assessments
Scripted software deployment that uses Win32_Process.Create() as an installation mechanism

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "process" and event.type == "start" and
    process.name : "wmic.exe" and
    process.command_line : ("*process call create*", "*shadowcopy delete*", "*shadowcopy where*", "*/node:*", "*os get*", "*computersystem get*", "*service where*", "*nicconfig*", "*logicaldisk get*", "*startup list*", "*useraccount get*")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.parent.name : "WmiPrvSE.exe" and
    not process.name : ("WmiPrvSE.exe", "msiexec.exe", "svchost.exe", "SearchIndexer.exe", "WerFault.exe", "dllhost.exe")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*Invoke-WmiMethod*", "*Get-WmiObject*", "*Get-CimInstance*", "*[wmiclass]*", "*[wmi]*", "*Win32_Process*", "*Win32_ShadowCopy*", "*Win32_Service*", "*wmiexec*") and
    process.command_line : ("*Create*", "*StartService*", "*Delete*", "*Invoke*", "*exec*", "*CallMethod*")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Sysmon via Elastic Agent Windows Security Event Logs via Winlogbeat

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

SCCM, Ansible, or other IT automation platforms that use wmic.exe for legitimate hardware and software inventory collection (especially computersystem get, logicaldisk get, nicconfig).
Monitoring and observability agents (e.g., Datadog, Zabbix, SolarWinds) that spawn from or query WMI via wmiprvse.exe for system telemetry.
Software installation frameworks (InstallShield, Wise, custom MSI wrappers) that invoke WMI during install/uninstall phases, which may spawn unexpected children from WmiPrvSE.exe.
PowerShell-based administrative scripts used by IT operations to query system state or manage services remotely via Get-WmiObject or Get-CimInstance.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  CASE
    WHEN LOWER("Image") LIKE '%wmic.exe%' THEN 1 ELSE 0
  END AS WmicSuspicious,
  CASE
    WHEN LOWER("CommandLine") LIKE '%/node:%' THEN 1 ELSE 0
  END AS WmicRemote,
  CASE
    WHEN LOWER("CommandLine") LIKE '%shadowcopy delete%'
      OR LOWER("CommandLine") LIKE '%shadowcopy where%' THEN 1 ELSE 0
  END AS ShadowDelete,
  CASE
    WHEN LOWER("ParentImage") LIKE '%wmiprvse.exe%'
      AND LOWER("Image") NOT LIKE '%wmiprvse.exe%'
      AND LOWER("Image") NOT LIKE '%msiexec.exe%'
      AND LOWER("Image") NOT LIKE '%svchost.exe%'
      AND LOWER("Image") NOT LIKE '%searchindexer.exe%'
      AND LOWER("Image") NOT LIKE '%werfault.exe%'
      AND LOWER("Image") NOT LIKE '%dllhost.exe%'
    THEN 1 ELSE 0
  END AS WmiprvseChild,
  CASE
    WHEN (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%')
      AND (
        LOWER("CommandLine") LIKE '%invoke-wmimethod%' OR
        LOWER("CommandLine") LIKE '%get-wmiobject%' OR
        LOWER("CommandLine") LIKE '%get-ciminstance%' OR
        LOWER("CommandLine") LIKE '%win32_process%' OR
        LOWER("CommandLine") LIKE '%win32_shadowcopy%' OR
        LOWER("CommandLine") LIKE '%wmiexec%'
      )
      AND (
        LOWER("CommandLine") LIKE '%create%' OR
        LOWER("CommandLine") LIKE '%invoke%' OR
        LOWER("CommandLine") LIKE '%exec%' OR
        LOWER("CommandLine") LIKE '%delete%'
      )
    THEN 1 ELSE 0
  END AS PSWmiExec
FROM events
WHERE
  LOGSOURCETYPEID IN (SELECT id FROM log_source_types WHERE name LIKE '%Sysmon%' OR name LIKE '%Windows%')
  AND QIDNAME(qid) LIKE '%Process Create%'
  AND (
    (
      LOWER("Image") LIKE '%wmic.exe%' AND (
        LOWER("CommandLine") LIKE '%process call create%' OR
        LOWER("CommandLine") LIKE '%shadowcopy delete%' OR
        LOWER("CommandLine") LIKE '%shadowcopy where%' OR
        LOWER("CommandLine") LIKE '%/node:%' OR
        LOWER("CommandLine") LIKE '%os get%' OR
        LOWER("CommandLine") LIKE '%computersystem get%' OR
        LOWER("CommandLine") LIKE '%nicconfig%' OR
        LOWER("CommandLine") LIKE '%logicaldisk get%' OR
        LOWER("CommandLine") LIKE '%useraccount get%'
      )
    ) OR (
      LOWER("ParentImage") LIKE '%wmiprvse.exe%' AND
      LOWER("Image") NOT LIKE '%wmiprvse.exe%' AND
      LOWER("Image") NOT LIKE '%msiexec.exe%' AND
      LOWER("Image") NOT LIKE '%svchost.exe%' AND
      LOWER("Image") NOT LIKE '%searchindexer.exe%' AND
      LOWER("Image") NOT LIKE '%werfault.exe%' AND
      LOWER("Image") NOT LIKE '%dllhost.exe%'
    ) OR (
      (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%') AND
      (
        LOWER("CommandLine") LIKE '%invoke-wmimethod%' OR
        LOWER("CommandLine") LIKE '%get-wmiobject%' OR
        LOWER("CommandLine") LIKE '%get-ciminstance%' OR
        LOWER("CommandLine") LIKE '%win32_process%' OR
        LOWER("CommandLine") LIKE '%win32_shadowcopy%' OR
        LOWER("CommandLine") LIKE '%wmiexec%'
      ) AND (
        LOWER("CommandLine") LIKE '%create%' OR
        LOWER("CommandLine") LIKE '%invoke%' OR
        LOWER("CommandLine") LIKE '%exec%' OR
        LOWER("CommandLine") LIKE '%delete%'
      )
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Sysmon (Event ID 1) Windows Security Event Logs (Event ID 4688) IBM QRadar Windows DSM

Required Tables

events

False Positives

Enterprise IT management platforms (SCCM, Ivanti, ManageEngine) performing scheduled WMI-based hardware and software inventory queries that use wmic.exe with os get, computersystem get, or logicaldisk get arguments.
Hypervisor guest agents and VMware Tools components that legitimately spawn from WmiPrvSE.exe during VM lifecycle events or guest customization workflows.
PowerShell administrative automation scripts operated by IT operations teams that use Get-WmiObject or Get-CimInstance for remote system health checks and patching workflows.

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR metadata_vendor=Microsoft)
| where metadata_deviceEventId = "1" OR metadata_deviceEventId = "Sysmon:1:ProcessCreate"
| toLower(baseImage) as proc_lower
| toLower(commandLine) as cmd_lower
| toLower(parentBaseImage) as parent_lower
| where (
    (
      proc_lower matches "*wmic.exe*" and (
        cmd_lower matches "*process call create*" or
        cmd_lower matches "*shadowcopy delete*" or
        cmd_lower matches "*shadowcopy where*" or
        cmd_lower matches "*/node:*" or
        cmd_lower matches "*os get*" or
        cmd_lower matches "*computersystem get*" or
        cmd_lower matches "*service where*" or
        cmd_lower matches "*nicconfig*" or
        cmd_lower matches "*logicaldisk get*" or
        cmd_lower matches "*useraccount get*"
      )
    ) or
    (
      parent_lower matches "*wmiprvse.exe*" and
      !(proc_lower matches "*wmiprvse.exe*") and
      !(proc_lower matches "*msiexec.exe*") and
      !(proc_lower matches "*svchost.exe*") and
      !(proc_lower matches "*searchindexer.exe*") and
      !(proc_lower matches "*werfault.exe*") and
      !(proc_lower matches "*dllhost.exe*")
    ) or
    (
      (proc_lower matches "*powershell.exe*" or proc_lower matches "*pwsh.exe*") and
      (
        cmd_lower matches "*invoke-wmimethod*" or
        cmd_lower matches "*get-wmiobject*" or
        cmd_lower matches "*get-ciminstance*" or
        cmd_lower matches "*[wmiclass]*" or
        cmd_lower matches "*win32_process*" or
        cmd_lower matches "*win32_shadowcopy*" or
        cmd_lower matches "*win32_service*" or
        cmd_lower matches "*wmiexec*"
      ) and
      (
        cmd_lower matches "*create*" or
        cmd_lower matches "*startservice*" or
        cmd_lower matches "*delete*" or
        cmd_lower matches "*invoke*" or
        cmd_lower matches "*exec*" or
        cmd_lower matches "*callmethod*"
      )
    )
  )
| if (cmd_lower matches "*/node:*", 1, 0) as WmicRemote
| if (cmd_lower matches "*shadowcopy delete*" or cmd_lower matches "*shadowcopy where*", 1, 0) as ShadowDelete
| if (cmd_lower matches "*process call create*", 1, 0) as ProcessCreate
| if (parent_lower matches "*wmiprvse.exe*", 1, 0) as WmiprvseChild
| if (
    (proc_lower matches "*powershell.exe*" or proc_lower matches "*pwsh.exe*") and
    (cmd_lower matches "*invoke-wmimethod*" or cmd_lower matches "*win32_process*" or cmd_lower matches "*wmiexec*"),
    1, 0) as PSWmiExec
| (WmicRemote + ShadowDelete + ProcessCreate + WmiprvseChild + PSWmiExec) as SuspicionScore
| fields _messageTime, device_hostname, user_username, baseImage, commandLine, parentBaseImage, parentCommandLine, WmicRemote, ShadowDelete, ProcessCreate, WmiprvseChild, PSWmiExec, SuspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic CSE Windows Sensor Sysmon Event ID 1 via Sumo Logic Installed Collector Windows Security Event ID 4688 via Sumo Logic

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Legitimate system management tools such as SCCM, Puppet, or Chef that issue wmic.exe queries for asset inventory (logicaldisk get, os get, computersystem get) as part of scheduled discovery tasks.
WmiPrvSE.exe spawning legitimate child processes from vendor-installed WMI providers for backup agents (Veeam, Commvault) or monitoring software during data collection jobs.
Security operations teams running PowerShell-based WMI queries (Get-CimInstance, Get-WmiObject) for forensic investigation, threat hunting, or compliance auditing on managed endpoints.

Google Chronicle / SecOps

yaral

rule wmi_abuse_t1047 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects WMI abuse via wmic.exe suspicious args, WmiPrvSE.exe spawning unexpected children, or PowerShell WMI class/cmdlet execution"
    technique = "T1047"
    tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1047/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        // Branch 1: wmic.exe with suspicious arguments
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(process\s+call\s+create|shadowcopy\s+(delete|where)|\/node:|os\s+get|computersystem\s+get|service\s+where|nicconfig|logicaldisk\s+get|startup\s+list|useraccount\s+get)`)
      ) or
      (
        // Branch 2: WmiPrvSE.exe spawning unexpected child processes
        re.regex($e.principal.process.file.full_path, `(?i)\\wmiprvse\.exe$`) and
        not re.regex($e.target.process.file.full_path,
          `(?i)\\(wmiprvse|msiexec|svchost|searchindexer|werfault|dllhost)\.exe$`)
      ) or
      (
        // Branch 3: PowerShell executing via WMI classes or cmdlets
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(invoke-wmimethod|get-wmiobject|get-ciminstance|\[wmiclass\]|\[wmi\]|win32_process|win32_shadowcopy|win32_service|wmiexec)`) and
        re.regex($e.target.process.command_line,
          `(?i)(create|startservice|delete|invoke|exec|callmethod)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Telemetry via Chronicle Forwarder Sysmon Event ID 1 normalized to UDM PROCESS_LAUNCH

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise endpoint management platforms (Tanium, BigFix, Altiris) that use wmic.exe for periodic hardware and OS inventory collection, generating computersystem get and logicaldisk get command lines that match reconnaissance argument patterns.
WmiPrvSE.exe spawning dllhost.exe variants or vendor-specific management processes during COM/DCOM object instantiation from legitimate WMI providers installed by backup, AV, or monitoring software.
DevOps automation (Ansible WinRM modules, PowerShell DSC) running Get-CimInstance or Invoke-WmiMethod in deployment pipelines with remote -ComputerName targeting that matches the remote execution pattern.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName =~ regex("(?i)wmic\\.exe$", field=ImageFileName)
  OR ParentBaseFileName =~ "wmiprvse.exe"
  OR ImageFileName =~ regex("(?i)(powershell|pwsh)\\.exe$", field=ImageFileName)
| eval WmicSuspicious = if(
    ImageFileName =~ regex("(?i)wmic\\.exe$") AND
    CommandLine =~ regex("(?i)(process\\s+call\\s+create|shadowcopy\\s+(delete|where)|\/node:|os\\s+get|computersystem\\s+get|service\\s+where|nicconfig|logicaldisk\\s+get|useraccount\\s+get)"),
    1, 0)
| eval WmicRemote = if(CommandLine =~ regex("\/node:"), 1, 0)
| eval ShadowDelete = if(CommandLine =~ regex("(?i)shadowcopy\\s+(delete|where)"), 1, 0)
| eval ProcessCreate = if(CommandLine =~ regex("(?i)process\\s+call\\s+create"), 1, 0)
| eval WmiprvseChild = if(
    ParentBaseFileName =~ regex("(?i)wmiprvse\\.exe$") AND
    NOT ImageFileName =~ regex("(?i)(wmiprvse|msiexec|svchost|searchindexer|werfault|dllhost)\\.exe$"),
    1, 0)
| eval PSWmiExec = if(
    ImageFileName =~ regex("(?i)(powershell|pwsh)\\.exe$") AND
    CommandLine =~ regex("(?i)(invoke-wmimethod|get-wmiobject|get-ciminstance|\\[wmiclass\\]|win32_process|win32_shadowcopy|win32_service|wmiexec)") AND
    CommandLine =~ regex("(?i)(create|startservice|delete|invoke|exec|callmethod)"),
    1, 0)
| eval SuspicionScore = WmicSuspicious + WmicRemote + ShadowDelete + ProcessCreate + WmiprvseChild + PSWmiExec
| where SuspicionScore > 0
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, WmicSuspicious, WmiprvseChild, PSWmiExec, WmicRemote, ShadowDelete, ProcessCreate, SuspicionScore]
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2) CrowdStrike Falcon Data Replicator Falcon LogScale (Humio)

Required Tables

ProcessRollup2

False Positives

IT management and RMM tools (ConnectWise Automate, NinjaRMM, Datto RMM) that use wmic.exe queries for device inventory and monitoring, generating patterns matching os get, computersystem get, and logicaldisk get argument signatures.
Hypervisor guest introspection agents (VMware Tools, Hyper-V Integration Services) that spawn as child processes of WmiPrvSE.exe during host-initiated WMI provider calls for VM state reporting.
Security products performing WMI-based live response or forensic data collection (CrowdStrike Real Time Response, Carbon Black, SentinelOne remote shell) that invoke WMI APIs from PowerShell for system enumeration during incident response workflows.

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1047 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Windows Management Instrumentation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections