
Detect Windows Management Instrumentation in IBM QRadar

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a built-in Windows administration framework that provides a uniform interface for accessing system components, processes, services, and hardware. Adversaries leverage WMI for local and remote command execution, process creation via the Win32_Process Create method, service manipulation, shadow copy deletion, and lateral movement over DCOM (TCP 135 plus a dynamic high port) or WinRM (TCP 5985/5986). The wmic.exe CLI has been widely abused but is deprecated on Windows 11; modern tradecraft increasingly uses PowerShell cmdlets (Invoke-WmiMethod, Invoke-CimMethod, Get-CimInstance) and direct COM API calls, none of which produce a wmic.exe process. Real-world abusers include Emotet (WMI to launch PowerShell), SUNBURST (Win32_SystemDriver enumeration), INC Ransom (WMIC-based ransomware deployment), menuPass (wmiexec.vbs lateral movement), Gamaredon Group, and numerous ransomware families that delete shadow copies via wmic.exe.

MITRE ATT&CK

Tactic
Execution
Technique
T1047 Windows Management Instrumentation
Canonical reference
https://attack.mitre.org/techniques/T1047/

QRadar Detection Query (AQL)

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  "ParentCommandLine" AS ParentCommandLine,
  CASE
    WHEN LOWER("Image") LIKE '%wmic.exe%' THEN 1 ELSE 0
  END AS WmicSuspicious,
  CASE
    WHEN LOWER("CommandLine") LIKE '%/node:%' THEN 1 ELSE 0
  END AS WmicRemote,
  CASE
    WHEN LOWER("CommandLine") LIKE '%shadowcopy delete%'
      OR LOWER("CommandLine") LIKE '%shadowcopy where%' THEN 1 ELSE 0
  END AS ShadowDelete,
  CASE
    WHEN LOWER("ParentImage") LIKE '%wmiprvse.exe%'
      AND LOWER("Image") NOT LIKE '%wmiprvse.exe%'
      AND LOWER("Image") NOT LIKE '%msiexec.exe%'
      AND LOWER("Image") NOT LIKE '%svchost.exe%'
      AND LOWER("Image") NOT LIKE '%searchindexer.exe%'
      AND LOWER("Image") NOT LIKE '%werfault.exe%'
      AND LOWER("Image") NOT LIKE '%dllhost.exe%'
    THEN 1 ELSE 0
  END AS WmiprvseChild,
  CASE
    WHEN (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%')
      AND (
        LOWER("CommandLine") LIKE '%invoke-wmimethod%' OR
        LOWER("CommandLine") LIKE '%invoke-cimmethod%' OR
        LOWER("CommandLine") LIKE '%get-wmiobject%' OR
        LOWER("CommandLine") LIKE '%get-ciminstance%' OR
        LOWER("CommandLine") LIKE '%win32_process%' OR
        LOWER("CommandLine") LIKE '%win32_shadowcopy%' OR
        LOWER("CommandLine") LIKE '%wmiexec%'
      )
      AND (
        LOWER("CommandLine") LIKE '%create%' OR
        LOWER("CommandLine") LIKE '%invoke%' OR
        LOWER("CommandLine") LIKE '%exec%' OR
        LOWER("CommandLine") LIKE '%delete%'
      )
    THEN 1 ELSE 0
  END AS PSWmiExec
FROM events
WHERE
  (
    LOGSOURCETYPENAME(devicetype) LIKE '%Sysmon%'
    OR LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
  )
  AND QIDNAME(qid) LIKE '%Process Create%'
  AND (
    (
      LOWER("Image") LIKE '%wmic.exe%' AND (
        LOWER("CommandLine") LIKE '%process call create%' OR
        LOWER("CommandLine") LIKE '%shadowcopy%' OR
        LOWER("CommandLine") LIKE '%/node:%' OR
        LOWER("CommandLine") LIKE '%os get%' OR
        LOWER("CommandLine") LIKE '%computersystem get%' OR
        LOWER("CommandLine") LIKE '%nicconfig%' OR
        LOWER("CommandLine") LIKE '%logicaldisk get%' OR
        LOWER("CommandLine") LIKE '%useraccount get%'
      )
    ) OR (
      LOWER("ParentImage") LIKE '%wmiprvse.exe%' AND
      LOWER("Image") NOT LIKE '%wmiprvse.exe%' AND
      LOWER("Image") NOT LIKE '%msiexec.exe%' AND
      LOWER("Image") NOT LIKE '%svchost.exe%' AND
      LOWER("Image") NOT LIKE '%searchindexer.exe%' AND
      LOWER("Image") NOT LIKE '%werfault.exe%' AND
      LOWER("Image") NOT LIKE '%dllhost.exe%'
    ) OR (
      (LOWER("Image") LIKE '%powershell.exe%' OR LOWER("Image") LIKE '%pwsh.exe%') AND
      (
        LOWER("CommandLine") LIKE '%invoke-wmimethod%' OR
        LOWER("CommandLine") LIKE '%invoke-cimmethod%' OR
        LOWER("CommandLine") LIKE '%get-wmiobject%' OR
        LOWER("CommandLine") LIKE '%get-ciminstance%' OR
        LOWER("CommandLine") LIKE '%win32_process%' OR
        LOWER("CommandLine") LIKE '%win32_shadowcopy%' OR
        LOWER("CommandLine") LIKE '%wmiexec%'
      ) AND (
        LOWER("CommandLine") LIKE '%create%' OR
        LOWER("CommandLine") LIKE '%invoke%' OR
        LOWER("CommandLine") LIKE '%exec%' OR
        LOWER("CommandLine") LIKE '%delete%'
      )
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS
Severity: High · Confidence: High

Detects WMI abuse (T1047) from process-creation events ingested into QRadar. The WHERE clause covers three execution paths: wmic.exe invoked with arguments used for reconnaissance, remote execution (/node:) or shadow copy enumeration and deletion; an unexpected child process of WmiPrvSE.exe, which is the process that actually spawns a command run through WMI, whether the caller was local or remote; and PowerShell invoking WMI or CIM cmdlets against Win32_Process or Win32_ShadowCopy together with a create, invoke, exec or delete verb. Every returned row carries the five triage flags (WmicSuspicious, WmicRemote, ShadowDelete, WmiprvseChild, PSWmiExec) so an analyst can sort on the path that matched. Two deployment caveats: the "Image", "CommandLine", "ParentImage" and "ParentCommandLine" custom event properties are the Sysmon field names, so Security Event ID 4688 records, which carry "New Process Name", "Process Command Line" and "Creator Process Name", only contribute once those properties are mapped onto the same names or a parallel clause is added; and because wmic.exe is deprecated, the wmic.exe branch produces nothing on hosts where the binary is absent, leaving the WmiPrvSE.exe child and PowerShell branches as the coverage there. The log source type and QID name filters should be checked against the DSM names in your deployment.

Data Sources

  • Microsoft Sysmon (Event ID 1)
  • Windows Security Event Log (Event ID 4688)
  • IBM QRadar Windows DSM

Required Tables

events

False Positives & Tuning

  • Enterprise IT management platforms (SCCM, Ivanti, ManageEngine) performing scheduled WMI-based hardware and software inventory queries that use wmic.exe with os get, computersystem get, or logicaldisk get arguments.
  • Hypervisor guest agents and VMware Tools components that legitimately spawn from WmiPrvSE.exe during VM lifecycle events or guest customization workflows.
  • PowerShell administrative automation scripts operated by IT operations teams that use Get-WmiObject or Get-CimInstance for remote system health checks and patching workflows.

Testing Methodology

Validate this detection against the four Atomic Red Team tests for T1047 below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI Local Process Creation via wmic.exe

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process call create calc.exe'. Second Sysmon Event ID 1: Process Create with Image=calc.exe and ParentImage=WmiPrvSE.exe (note: wmiprvse.exe, not wmic.exe, is the actual parent). Security Event ID 4688 (if command line auditing enabled) for both wmic.exe and calc.exe.

  2. Test 2: Remote WMI Process Execution via PowerShell Invoke-WmiMethod

    Expected signal: Sysmon Event ID 1: powershell.exe process creation with CommandLine containing 'Invoke-WmiMethod', 'Win32_Process', 'Create', and 'ComputerName'. Second Sysmon Event ID 1: cmd.exe with ParentImage=WmiPrvSE.exe (confirming WMI execution path). PowerShell ScriptBlock Log Event ID 4104 with full Invoke-WmiMethod call. Sysmon Event ID 3: network connection to 127.0.0.1 on port 135 (DCOM).

  3. Test 3: WMI System Enumeration and Discovery

    Expected signal: Four separate Sysmon Event ID 1 entries for wmic.exe, each with distinct CommandLine arguments (os get, process list, service where, nicconfig get). Security Event ID 4688 equivalents if audit policy enabled. No network events expected for local-only enumeration. Each invocation generates a process creation event with the full command line.

  4. Test 4: WMI Shadow Copy Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'shadowcopy list brief'. Security Event ID 4688 equivalent with command line. No child processes created. No file system modification. The 'shadowcopy' substring in the CommandLine is the detection trigger; the ShadowDelete flag stays 0 for this test because the command neither deletes nor selects a shadow copy with a where clause, so a row with WmicSuspicious=1 and ShadowDelete=0 is the expected result.
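The following is an added example, not part of this page, of the QRadar query, or of the Atomic Red Team project: the AQL predicates of the detection query re-implemented in Python so the three WHERE branches and the five triage flags can be exercised offline against records shaped like the expected signals of the four tests above. Matching is case-insensitive substring matching, mirroring LOWER() with LIKE '%...%'; the wmic.exe branch matches any 'shadowcopy' argument so the enumeration in Test 4 fires, and invoke-cimmethod is included as the CIM counterpart of Invoke-WmiMethod. It goes one step beyond the four tests with a remote wmic /node: record, and it applies the inventory-platform tuning note from the False Positives section as a per-account allowlist. All event records, file paths, the host name fs01, the accounts CORP\alice and CORP\svc_inventory, and the allowlist itself are constructed for the example.

```python
# Added example: offline model of the T1047 QRadar rule (three WHERE branches
# plus the five CASE flags). Illustrative code, not the page's query.

# Substrings from the AQL predicates. Matching is case-insensitive substring
# matching, mirroring LOWER(...) LIKE '%term%'. invoke-cimmethod is included
# as the CIM equivalent of Invoke-WmiMethod.
WMIC_ARGS = ("process call create", "shadowcopy", "/node:", "os get",
             "computersystem get", "nicconfig", "logicaldisk get",
             "useraccount get")
WMIPRVSE_CHILD_EXCLUDE = ("wmiprvse.exe", "msiexec.exe", "svchost.exe",
                          "searchindexer.exe", "werfault.exe", "dllhost.exe")
PS_WMI_TERMS = ("invoke-wmimethod", "invoke-cimmethod", "get-wmiobject",
                "get-ciminstance", "win32_process", "win32_shadowcopy",
                "wmiexec")
PS_ACTION_TERMS = ("create", "invoke", "exec", "delete")

# Tuning allowlist (constructed): (account, CommandLine substring) pairs for
# inventory jobs expected to run local "wmic ... get ..." queries.
INVENTORY_ALLOW = (("corp\\svc_inventory", " get"),)


def _any(text, terms):
    return any(t in text for t in terms)


def _fields(ev):
    return (ev.get("Image", "").lower(), ev.get("CommandLine", "").lower(),
            ev.get("ParentImage", "").lower(), ev.get("UserName", "").lower())


def flags(ev):
    """The five CASE-expression flags the AQL attaches to every returned row."""
    image, cmd, parent, _ = _fields(ev)
    is_ps = "powershell.exe" in image or "pwsh.exe" in image
    return {
        "WmicSuspicious": int("wmic.exe" in image),
        "WmicRemote": int("/node:" in cmd),
        "ShadowDelete": int("shadowcopy delete" in cmd or "shadowcopy where" in cmd),
        "WmiprvseChild": int("wmiprvse.exe" in parent
                             and not _any(image, WMIPRVSE_CHILD_EXCLUDE)),
        "PSWmiExec": int(is_ps and _any(cmd, PS_WMI_TERMS)
                         and _any(cmd, PS_ACTION_TERMS)),
    }


def matches(ev):
    """The AQL WHERE clause: wmic.exe branch OR WmiPrvSE child OR PowerShell
    WMI/CIM branch, minus the inventory allowlist (never applied to /node:)."""
    image, cmd, _, user = _fields(ev)
    f = flags(ev)
    wmic_branch = "wmic.exe" in image and _any(cmd, WMIC_ARGS)
    hit = wmic_branch or f["WmiprvseChild"] == 1 or f["PSWmiExec"] == 1
    tuned_out = (wmic_branch and f["WmicRemote"] == 0
                 and any(user == u and s in cmd for u, s in INVENTORY_ALLOW))
    return hit and not tuned_out


# Constructed records shaped like the expected signals of the four tests,
# plus benign and tuned cases. Paths, host names and accounts are made up.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
CMD = r"C:\Windows\System32\cmd.exe"


def _ev(eid, image, cmdline, parent, user=r"CORP\alice"):
    return {"id": eid, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent, "UserName": user}


SAMPLE_EVENTS = [
    _ev("t1-wmic", WMIC, "wmic process call create calc.exe", CMD),
    _ev("t1-child", r"C:\Windows\System32\calc.exe", "calc.exe", PRVSE),
    _ev("t2-ps", PS, "powershell.exe -Command \"Invoke-WmiMethod -Class Win32_Process "
        "-Name Create -ArgumentList 'cmd.exe /c whoami' -ComputerName 127.0.0.1\"", CMD),
    _ev("t2-child", CMD, "cmd.exe /c whoami", PRVSE),
    _ev("t3-osget", WMIC, "wmic os get caption,version", CMD),
    _ev("t4-shadow", WMIC, "wmic shadowcopy list brief", CMD),
    _ev("remote-wmic", WMIC,
        'wmic /node:fs01 process call create "cmd.exe /c whoami"', CMD),
    _ev("benign-msiexec", r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V", PRVSE),
    _ev("benign-cim", PS, "powershell.exe -Command Get-CimInstance Win32_OperatingSystem", CMD),
    _ev("tuned-inventory", WMIC, "wmic logicaldisk get caption,size", CMD,
        user=r"CORP\svc_inventory"),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {id: flags + Match}: the rows the AQL would emit and those it drops."""
    out = {}
    for ev in events:
        row = flags(ev)
        row["Match"] = matches(ev)
        out[ev["id"]] = row
    return out


if __name__ == "__main__":
    for eid, row in evaluate().items():
        print(f"{eid:16} match={row['Match']!s:5} "
              + " ".join(f"{k}={v}" for k, v in row.items() if k != "Match"))
```

Running the script prints one line per record. The two "child" records show why the WmiPrvSE.exe branch matters: calc.exe and cmd.exe carry no WMI keyword at all and are caught only by their parent, while the read-only Get-CimInstance record is dropped because no action verb is present. The allowlist is deliberately keyed on account plus a local "get" query so that the same account running a remote /node: or process call create command still fires.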
