Detect Windows Management Instrumentation in Microsoft Sentinel
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a built-in Windows administration framework that provides a uniform interface for accessing system components, processes, services, and hardware. Adversaries leverage WMI for local and remote command execution, process creation via Win32_Process, service manipulation, shadow copy deletion, and lateral movement via DCOM (port 135) or WinRM (port 5985/5986). The wmic.exe CLI tool has been widely abused but is deprecated in Windows 11+; modern attacks increasingly use PowerShell cmdlets (Invoke-WmiMethod, Get-CimInstance) and direct COM APIs. Real-world abusers include Emotet (WMI to launch PowerShell), SUNBURST (Win32_SystemDriver enumeration), INC Ransom (WMIC-based ransomware deployment), menuPass (wmiexec.vbs lateral movement), Gamaredon Group, and numerous ransomware families that delete shadow copies via wmic.exe.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1047 Windows Management Instrumentation
- Canonical reference
- https://attack.mitre.org/techniques/T1047/
KQL Detection Query
let SuspiciousWmicArgs = dynamic([
"process call create",
"shadowcopy delete",
"shadowcopy where",
"/node:",
"os get",
"computersystem get",
"service where",
"product get",
"nicconfig",
"logicaldisk get",
"startup list",
"useraccount get"
]);
let SuspiciousWmiPSPatterns = dynamic([
"Invoke-WmiMethod",
"Get-WmiObject",
"Get-CimInstance",
"[wmiclass]",
"[wmi]",
"Win32_Process",
"Win32_ShadowCopy",
"Win32_Service",
"wmiexec"
]);
// Branch 1: wmic.exe executing suspicious operations
let WmicSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any (SuspiciousWmicArgs)
| extend WmicRemote = ProcessCommandLine has "/node:"
| extend ShadowDelete = ProcessCommandLine has_any ("shadowcopy delete", "shadowcopy where")
| extend ProcessExec = ProcessCommandLine has "process call create"
| extend DetectionSource = "wmic_suspicious_args";
// Branch 2: wmiprvse.exe spawning unexpected child processes (WMI-based remote/local exec)
let WmiParentExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName !in~ ("WmiPrvSE.exe", "msiexec.exe", "svchost.exe", "SearchIndexer.exe", "WerFault.exe", "dllhost.exe")
| extend WmicRemote = false
| extend ShadowDelete = false
| extend ProcessExec = true
| extend DetectionSource = "wmiprvse_child_process";
// Branch 3: PowerShell using WMI for process creation or service manipulation
let PSWmiExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (SuspiciousWmiPSPatterns)
| where ProcessCommandLine has_any ("Create", "StartService", "Delete", "Invoke", "exec", "CallMethod")
| extend WmicRemote = ProcessCommandLine has_any ("-ComputerName", "/node:")
| extend ShadowDelete = ProcessCommandLine has "ShadowCopy"
| extend ProcessExec = ProcessCommandLine has_any ("Win32_Process", "Invoke-WmiMethod", "Invoke-CimMethod")
| extend DetectionSource = "powershell_wmi_exec";
union WmicSuspicious, WmiParentExec, PSWmiExec
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
WmicRemote, ShadowDelete, ProcessExec, DetectionSource
| sort by Timestamp descDetects Windows Management Instrumentation abuse across three distinct patterns using Microsoft Defender for Endpoint DeviceProcessEvents. Branch 1 identifies wmic.exe with suspicious arguments including process creation, shadow copy deletion, and remote /node: targeting. Branch 2 identifies processes spawned by wmiprvse.exe that fall outside expected system behaviors, indicating WMI-triggered remote or local code execution. Branch 3 identifies PowerShell leveraging WMI cmdlets for process or service manipulation. Results are unioned and enriched with indicator flags for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using wmic.exe or PowerShell WMI cmdlets for legitimate remote management (asset inventory, service health checks, software deployment)
- Backup agents and VSS-aware applications that enumerate or interact with shadow copies via WMI (e.g., Veeam, Acronis, Windows Server Backup)
- Enterprise monitoring tools (SCCM, SCOM, SolarWinds, Tanium) that spawn processes via wmiprvse.exe during scheduled inventory collection or remediation tasks
- Security scanners and vulnerability assessment tools (Tenable, Qualys, Rapid7) that use WMI to enumerate installed software, OS configuration, and services
- IT automation scripts (Ansible over WinRM, custom PowerShell DSC configurations) that legitimately use Win32_Process or Win32_Service classes
- Windows Update and Windows Installer operations that trigger wmiprvse.exe child process spawning during patch installation
Other platforms for T1047
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1WMI Local Process Creation via wmic.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process call create calc.exe'. Second Sysmon Event ID 1: Process Create with Image=calc.exe and ParentImage=WmiPrvSE.exe (note: wmiprvse.exe, not wmic.exe, is the actual parent). Security Event ID 4688 (if command line auditing enabled) for both wmic.exe and calc.exe.
- Test 2Remote WMI Process Execution via PowerShell Invoke-WmiMethod
Expected signal: Sysmon Event ID 1: powershell.exe process creation with CommandLine containing 'Invoke-WmiMethod', 'Win32_Process', 'Create', and 'ComputerName'. Second Sysmon Event ID 1: cmd.exe with ParentImage=WmiPrvSE.exe (confirming WMI execution path). PowerShell ScriptBlock Log Event ID 4104 with full Invoke-WmiMethod call. Sysmon Event ID 3: network connection to 127.0.0.1 on port 135 (DCOM).
- Test 3WMI System Enumeration and Discovery
Expected signal: Four separate Sysmon Event ID 1 entries for wmic.exe, each with distinct CommandLine arguments (os get, process list, service where, nicconfig get). Security Event ID 4688 equivalents if audit policy enabled. No network events expected for local-only enumeration. Each invocation generates a process creation event with the full command line.
- Test 4WMI Shadow Copy Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'shadowcopy list brief'. Security Event ID 4688 equivalent with command line. No child processes created. No file system modification. The 'shadowcopy' keyword in the CommandLine is the detection trigger.
References (12)
- https://attack.mitre.org/techniques/T1047/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.mandiant.com/resources/reports
- https://github.com/nccgroup/wmi-forensics
- https://www.secureworks.com/blog/wmi-persistence
- https://www.cybereason.com/blog/wmi-lateral-movement-win32-process
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
Unlock Pro Content
Get the full detection package for T1047 including response playbook, investigation guide, and atomic red team tests.