Detect Windows Management Instrumentation in Sumo Logic CSE
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a built-in Windows administration framework that provides a uniform interface for accessing system components, processes, services, and hardware. Adversaries leverage WMI for local and remote command execution, process creation via Win32_Process, service manipulation, shadow copy deletion, and lateral movement via DCOM (port 135) or WinRM (port 5985/5986). The wmic.exe CLI tool has been widely abused but is deprecated in Windows 11+; modern attacks increasingly use PowerShell cmdlets (Invoke-WmiMethod, Get-CimInstance) and direct COM APIs. Real-world abusers include Emotet (WMI to launch PowerShell), SUNBURST (Win32_SystemDriver enumeration), INC Ransom (WMIC-based ransomware deployment), menuPass (wmiexec.vbs lateral movement), Gamaredon Group, and numerous ransomware families that delete shadow copies via wmic.exe.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1047 Windows Management Instrumentation
- Canonical reference: https://attack.mitre.org/techniques/T1047/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR metadata_vendor=Microsoft)
| where metadata_deviceEventId = "1" OR metadata_deviceEventId = "Sysmon:1:ProcessCreate"
| toLower(baseImage) as proc_lower
| toLower(commandLine) as cmd_lower
| toLower(parentBaseImage) as parent_lower
| where (
(
proc_lower matches "*wmic.exe*" and (
cmd_lower matches "*process call create*" or
cmd_lower matches "*shadowcopy delete*" or
cmd_lower matches "*shadowcopy where*" or
cmd_lower matches "*/node:*" or
cmd_lower matches "*os get*" or
cmd_lower matches "*computersystem get*" or
cmd_lower matches "*service where*" or
cmd_lower matches "*nicconfig*" or
cmd_lower matches "*logicaldisk get*" or
cmd_lower matches "*useraccount get*"
)
) or
(
parent_lower matches "*wmiprvse.exe*" and
!(proc_lower matches "*wmiprvse.exe*") and
!(proc_lower matches "*msiexec.exe*") and
!(proc_lower matches "*svchost.exe*") and
!(proc_lower matches "*searchindexer.exe*") and
!(proc_lower matches "*werfault.exe*") and
!(proc_lower matches "*dllhost.exe*")
) or
(
(proc_lower matches "*powershell.exe*" or proc_lower matches "*pwsh.exe*") and
(
cmd_lower matches "*invoke-wmimethod*" or
cmd_lower matches "*get-wmiobject*" or
cmd_lower matches "*get-ciminstance*" or
cmd_lower matches "*[wmiclass]*" or
cmd_lower matches "*win32_process*" or
cmd_lower matches "*win32_shadowcopy*" or
cmd_lower matches "*win32_service*" or
cmd_lower matches "*wmiexec*"
) and
(
cmd_lower matches "*create*" or
cmd_lower matches "*startservice*" or
cmd_lower matches "*delete*" or
cmd_lower matches "*invoke*" or
cmd_lower matches "*exec*" or
cmd_lower matches "*callmethod*"
)
)
)
| if (cmd_lower matches "*/node:*", 1, 0) as WmicRemote
| if (cmd_lower matches "*shadowcopy delete*" or cmd_lower matches "*shadowcopy where*", 1, 0) as ShadowDelete
| if (cmd_lower matches "*process call create*", 1, 0) as ProcessCreate
| if (parent_lower matches "*wmiprvse.exe*", 1, 0) as WmiprvseChild
| if (
(proc_lower matches "*powershell.exe*" or proc_lower matches "*pwsh.exe*") and
(cmd_lower matches "*invoke-wmimethod*" or cmd_lower matches "*win32_process*" or cmd_lower matches "*wmiexec*"),
1, 0) as PSWmiExec
| (WmicRemote + ShadowDelete + ProcessCreate + WmiprvseChild + PSWmiExec) as SuspicionScore
| fields _messageTime, device_hostname, user_username, baseImage, commandLine, parentBaseImage, parentCommandLine, WmicRemote, ShadowDelete, ProcessCreate, WmiprvseChild, PSWmiExec, SuspicionScore
| sort by _messageTime desc
Detects abuse of Windows Management Instrumentation (T1047) using Sumo Logic CSE normalized process event fields. Three detection branches are evaluated: wmic.exe with reconnaissance or execution arguments (including remote /node: targeting and shadow copy deletion), WmiPrvSE.exe spawning non-allowlisted child processes indicating WMI-based code execution, and PowerShell cmdlets or class references (Win32_Process, Invoke-WmiMethod, wmiexec) performing destructive or execution-enabling operations. Computes a SuspicionScore for analyst prioritization.
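To make the three branches and the scoring concrete, here is an added Python re-implementation of the query's logic run over a handful of constructed Sysmon Event ID 1 records. This is example code written for this page, not Sumo Logic's code or the detection package itself. It assumes the CSE field names the query uses (baseImage, commandLine, parentBaseImage, device_hostname), models Sumo's `matches "*x*"` as a case-insensitive substring test, and adds one tuning knob that is not in the original query: a parent-process allowlist (CcmExec.exe, the ConfigMgr client, is used as the assumed example) that suppresses wmic.exe inventory hits from a known management agent, as the False Positives section suggests.

```python
# Added example: Python model of the Sumo Logic T1047 query above.
# Not the page's own code; field names follow Sumo Logic CSE normalization.

# Branch 1: wmic.exe reconnaissance / execution arguments (from the query).
WMIC_ARGS = [
    "process call create", "shadowcopy delete", "shadowcopy where", "/node:",
    "os get", "computersystem get", "service where", "nicconfig",
    "logicaldisk get", "useraccount get",
]
# Branch 1 arguments that should never be suppressed by tuning (execution or destructive).
WMIC_HIGH_RISK_ARGS = ["process call create", "shadowcopy delete", "shadowcopy where", "/node:"]
# Branch 2: children of WmiPrvSE.exe the query excludes as expected.
WMIPRVSE_EXPECTED_CHILDREN = [
    "wmiprvse.exe", "msiexec.exe", "svchost.exe", "searchindexer.exe",
    "werfault.exe", "dllhost.exe",
]
# Branch 3: PowerShell WMI/CIM references and the action words that must co-occur.
PS_WMI_REFS = [
    "invoke-wmimethod", "get-wmiobject", "get-ciminstance", "[wmiclass]",
    "win32_process", "win32_shadowcopy", "win32_service", "wmiexec",
]
PS_ACTION_WORDS = ["create", "startservice", "delete", "invoke", "exec", "callmethod"]


def _any(haystack, needles):
    """Sumo's `x matches "*needle*"` over a list of needles (case already folded)."""
    return any(n in haystack for n in needles)


def evaluate(event, discovery_parent_allowlist=()):
    """Return the query's flag columns plus SuspicionScore for one event,
    or None when none of the three branches fires.

    discovery_parent_allowlist is a tuning addition (assumed, not in the query):
    wmic.exe inventory hits whose parent is an allowlisted management agent are
    dropped unless the command line carries a high-risk argument.
    """
    proc = event.get("baseImage", "").lower()
    cmd = event.get("commandLine", "").lower()
    parent = event.get("parentBaseImage", "").lower()
    is_ps = "powershell.exe" in proc or "pwsh.exe" in proc

    branch_wmic = "wmic.exe" in proc and _any(cmd, WMIC_ARGS)
    branch_wmiprvse = "wmiprvse.exe" in parent and not _any(proc, WMIPRVSE_EXPECTED_CHILDREN)
    branch_ps = is_ps and _any(cmd, PS_WMI_REFS) and _any(cmd, PS_ACTION_WORDS)

    if branch_wmic and parent in discovery_parent_allowlist and not _any(cmd, WMIC_HIGH_RISK_ARGS):
        branch_wmic = False  # tuned out: benign asset inventory from a known agent

    if not (branch_wmic or branch_wmiprvse or branch_ps):
        return None

    flags = {
        "WmicRemote": int("/node:" in cmd),
        "ShadowDelete": int("shadowcopy delete" in cmd or "shadowcopy where" in cmd),
        "ProcessCreate": int("process call create" in cmd),
        "WmiprvseChild": int("wmiprvse.exe" in parent),
        "PSWmiExec": int(is_ps and _any(cmd, ["invoke-wmimethod", "win32_process", "wmiexec"])),
    }
    flags["SuspicionScore"] = sum(flags.values())
    return flags


def triage(events, discovery_parent_allowlist=()):
    """Evaluate every event; return hits sorted by SuspicionScore, highest first."""
    hits = []
    for ev in events:
        result = evaluate(ev, discovery_parent_allowlist)
        if result is not None:
            hits.append({"host": ev["device_hostname"], "cmd": ev["commandLine"], **result})
    return sorted(hits, key=lambda h: h["SuspicionScore"], reverse=True)


# Constructed sample events (not real telemetry), shaped like CSE-normalized Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"device_hostname": "WS01", "baseImage": "wmic.exe",
     "commandLine": "wmic /node:FS02 process call create calc.exe", "parentBaseImage": "cmd.exe"},
    {"device_hostname": "WS01", "baseImage": "wmic.exe",
     "commandLine": "wmic shadowcopy delete", "parentBaseImage": "cmd.exe"},
    # The Test 1 pattern: the spawned child is parented by WmiPrvSE.exe, not wmic.exe.
    {"device_hostname": "WS02", "baseImage": "cmd.exe",
     "commandLine": "cmd.exe /c whoami", "parentBaseImage": "WmiPrvSE.exe"},
    {"device_hostname": "WS02", "baseImage": "powershell.exe",
     "commandLine": "powershell Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList calc.exe",
     "parentBaseImage": "explorer.exe"},
    # Benign inventory from an assumed management agent parent (tuning target).
    {"device_hostname": "WS03", "baseImage": "wmic.exe",
     "commandLine": "wmic logicaldisk get name,size", "parentBaseImage": "CcmExec.exe"},
    # Allowlisted WmiPrvSE.exe child: never fires.
    {"device_hostname": "WS03", "baseImage": "svchost.exe",
     "commandLine": "svchost.exe -k netsvcs", "parentBaseImage": "WmiPrvSE.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, discovery_parent_allowlist=("ccmexec.exe",)):
        print(hit["SuspicionScore"], hit["host"], hit["cmd"])
```

Running it untuned surfaces five hits, the inventory event included with a SuspicionScore of 0, which is exactly how the query behaves: pure discovery arguments pass the `where` filter but earn no score, so low-score rows are where tuning effort pays off. With the allowlist applied the inventory row disappears while the remote process creation still tops the list at 2.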
Data Sources
Required Tables
False Positives & Tuning
- Legitimate system management tools such as SCCM, Puppet, or Chef that issue wmic.exe queries for asset inventory (logicaldisk get, os get, computersystem get) as part of scheduled discovery tasks.
- WmiPrvSE.exe spawning legitimate child processes from vendor-installed WMI providers for backup agents (Veeam, Commvault) or monitoring software during data collection jobs.
- Security operations teams running PowerShell-based WMI queries (Get-CimInstance, Get-WmiObject) for forensic investigation, threat hunting, or compliance auditing on managed endpoints.
Other platforms for T1047
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMI Local Process Creation via wmic.exe
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'process call create calc.exe'. Second Sysmon Event ID 1: Process Create with Image=calc.exe and ParentImage=WmiPrvSE.exe (note: wmiprvse.exe, not wmic.exe, is the actual parent). Security Event ID 4688 (if command line auditing enabled) for both wmic.exe and calc.exe.
- Test 2: Remote WMI Process Execution via PowerShell Invoke-WmiMethod
Expected signal: Sysmon Event ID 1: powershell.exe process creation with CommandLine containing 'Invoke-WmiMethod', 'Win32_Process', 'Create', and 'ComputerName'. Second Sysmon Event ID 1: cmd.exe with ParentImage=WmiPrvSE.exe (confirming WMI execution path). PowerShell ScriptBlock Log Event ID 4104 with full Invoke-WmiMethod call. Sysmon Event ID 3: network connection to 127.0.0.1 on port 135 (DCOM).
- Test 3: WMI System Enumeration and Discovery
Expected signal: Four separate Sysmon Event ID 1 entries for wmic.exe, each with distinct CommandLine arguments (os get, process list, service where, nicconfig get). Security Event ID 4688 equivalents if audit policy enabled. No network events expected for local-only enumeration. Each invocation generates a process creation event with the full command line.
- Test 4: WMI Shadow Copy Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'shadowcopy list brief'. Security Event ID 4688 equivalent with command line. No child processes created. No file system modification. The 'shadowcopy' keyword in the CommandLine is the detection trigger.
References (12)
- https://attack.mitre.org/techniques/T1047/
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.mandiant.com/resources/reports
- https://github.com/nccgroup/wmi-forensics
- https://www.secureworks.com/blog/wmi-persistence
- https://www.cybereason.com/blog/wmi-lateral-movement-win32-process
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions