title: Windows Management Instrumentation (T1047)
id: df00tech-t1047
status: experimental
description: "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a built-in Windows administration framework that provides a uniform interface for accessing system components, processes, services, and hardware. Adversaries leverage WMI for local and remote command execution, process creation via Win32_Process, service manipulation, shadow copy deletion, and lateral movement via DCOM (port 135) or WinRM (port 5985/5986). The wmic.exe CLI tool has been widely abused but is deprecated in Windows 11+; modern attacks increasingly use PowerShell cmdlets (Invoke-WmiMethod, Get-CimInstance) and direct COM APIs. Real-world abusers include Emotet (WMI to launch PowerShell), SUNBURST (Win32_SystemDriver enumeration), INC Ransom (WMIC-based ransomware deployment), menuPass (wmiexec.vbs lateral movement), Gamaredon Group, and numerous ransomware families that delete shadow copies via wmic.exe."
references:
  - https://attack.mitre.org/techniques/T1047/
  - https://df00tech.com/detections/T1047
author: df00tech
date: 2026/04/16
tags:
  - attack.t1047
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators using wmic.exe or PowerShell WMI cmdlets for legitimate remote management (asset inventory, service health checks, software deployment)"
  - "Backup agents and VSS-aware applications that enumerate or interact with shadow copies via WMI (e.g., Veeam, Acronis, Windows Server Backup)"
  - "Enterprise monitoring tools (SCCM, SCOM, SolarWinds, Tanium) that spawn processes via wmiprvse.exe during scheduled inventory collection or remediation tasks"
  - "Security scanners and vulnerability assessment tools (Tenable, Qualys, Rapid7) that use WMI to enumerate installed software, OS configuration, and services"
  - "IT automation scripts (Ansible over WinRM, custom PowerShell DSC configurations) that legitimately use Win32_Process or Win32_Service classes"
  - "Windows Update and Windows Installer operations that trigger wmiprvse.exe child process spawning during patch installation"
level: high
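# Added example, not part of the df00tech rule or its KQL/SPL query: the selection above is a
# placeholder (`EventID: '*'`), so this shows what a concrete process_creation matcher for the
# behaviours named in the description looks like (wmic.exe shadow copy deletion, wmic /node:
# remote process creation, wmiprvse.exe spawning a shell, PowerShell Invoke-WmiMethod against
# Win32_Process). Field names follow the Sigma process_creation convention (Image, CommandLine,
# ParentImage); the events, host name and vendor paths below are constructed for this example.

```python
import re

# Constructed sample events using Sigma process_creation field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:FILESRV01 process call create "cmd.exe /c whoami"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Inventory query by a scanner (see falsepositives): should not fire.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption,version",
     "ParentImage": r"C:\Program Files\ExampleScanner\scanner.exe"},
    # The WMI provider host itself starting under svchost: normal, should not fire.
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path):
    # Lower-case file name only, so the match is independent of install path and case.
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def _norm(event):
    return {
        "image": _basename(event.get("Image", "")),
        "parent": _basename(event.get("ParentImage", "")),
        "cmd": event.get("CommandLine", "").lower(),
    }


def _shadow_copy_delete(e):
    # Ransomware pattern from the description: wmic.exe deleting VSS shadow copies.
    return e["image"] == "wmic.exe" and re.search(r"shadowcopy\s+delete", e["cmd"]) is not None


def _remote_process_create(e):
    # Lateral movement pattern: wmic targeting another host and creating a process there.
    return (e["image"] == "wmic.exe" and "/node:" in e["cmd"]
            and re.search(r"process\s+call\s+create", e["cmd"]) is not None)


def _wmiprvse_spawns_shell(e):
    # Remote WMI execution lands as a child of the WMI provider host.
    return e["parent"] == "wmiprvse.exe" and e["image"] in SHELLS


def _powershell_wmi_process_create(e):
    # wmic.exe is deprecated on Windows 11+, so also cover the PowerShell cmdlet route.
    return (e["image"] in {"powershell.exe", "pwsh.exe"}
            and re.search(r"invoke-(wmi|cim)method", e["cmd"]) is not None
            and "win32_process" in e["cmd"])


RULES = [
    ("wmi_shadow_copy_delete", _shadow_copy_delete),
    ("wmic_remote_process_create", _remote_process_create),
    ("wmiprvse_spawns_shell", _wmiprvse_spawns_shell),
    ("powershell_wmi_process_create", _powershell_wmi_process_create),
]


def evaluate(event):
    """Return the names of all rules the event matches (empty list if none)."""
    e = _norm(event)
    return [name for name, check in RULES if check(e)]


def scan(events):
    """Return (index, matched_rule_names) for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        names = evaluate(ev)
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", names)
```

# Each matcher keys on the process image or parent image plus a command-line fragment, which is
# what keeps the inventory-style `wmic os get` from the falsepositives list out of the results;
# tuning per environment means adding parent-image or user allow-lists for the management and
# backup tools named above rather than loosening the command-line patterns.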
