← Back to Explore
sigmalowTTP
Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Detection Query
selection:
EventID: 4624
ProcessName|endswith: \WmiPrvSE.exe
condition: selection
Author
Thomas Patzke
Created
2019-12-04
Data Sources
windowssecurity
Platforms
windows
References
Tags
attack.executionattack.t1047
Raw Content
title: Successful Account Login Via WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detects successful logon attempts performed with WMI
references:
- Internal Research
author: Thomas Patzke
date: 2019-12-04
modified: 2024-01-17
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
ProcessName|endswith: '\WmiPrvSE.exe'
condition: selection
falsepositives:
- Monitoring tools
- Legitimate system administration
level: low