T1047

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) suc...

Windows

Detections

Sources

Threat Actors

BY SOURCE

47sigma20splunk_escu19elastic1kql

PROCEDURES (46)

Wmi14 detections

Auto-extracted: 14 detections for wmi

Service4 detections

Auto-extracted: 4 detections for service

Child Process3 detections

Auto-extracted: 3 detections for child process

Remote2 detections

Auto-extracted: 2 detections for remote

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Wmi2 detections

Auto-extracted: 2 detections for wmi

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Registry2 detections

Auto-extracted: 2 detections for registry

Lateral2 detections

Auto-extracted: 2 detections for lateral

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Shadow Cop2 detections

Auto-extracted: 2 detections for shadow cop

Powershell2 detections

Auto-extracted: 2 detections for powershell

Bypass2 detections

Auto-extracted: 2 detections for bypass

Privilege2 detections

Auto-extracted: 2 detections for privilege

Wmi2 detections

Auto-extracted: 2 detections for wmi

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Dll Hijack2 detections

Auto-extracted: 2 detections for dll hijack

Office2 detections

Auto-extracted: 2 detections for office

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Remote1 detections

Auto-extracted: 1 detections for remote

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Dll Hijack1 detections

Auto-extracted: 1 detections for dll hijack

Remote1 detections

Auto-extracted: 1 detections for remote

Dll Hijack1 detections

Auto-extracted: 1 detections for dll hijack

Evasion1 detections

Auto-extracted: 1 detections for evasion

Wmi1 detections

Auto-extracted: 1 detections for wmi

Bypass1 detections

Auto-extracted: 1 detections for bypass

Wmi1 detections

Auto-extracted: 1 detections for wmi

Dll Hijack1 detections

Auto-extracted: 1 detections for dll hijack

Office1 detections

Auto-extracted: 1 detections for office

Wmi1 detections

Auto-extracted: 1 detections for wmi

Privilege1 detections

Auto-extracted: 1 detections for privilege

Service1 detections

Auto-extracted: 1 detections for service

Lateral1 detections

Auto-extracted: 1 detections for lateral

Powershell1 detections

Auto-extracted: 1 detections for powershell

Bypass1 detections

Auto-extracted: 1 detections for bypass

Service1 detections

Auto-extracted: 1 detections for service

Wmi1 detections

Auto-extracted: 1 detections for wmi

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Registry1 detections

Auto-extracted: 1 detections for registry

Lateral1 detections

Auto-extracted: 1 detections for lateral

Powershell1 detections

Auto-extracted: 1 detections for powershell

Wmi1 detections

Auto-extracted: 1 detections for wmi

Remote1 detections

Auto-extracted: 1 detections for remote

Wmi1 detections

Auto-extracted: 1 detections for wmi

Windows Management Instrumentation

BY SOURCE

PROCEDURES (46)

THREAT ACTORS (42)

DETECTIONS (87)