T1047

Windows Management Instrumentation

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) suc...

Windows

Detections

Sources

Threat Actors

BY SOURCE

45sigma20splunk_escu19elastic1kql

PROCEDURES (46)

Wmi14 detections

Auto-extracted: 14 detections for wmi

Service4 detections

Auto-extracted: 4 detections for service

Child Process4 detections

Auto-extracted: 4 detections for child process

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Powershell3 detections

Auto-extracted: 3 detections for powershell

Bypass3 detections

Auto-extracted: 3 detections for bypass

Exfiltrat3 detections

Auto-extracted: 3 detections for exfiltrat

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Script Block2 detections

Auto-extracted: 2 detections for script block

Registry2 detections

Auto-extracted: 2 detections for registry

Lateral2 detections

Auto-extracted: 2 detections for lateral

Privilege2 detections

Auto-extracted: 2 detections for privilege

Office2 detections

Auto-extracted: 2 detections for office

Dll Hijack2 detections

Auto-extracted: 2 detections for dll hijack

Shadow Cop2 detections

Auto-extracted: 2 detections for shadow cop

Script Block1 detections

Auto-extracted: 1 detections for script block

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Wmi1 detections

Auto-extracted: 1 detections for wmi

Evasion1 detections

Auto-extracted: 1 detections for evasion

Lateral1 detections

Auto-extracted: 1 detections for lateral

Service1 detections

Auto-extracted: 1 detections for service

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Wmi1 detections

Auto-extracted: 1 detections for wmi

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Service1 detections

Auto-extracted: 1 detections for service

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Office1 detections

Auto-extracted: 1 detections for office

Bypass1 detections

Auto-extracted: 1 detections for bypass

Wmi1 detections

Auto-extracted: 1 detections for wmi

Dll Hijack1 detections

Auto-extracted: 1 detections for dll hijack

Service1 detections

Auto-extracted: 1 detections for service

Lateral1 detections

Auto-extracted: 1 detections for lateral

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Remote1 detections

Auto-extracted: 1 detections for remote

Persist1 detections

Auto-extracted: 1 detections for persist

Registry1 detections

Auto-extracted: 1 detections for registry

Powershell1 detections

Auto-extracted: 1 detections for powershell

Persist1 detections

Auto-extracted: 1 detections for persist

Evasion1 detections

Auto-extracted: 1 detections for evasion

Wmi1 detections

Auto-extracted: 1 detections for wmi

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Wmi1 detections

Auto-extracted: 1 detections for wmi

Windows Management Instrumentation

BY SOURCE

PROCEDURES (46)

THREAT ACTORS (39)

DETECTIONS (85)