Windows Management Instrumentation T1047

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.

Events covered

20 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 108 rules listed under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (39 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 56 | contains 40, regex_match 8, match 6, in 4, ends_with 2, eq 2, starts_with 2 | call, create, (?i)\s(os|logicaldisk|share|cpu|memorychip|useraccount|ni..., call , service
Image | 44 | ends_with 39, contains 3, wildcard 2, eq 1, starts_with 1 | \wmic.exe, \cmd.exe, \powershell.exe, \pwsh.exe, \certutil.exe
OriginalFileName | 38 | eq 38 | wmic.exe, powershell.exe, pwsh.dll, bitsadmin.exe, certoc.exe
process_name | 38 | eq 30, in 3, ends_with 2, match 2, regex_match 2 | wmic.exe, cmd.exe, certutil.exe, powershell.exe, pwsh.exe
EventID | 21 | eq 21 | 4688, 4104, 1, 10, 4103
parent_process_name | 20 | eq 14, in 2, match 2, regex_match 2, ends_with 1 | wmiprvse.exe, WmiPrvSE.exe, cmd.exe, (?i)(WmiPrvSE), (?i)(\x5cwbem\x5cwmiprvse\.exe)
event.type | 19 | eq 19 | start, change
process.args | 12 | eq 9, wildcard 3, contains 2, ends_with 1, starts_with 1 | create, delete, get, *-format*:*, *Reflection.Assembly*
ParentImage | 11 | ends_with 11, contains 1 | \wmiprvse.exe, \eqnedt32.exe, \excel.exe, \msaccess.exe, \explorer.exe
Type | 6 | eq 6 |
ScriptBlockText | 5 | contains 4, in 1 | active_users , basic_info , change_user , win32_service , *invoke-cimmethod*
EventType | 3 | starts_with 2, eq 1 | Image loaded, start
TargetFilename | 3 | regex_match 2, ends_with 1 | \\windows\\__, \\windows\\__1\d{9}\.\d{1,7}$, \wbem\wbemcomn.dll, c:\\__1\d{9}\.\d{1,7}$, d:\\__1\d{9}\.\d{1,7}$
c_process | 3 | lt 3 | 25
Hashes | 2 | contains 2 | imphash=16a48c3cabf98a9dc1bf02c07fe1ea00, imphash=1b1a3f43bf37b5bfe60751f2ee2f326e, imphash=37777a96245a3c74eb217308f3546f4c

Top indicator values (696 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
OriginalFileName | eq | wmic.exe | 33 | 61
OriginalFileName | eq | powershell.exe | 5 | 121
Image | ends_with | \wmic.exe | 26 | 61
Image | ends_with | \powershell.exe | 6 | 186
Image | ends_with | \pwsh.exe | 6 | 172
Image | ends_with | \cmd.exe | 5 | 134
Image | ends_with | \cscript.exe | 4 | 76
Image | ends_with | \mshta.exe | 4 | 69
Image | ends_with | \msiexec.exe | 4 | 25
Image | ends_with | \regsvr32.exe | 4 | 68
Image | ends_with | \rundll32.exe | 4 | 103
Image | ends_with | \wscript.exe | 4 | 78
event.type | eq | start | 18 | 241
process_name | eq | wmic.exe | 14 | 44
process_name | eq | cmd.exe | 7 | 75
process_name | eq | powershell.exe | 5 | 99
process_name | eq | cscript.exe | 4 | 22
process_name | eq | wscript.exe | 4 | 26
EventID | eq | 4688 | 9 | 312
EventID | eq | 4104 | 6 | 268
EventID | eq | 1 | 5 | 232
CommandLine | contains | call | 7 | 8
CommandLine | contains | create | 5 | 23
CommandLine | contains | process | 4 | 5
CommandLine | contains | cscript | 3 | 15
CommandLine | contains | mshta | 3 | 14
CommandLine | contains | regsvr32 | 3 | 15
CommandLine | contains | rundll32 | 3 | 26
ParentImage | ends_with | \wmiprvse.exe | 5 | 8
parent_process_name | eq | wmiprvse.exe | 5 | 11

Exclusions (116 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out; a new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
user.id | eq | S-1-5-18 | 5
CommandLine | contains | create | 2
CommandLine | contains | install | 1
CommandLine | contains | uninstall | 1
CommandLine | contains | /i | 1
CommandLine | contains | 127.0.0.1 | 1
CommandLine | contains | :// | 1
CommandLine | contains | \\\\ | 1
CommandLine | contains | \\dismhost.exe | 1
CommandLine | contains | c:\\windows\\ccm\\ | 1
CommandLine | contains | call | 1
Image | ends_with | \werfault.exe | 2
Image | ends_with | \wmiprvse.exe | 2
process_name | match | (?i)(werfault|wmiprvse)\.exe | 2
user | contains | authori|autori | 2
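As an added example (not the catalog's own code, nor any vendor's rule engine), the following Python evaluates the catalog's (field, operator, value) predicates and top-level not() exclusions over constructed process-creation events, to show why the wide-reach Image ends_with \wmic.exe indicator needs a CommandLine condition and the user.id eq S-1-5-18 exclusion before it gives useful signal. The sample events, the case-insensitive comparison and the operator semantics are assumptions made for the example.

```python
import fnmatch
import re

# Operators from the catalog's "How" column (lt and regex_match omitted). String
# comparison is treated as case-insensitive here; that is an assumption, not a page fact.
OPS = {
    "eq":          lambda v, x: v.lower() == x.lower(),
    "in":          lambda v, x: v.lower() in [i.lower() for i in x],
    "contains":    lambda v, x: x.lower() in v.lower(),
    "starts_with": lambda v, x: v.lower().startswith(x.lower()),
    "ends_with":   lambda v, x: v.lower().endswith(x.lower()),
    "wildcard":    lambda v, x: fnmatch.fnmatchcase(v.lower(), x.lower()),
    "match":       lambda v, x: re.search(x, v) is not None,  # page patterns carry (?i) inline
}

def holds(event, field, op, value):
    """Evaluate one (field, operator, value) predicate against a normalized event dict."""
    actual = event.get(field)
    return actual is not None and OPS[op](actual, value)

def rule_fires(event, selection, exclusions=()):
    """Every selection predicate must hold and no top-level not() exclusion may match."""
    return (all(holds(event, *p) for p in selection)
            and not any(holds(event, *p) for p in exclusions))

# Constructed sample process-creation events, not real telemetry (catalog field names).
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EVENTS = {
    "inventory":  {"Image": WMIC, "CommandLine": "wmic logicaldisk get name,size", "user.id": "S-1-5-21-1-1001"},
    "mgmt_agent": {"Image": WMIC, "CommandLine": 'wmic process call create "msiexec.exe /i agent.msi"', "user.id": "S-1-5-18"},
    "user_spawn": {"Image": WMIC, "CommandLine": 'wmic process call create "notepad.exe"', "user.id": "S-1-5-21-1-1001"},
    "provider":   {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "WmiPrvSE.exe -Embedding", "user.id": "S-1-5-18"},
}

# Broad indicator alone: the page's widest-reach Image value (61 rules corpus-wide).
INDICATOR_ONLY = [("Image", "ends_with", r"\wmic.exe")]
# Narrowed: the same indicator plus the CommandLine values this technique's rules look for.
COMBINED = INDICATOR_ONLY + [("CommandLine", "contains", w) for w in ("process", "call", "create")]
# The most-excluded path on the page: the SYSTEM account, user.id eq S-1-5-18.
EXCLUDE_SYSTEM = [("user.id", "eq", "S-1-5-18")]

def firing(selection, exclusions=()):
    """Names of the sample events on which a rule fires, in insertion order."""
    return [name for name, ev in EVENTS.items() if rule_fires(ev, selection, exclusions)]

if __name__ == "__main__":
    print("indicator only:", firing(INDICATOR_ONLY))            # ['inventory', 'mgmt_agent', 'user_spawn']
    print("combined      :", firing(COMBINED))                  # ['mgmt_agent', 'user_spawn']
    print("with exclusion:", firing(COMBINED, EXCLUDE_SYSTEM))  # ['user_spawn']
```

The three runs shrink the firing set from every wmic.exe launch to the one interactive-user process creation, which is the narrowing the Corpus reach and Exclusions columns are meant to guide.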

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 51 rules

Elastic 20 rules

Splunk 35 rules

Kusto 1 rule

YARA-L 1 rule