
Windows Management Instrumentation (T1047)

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads, locally or on remote hosts. WMI is the Windows infrastructure for management data and operations: an administration feature that gives scripts and programs a uniform interface to system components, which is why both administrators and attackers reach for it.

Events covered

14 catalog events are tagged with this technique by at least one rule. The Sysmon WMI events (19, 20, 21) cover persistence through permanent event subscriptions; the process, image-load, pipe and logon events cover the execution side.

Provider | Event ID | Title
Sysmon | 1 | Process creation
Sysmon | 7 | Image loaded
Sysmon | 10 | ProcessAccess
Sysmon | 11 | FileCreate
Sysmon | 17 | PipeEvent (Pipe Created)
Sysmon | 18 | PipeEvent (Pipe Connected)
Sysmon | 19 | WmiEvent (WmiEventFilter activity detected)
Sysmon | 20 | WmiEvent (WmiEventConsumer activity detected)
Sysmon | 21 | WmiEvent (WmiEventConsumerToFilter activity detected)
Security-Auditing | 4624 | An account was successfully logged on.
Security-Auditing | 4688 | A new process has been created.
Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access.
PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender | 1121 | Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Authoring guide

Patterns shared across the 48 rules listed under this technique below: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (15 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, ends_with, match, regex_match, in, is_null) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 35 | ends_with 32, match 2, eq 2 | \wmic.exe, \WMIC.exe, \rundll32.exe, \pwsh.exe, \powershell.exe
CommandLine | 28 | match 28 | call, process, create, uninstall, terminate
OriginalFileName | 25 | eq 25 | wmic.exe, PowerShell.EXE, pwsh.dll, HH.exe, WorkFolders.exe
ParentImage | 9 | ends_with 9 | \wmiprvse.exe, \EXCEL.EXE, \MSACCESS.EXE, \MSPUB.exe, \mmc.exe
ScriptBlockText | 5 | match 2, eq 2, in 1 | PathName, Win32_Service , StartMode, command_exec , gen_cli
EventID | 4 | eq 4 | 4104, 10
Hashes | 2 | match 2 | IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00, IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E, IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
process_name | 2 | ends_with 2 | \wmiprvse.exe, \psexesvc.exe, \WmiPrvSE.exe
user | 2 | ends_with 1, match 1 | $, AUTORI, AUTHORI
TargetFilename | 2 | regex_match 1, ends_with 1 | C:\\__1\d{9}\.\d{1,7}$, \\Windows\\__1\d{9}\.\d{1,7}$, D:\\__1\d{9}\.\d{1,7}$, \wbem\wbemcomn.dll
ParentCommandLine | 1 | match 1 | taskeng.exe, svchost.exe -k netsvcs
RelativeTargetName | 1 | ends_with 1 | \wbem\wbemcomn.dll
LogonId | 1 | is_null 1, eq 1 | 0x3e7, null
ImageLoaded | 1 | ends_with 1 | \wbem\wbemcomn.dll
GrantedAccess | 1 | in 1 | "0x1478", "0x1fffff"

Top indicator values (305 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means no rule outside this technique checks the combination.

Field | Kind | Value | Rules (here) | Corpus reach
OriginalFileName | eq | wmic.exe | 23 | 33
Image | ends_with | \wmic.exe | 13 | 37
Image | ends_with | \WMIC.exe | 10 | 12
CommandLine | match | call | 6 | 7
Image | ends_with | \pwsh.exe | 5 | 140
Image | ends_with | \powershell.exe | 5 | 143
Image | ends_with | \msiexec.exe | 4 | 21
Image | ends_with | \cscript.exe | 4 | 64
Image | ends_with | \wscript.exe | 4 | 64
Image | ends_with | \regsvr32.exe | 4 | 57
Image | ends_with | \rundll32.exe | 4 | 76
CommandLine | match | cmd.exe | 3 | 92
Image | ends_with | \schtasks.exe | 3 | 45
CommandLine | match | create | 3 | 8
CommandLine | match | process | 3 | 3
OriginalFileName | eq | PowerShell.EXE | 3 | 64
Image | ends_with | \mshta.exe | 3 | 57
CommandLine | match | cscript | 3 | 12
CommandLine | match | rundll32 | 3 | 19
CommandLine | match | wscript | 3 | 12
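The two tables above describe the normalized operators and the noisy-versus-specific distinction in the abstract. The following Python is an added example, not code from the catalog or from any vendor's rule engine: it implements the operators from the How column, assembles three rule shapes from indicators in the tables, and runs them over constructed Sysmon Event ID 1 records. The event records, the rule names (noisy_alone, remote_exec, wmiprvse_child) and the treatment of match as case-insensitive substring containment are assumptions for the illustration; the field names are the catalog's normalized ones.

```python
"""Added example: evaluate normalized detection predicates over constructed
Sysmon Event ID 1 records. Not part of the rule catalog."""
import re
from typing import Any, Callable, Sequence

Predicate = tuple[str, str, Any]  # (field, operator, value)


def _s(v: Any) -> str:
    return "" if v is None else str(v)


# Operators from the How column. Each takes (event value, rule value).
# String operators are case-insensitive, which is Sigma's default for string
# modifiers and matters here because \wmic.exe and \WMIC.exe both appear in
# the tables. 'match' is treated as substring containment (an assumption).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda ev, rv: _s(ev).lower() == _s(rv).lower(),
    "ends_with": lambda ev, rv: _s(ev).lower().endswith(_s(rv).lower()),
    "match": lambda ev, rv: _s(rv).lower() in _s(ev).lower(),
    "in": lambda ev, rv: _s(ev).lower() in {_s(x).lower() for x in rv},
    "regex_match": lambda ev, rv: re.search(rv, _s(ev)) is not None,
    "is_null": lambda ev, rv: ev is None,
}


def predicate_hits(event: dict, pred: Predicate) -> bool:
    field, op, value = pred
    return OPERATORS[op](event.get(field), value)


def rule_hits(event: dict, selection: Sequence[Predicate],
              exclusions: Sequence[Predicate] = ()) -> bool:
    """Sigma-style condition: every selection predicate holds, no exclusion does."""
    return (all(predicate_hits(event, p) for p in selection)
            and not any(predicate_hits(event, p) for p in exclusions))


# Constructed sample events (normalized field names, Sysmon Event ID 1).
EVENTS = [
    {  # benign: local inventory query from a helpdesk script
        "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "wmic os get caption,version",
        "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\helpdesk"},
    {  # remote process creation through WMI
        "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": 'wmic /node:"FS01" process call create "cmd.exe /c whoami"',
        "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {  # renamed wmic.exe: Image no longer ends with \wmic.exe, OriginalFileName still does
        "EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "wmic.exe",
        "CommandLine": "svchost.exe process call create notepad.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {  # the receiving side of a remote 'process call create': WmiPrvSE spawns a shell
        "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "User": r"NT AUTHORITY\NETWORK SERVICE"},
]

# Three rule shapes built from indicators in the tables above.
NOISY_ALONE = [("Image", "ends_with", r"\wmic.exe")]  # corpus reach 37: also fires on inventory
REMOTE_EXEC = [("OriginalFileName", "eq", "wmic.exe"),  # survives renaming the binary
               ("CommandLine", "match", "process"),
               ("CommandLine", "match", "call"),
               ("CommandLine", "match", "create")]
WMIPRVSE_CHILD = [("ParentImage", "ends_with", r"\wmiprvse.exe"),
                  ("Image", "ends_with", r"\cmd.exe")]
MACHINE_ACCOUNTS = [("User", "ends_with", "$")]  # the 'user ends_with $' exclusion pattern

RULES = {
    "noisy_alone": (NOISY_ALONE, ()),
    "remote_exec": (REMOTE_EXEC, ()),
    "wmiprvse_child": (WMIPRVSE_CHILD, MACHINE_ACCOUNTS),
}


def evaluate(events: Sequence[dict] = EVENTS) -> dict[str, list[int]]:
    """Return, per rule name, the indexes of the events it fires on."""
    return {name: [i for i, e in enumerate(events) if rule_hits(e, sel, exc)]
            for name, (sel, exc) in RULES.items()}


if __name__ == "__main__":
    for name, idx in evaluate().items():
        print(f"{name:15s} -> events {idx}")
```

Running it shows the point the Corpus reach column makes: noisy_alone fires on events 0 and 1 (the inventory query and the remote execution alike), remote_exec fires on 1 and 2 (including the renamed binary, because it keys on OriginalFileName and the command-line verbs rather than the image path), and wmiprvse_child fires only on 3, the child process on the target host.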

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.

Sigma 43 rules

Splunk 4 rules

Kusto Query Language 1 rule