
DET0364 Behavioral Detection Strategy for WMI Execution Abuse on Windows

| Item | Value |
|---|---|
| ID | DET0364 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1047 (Windows Management Instrumentation)

Analytics

AN1031 (Windows)

Detects adversarial abuse of WMI to execute local or remote commands via WMIC, PowerShell, or the COM API through a multi-event chain: process creation, command execution, and, where execution is remote, the corresponding outbound network connection from the same process.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| WMI Creation (DC0008) | WinEventLog:WMI | EventCode=5857, 5858, 5860, 5861 |
Mutable Elements

| Field | Description |
|---|---|
| WMIQueryScope | Restrict detection scope to suspicious WMI namespaces such as \root\cimv2 and \root\subscription. |
| TimeWindow | Maximum allowable time window for correlating WMI process creation with remote connections. |
| UserContext | Tune based on interactive vs. system-level execution (e.g., via SYSTEM or low-privileged users). |
| RemoteDestinationThreshold | Number of unique remote hosts contacted using WMI within a time window. |
| SuspiciousCommandPatterns | Regex patterns to identify adversary-like usage (e.g., wmic process call, powershell Invoke-WmiMethod). |
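The correlation described by AN1031 and its mutable elements, as an added worked example (not part of the ATT&CK page or any vendor rule): Sysmon EventCode=1 records whose command line matches SuspiciousCommandPatterns are enriched with the same process's EventCode=3/22 records and with WMI-Activity records (5857, 5858, 5860, 5861) in an in-scope namespace that fall inside TimeWindow, then scored using RemoteDestinationThreshold and UserContext. The event dictionaries, field names, tunable values, and scoring scheme are constructed assumptions for illustration; a real deployment would read normalized events from the SIEM and tune the thresholds to the environment.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the Mutable Elements table; the concrete values are assumptions.
TIME_WINDOW = timedelta(seconds=60)                         # TimeWindow
REMOTE_DESTINATION_THRESHOLD = 3                            # RemoteDestinationThreshold
WMI_QUERY_SCOPE = {"root\\cimv2", "root\\subscription"}     # WMIQueryScope (normalized)
SUSPICIOUS_COMMAND_PATTERNS = [                             # SuspiciousCommandPatterns
    re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\b", re.I),
    re.compile(r"\bInvoke-WmiMethod\b", re.I),
]
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM"}                     # UserContext: system-level execution


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def _namespace(event):
    # Normalize "\root\cimv2" / "ROOT\CIMV2" to "root\cimv2" for scope matching.
    return event.get("Namespace", "").lower().lstrip("\\")


def correlate(events):
    """Return one alert per Sysmon EventCode=1 whose command line matches a
    suspicious WMI pattern. Each alert carries the process's network records
    (EventCode=3 remote hosts, EventCode=22 DNS queries) and any in-scope
    WMI-Activity events that occurred within TIME_WINDOW of process start."""
    procs = [e for e in events if e["Channel"] == "Sysmon" and e["EventCode"] == 1]
    conns = [e for e in events if e["Channel"] == "Sysmon" and e["EventCode"] in (3, 22)]
    wmi = [e for e in events if e["Channel"] == "WMI" and e["EventCode"] in (5857, 5858, 5860, 5861)]
    alerts = []
    for p in procs:
        if not any(rx.search(p["CommandLine"]) for rx in SUSPICIOUS_COMMAND_PATTERNS):
            continue
        t0 = _ts(p)

        def in_window(e):
            return t0 <= _ts(e) <= t0 + TIME_WINDOW

        pconns = [c for c in conns if c["ProcessGuid"] == p["ProcessGuid"] and in_window(c)]
        remote_hosts = sorted({c["DestinationIp"] for c in pconns if c["EventCode"] == 3})
        dns_queries = sorted({c["QueryName"] for c in pconns if c["EventCode"] == 22})
        wmi_hits = [w for w in wmi if in_window(w) and _namespace(w) in WMI_QUERY_SCOPE]
        # Scoring (assumed): local WMI execution is medium; any remote target raises
        # it; fan-out past the threshold or an in-scope WMI event raises it further.
        score = 1
        score += 1 if remote_hosts else 0
        score += 1 if len(remote_hosts) >= REMOTE_DESTINATION_THRESHOLD else 0
        score += 1 if wmi_hits else 0
        alerts.append({
            "process_guid": p["ProcessGuid"],
            "user": p["User"],
            "system_context": p["User"] in SYSTEM_USERS,
            "remote_hosts": remote_hosts,
            "dns_queries": dns_queries,
            "wmi_event_codes": sorted({w["EventCode"] for w in wmi_hits}),
            "severity": {1: "medium", 2: "high"}.get(score, "critical"),
        })
    return alerts


# Constructed sample events (not real telemetry). GUIDs, users and IPs are placeholders.
SAMPLE_EVENTS = [
    # Benign WMIC query: no "process call", so it never becomes an alert.
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2025-10-21 10:00:00", "ProcessGuid": "{A}",
     "User": "CORP\\alice", "CommandLine": "wmic.exe os get caption"},
    # Local WMI execution under SYSTEM with no network activity.
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2025-10-21 10:01:00", "ProcessGuid": "{B}",
     "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "wmic process call create \"calc.exe\""},
    # Remote WMI execution fanning out to three hosts over DCOM (TCP 135).
    {"Channel": "Sysmon", "EventCode": 1, "UtcTime": "2025-10-21 10:05:00", "ProcessGuid": "{C}",
     "User": "CORP\\bob",
     "CommandLine": "powershell.exe -Command Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName srv1,srv2,srv3"},
    {"Channel": "Sysmon", "EventCode": 22, "UtcTime": "2025-10-21 10:05:01", "ProcessGuid": "{C}", "QueryName": "srv1.corp.local"},
    {"Channel": "Sysmon", "EventCode": 3, "UtcTime": "2025-10-21 10:05:02", "ProcessGuid": "{C}", "DestinationIp": "10.0.0.11", "DestinationPort": 135},
    {"Channel": "Sysmon", "EventCode": 3, "UtcTime": "2025-10-21 10:05:03", "ProcessGuid": "{C}", "DestinationIp": "10.0.0.12", "DestinationPort": 135},
    {"Channel": "Sysmon", "EventCode": 3, "UtcTime": "2025-10-21 10:05:04", "ProcessGuid": "{C}", "DestinationIp": "10.0.0.13", "DestinationPort": 135},
    # WMI-Activity event in an in-scope namespace inside {C}'s window.
    {"Channel": "WMI", "EventCode": 5857, "UtcTime": "2025-10-21 10:05:05", "Namespace": "\\root\\cimv2"},
    # Connection from {C} after TIME_WINDOW has elapsed: must not be attributed to the alert.
    {"Channel": "Sysmon", "EventCode": 3, "UtcTime": "2025-10-21 10:07:30", "ProcessGuid": "{C}", "DestinationIp": "10.0.0.14", "DestinationPort": 135},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block against the constructed sample yields two alerts: a medium one for the local SYSTEM-context WMIC execution and a critical one for the PowerShell process that reached three hosts and coincided with an in-scope WMI-Activity event. The late connection at 10:07:30 is excluded by TimeWindow, which is the knob to widen if your environment shows WMI sessions that take longer to set up.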