
t1047

Title
administrative scripts that use the same keywords.
administrator may execute impersonate wmi object script for auditing. filter is needed.
administrators may execute this command for testing or auditing.
administrators may leverage wmi and powershell.exe to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.
administrators may use this legitimately to gather info from remote systems. filter as needed.
although uncommon, administrators may leverage impacket's tools to start a process on remote systems for system administration or automation use cases.
although unlikely, administrators may use event subscriptions for legitimate purposes.
although unlikely, administrators may use wmi to execute commands for legitimate purposes.
although unlikely, administrators may use wmi to launch scripts for legitimate purposes. filter as needed.
appvclient
ccm
false positives are expected (e.g. in environments where winrm is used legitimately)
false positives may be present based on third-party applications or administrators using cim. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
false positives should be limited as this analytic is designed to detect a specific utility. it is recommended to apply appropriate filters as needed to minimize the number of false positives.
legitimate applications may spawn powershell as a child process of the identified processes. filter as needed.
legitimate applications may trigger this behavior, filter as needed.
legitimate system administration
monitoring tools
network administrator or IT may execute this command for auditing processes and services.
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
some administrative tasks on remote host
some software may create wmi temporary event subscriptions for various purposes. the included search contains an exception for two of these that occur by default on windows 10 systems. you may need to modify the search to create exceptions for other legitimate events.
the wmic.exe utility is a benign windows application. it may be used legitimately by administrators with these parameters for remote system administration, but it's relatively uncommon.
unlikely
windows administrator tasks or troubleshooting
windows management scripts or software
winrm