LoFP / although unlikely, administrators may use WMI to execute commands for legitimate purposes.

Techniques

Sample rules

Process Execution via WMI

Description

The following analytic identifies WmiPrvSE.exe (the WMI Provider Host) spawning a child process. This typically occurs when a process is instantiated on a local or remote host through WMI, for example with wmic.exe. During triage, review parallel processes for suspicious behavior or commands executed, and examine the process and command line spawned from WmiPrvSE.exe. Contain and remediate the endpoint as necessary.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `process_execution_via_wmi_filter`
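To make the search above concrete outside Splunk, here is an added Python re-implementation of the same detection logic run over a few constructed process-creation events. This is example code written for this page, not the Splunk rule or any LoFP code. It assumes event dictionaries whose keys mirror the Endpoint.Processes fields named in the search (after `drop_dm_object_name`), epoch-second timestamps, and models the `process_execution_via_wmi_filter` tuning macro as a hypothetical allowlist of (host, process_name) pairs, which is exactly the knob a defender turns to absorb the "administrators may use WMI legitimately" false positive.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry), shaped like normalised
# Endpoint.Processes rows: one benign explorer.exe child, two copies of a
# cmd.exe spawned by WmiPrvSE.exe on ws01, and one WMI-spawned inventory tool
# on srv02 that the hypothetical tuning filter below allowlists.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "explorer.exe",
     "parent_process": "C:\\Windows\\explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe C:\\notes.txt",
     "process_id": 4100, "parent_process_id": 1200},
    {"_time": 1700000100, "dest": "ws01", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_process_name": "WmiPrvSE.exe",
     "parent_process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c hostname",
     "process_id": 5200, "parent_process_id": 3300},
    {"_time": 1700000160, "dest": "ws01", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_process_name": "WmiPrvSE.exe",
     "parent_process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c hostname",
     "process_id": 5200, "parent_process_id": 3300},
    {"_time": 1700000300, "dest": "srv02", "user": "CORP\\svc-inventory",
     "parent_process_name": "wmiprvse.exe",
     "parent_process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "process_name": "inventory.exe", "process": "inventory.exe --collect",
     "process_id": 7700, "parent_process_id": 2100},
]

# Fields the search groups by (the "by" clause, after drop_dm_object_name).
GROUP_BY = ("dest", "user", "parent_process", "process_name", "process",
            "process_id", "parent_process_id")

# Hypothetical stand-in for the `process_execution_via_wmi_filter` macro:
# (dest, process_name) pairs an analyst has confirmed as legitimate WMI use.
WMI_ALLOWLIST = {("srv02", "inventory.exe")}


def is_wmi_spawn(event):
    """The `where Processes.parent_process_name=WmiPrvSE.exe` clause.
    Splunk matches the value case-insensitively, so normalise before comparing."""
    return event.get("parent_process_name", "").lower() == "wmiprvse.exe"


def ctime(epoch):
    """Mirror security_content_ctime: epoch seconds -> readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def process_execution_via_wmi_filter(row):
    """Return True when the row survives tuning (i.e. is not allowlisted)."""
    return (row["dest"], row["process_name"]) not in WMI_ALLOWLIST


def run_detection(events, apply_filter=True):
    """Stats stage: count, min(_time) and max(_time) per group-by tuple,
    then the tuning filter. Returns the rows the analyst would triage."""
    groups = defaultdict(list)
    for ev in events:
        if is_wmi_spawn(ev):
            groups[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=ctime(min(times)),
                   lastTime=ctime(max(times)))
        if not apply_filter or process_execution_via_wmi_filter(row):
            rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} {hit['process']} x{hit['count']} "
              f"{hit['firstTime']} .. {hit['lastTime']}")
```

Run as written, the two identical cmd.exe events collapse into one row with `count=2` and a first/last time span, which is the shape the Splunk `tstats` output takes; the srv02 inventory row is dropped by the allowlist. Calling `run_detection(SAMPLE_EVENTS, apply_filter=False)` shows both rows, which is the untuned view worth checking when deciding what to allowlist.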