Detection Library
high · production · Windows · Network · T1047

Lateral Movement via WMI Remote Execution

Detects remote WMI execution commonly used for lateral movement, persistence, and command execution across network hosts.

Updated Sep 10, 2024 · Detection Engineering Team

wmi · lateral-movement · windows · remote-execution

Problem Statement

WMI provides a legitimate Windows management interface that attackers abuse for remote code execution. It generates little network noise and often evades traditional security tooling, so the most reliable signal is on the endpoint: child processes spawned by the WMI provider host (WmiPrvSE.exe).

Sample Logs

{
  "EventID": 4688,
  "Computer": "CORP-SERVER02",
  "SubjectUserName": "CORP\\svc-backup",
  "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
  "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
  "CommandLine": "cmd.exe /c net user hacker P@ssw0rd123 /add"
}

Required Fields

ParentProcessName
NewProcessName
CommandLine
Computer
SubjectUserName

False Positives

  • Legitimate WMI-based management tools
  • Monitoring agents using WMI
  • Software inventory solutions

Tuning Guidance

Whitelist known WMI management tools and their expected child processes. Score events by account context: a child process spawned under an interactive user account is a stronger signal than one under a service account that routinely drives WMI-based tooling.
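The detection and tuning logic described above, as an added example that is not the library's own rule code: it parses 4688 events as one JSON object per line, matches on a WmiPrvSE.exe parent, drops whitelisted child processes, and scores by account context. The allowlist path, the "svc-" naming convention for service accounts, and the sample events other than the one shown on this page are constructed assumptions.

```python
import json
from typing import Dict, Iterable, List, Optional

# Added example, not the library's own rule: flag 4688 events whose parent
# is the WMI provider host, then apply the tuning guidance above.
WMI_PARENT_SUFFIX = r"\wbem\wmiprvse.exe"
# Constructed allowlist of child images known inventory tooling spawns (hypothetical path).
ALLOWED_CHILDREN = {r"c:\program files\invagent\collector.exe"}


def is_service_account(user: str) -> bool:
    # Constructed convention: "svc-" prefix or machine account ("$" suffix).
    account = user.split("\\", 1)[-1].lower()
    return account.startswith("svc-") or account.endswith("$")


def evaluate_event(event: Dict) -> Optional[Dict]:
    """Return an alert for a WMI-spawned child process, else None."""
    if event.get("EventID") != 4688:
        return None
    parent = event.get("ParentProcessName", "").lower()
    if not parent.endswith(WMI_PARENT_SUFFIX):
        return None
    if event.get("NewProcessName", "").lower() in ALLOWED_CHILDREN:
        return None  # expected child of a whitelisted WMI management tool
    user = event.get("SubjectUserName", "")
    # Interactive user context is the stronger signal; service accounts
    # routinely drive WMI-based agents, so they are scored lower.
    severity = "medium" if is_service_account(user) else "high"
    return {"host": event.get("Computer"), "user": user, "severity": severity,
            "child": event.get("NewProcessName"),
            "command": event.get("CommandLine")}


def scan(lines: Iterable[str]) -> List[Dict]:
    """Parse one JSON event per line and keep only the alerts."""
    results = [evaluate_event(json.loads(ln)) for ln in lines if ln.strip()]
    return [alert for alert in results if alert]


# Constructed sample events: the page's event, a whitelisted agent, an interactive user.
WMI_HOST = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_LOGS = [json.dumps(e) for e in [
    {"EventID": 4688, "Computer": "CORP-SERVER02", "SubjectUserName": r"CORP\svc-backup",
     "ParentProcessName": WMI_HOST, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user hacker P@ssw0rd123 /add"},
    {"EventID": 4688, "Computer": "CORP-WS11", "SubjectUserName": r"CORP\svc-inv",
     "ParentProcessName": WMI_HOST, "CommandLine": "collector.exe --scan",
     "NewProcessName": r"C:\Program Files\InvAgent\collector.exe"},
    {"EventID": 4688, "Computer": "CORP-WS11", "SubjectUserName": r"CORP\jdoe",
     "ParentProcessName": WMI_HOST, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]]
```

Running `scan(SAMPLE_LOGS)` yields two alerts: the page's svc-backup event at medium severity and the interactive jdoe event at high, while the whitelisted collector is suppressed.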