T1047 · Execution · Hard difficulty

Windows Management Instrumentation

Windows Management Instrumentation (T1047) is a MITRE ATT&CK technique in the Execution tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Tools: XDR, SIEM

What is Windows Management Instrumentation?

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is a Windows administration feature that provides a uniform interface for local and remote access to Windows system components. It allows scripted interaction with the operating system, hardware, software, and network devices. Attackers leverage WMI for execution because it is a trusted, built-in Windows component that is rarely blocked by application control policies. WMI can be used to execute commands locally or on remote systems, create permanent event subscriptions that persist across reboots, and interact with operating system components without spawning obvious command shell processes. WMI event subscriptions, which can trigger command execution based on system events such as user logon, process creation, or network connection establishment, are a particularly stealthy persistence mechanism because they do not create scheduled tasks or registry run keys that are commonly monitored.

Windows Management Instrumentation is documented as technique T1047 in the MITRE ATT&CK knowledge base under the Execution tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Windows Management Instrumentation activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for WMI process execution through wmiprvse.exe spawning child processes, as legitimate WMI operations rarely require spawning command interpreters or network utilities as direct children of the WMI provider host.

2. Alert on WMI permanent event subscriptions being created or modified, particularly instances of the EventFilter, EventConsumer, and FilterToConsumerBinding classes, which are the three components of WMI-based persistence.

3. Detect remote WMI execution by monitoring for DCOM-based connections to port 135 followed by dynamic high-port connections between internal hosts, combined with process creation events on the target system.

4. Monitor the PowerShell Invoke-WMIMethod and Get-WMIObject cmdlets when used with the -ComputerName parameter specifying remote hosts, as these are commonly used for WMI-based lateral movement and remote execution.

5. Correlate WMI activity with network connections and file system events, as attackers using WMI for execution typically download and execute payloads that generate secondary indicators detectable through endpoint telemetry.
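As an added example (not code from this page or from SOCSimulator), the following detector applies strategies 1 and 2 to constructed Sysmon-style telemetry, and escalates a WMI-spawned command line seen on several hosts to critical, as in the lateral-execution alert below. Field names follow Sysmon event IDs 1, 19, 20 and 21; host names and command lines are constructed.

```python
# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs). EventID 1 is
# process creation; EventID 19/20/21 are WMI EventFilter / EventConsumer / Binding activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS-001", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -enc AAAA"},
    {"EventID": 1, "Host": "WS-002", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -enc AAAA"},
    {"EventID": 1, "Host": "WS-003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # benign: not WMI-spawned
    {"EventID": 19, "Host": "WS-DEV-015", "Name": "LogonTrigger",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LogonSession'"},
    {"EventID": 20, "Host": "WS-DEV-015", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc AAAA"},
    {"EventID": 21, "Host": "WS-DEV-015", "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="LogonTrigger"'},
]

# Children that the WMI provider host almost never needs to launch during normal administration.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_wmi_spawned_interpreter(ev):
    """Strategy 1: wmiprvse.exe directly spawning a command interpreter or script host."""
    return (ev.get("EventID") == 1 and basename(ev["ParentImage"]) == "wmiprvse.exe"
            and basename(ev["Image"]) in INTERPRETERS)

def is_wmi_subscription_event(ev):
    """Strategy 2: creation of an EventFilter (19), EventConsumer (20) or Binding (21)."""
    return ev.get("EventID") in (19, 20, 21)

def detect(events, spread_threshold=2):
    """Return (severity, rule, host, detail) tuples. A WMI-spawned command line seen on
    spread_threshold or more distinct hosts is escalated to critical (lateral execution)."""
    findings, hosts_by_cmd = [], {}
    for ev in events:
        if is_wmi_spawned_interpreter(ev):
            hosts_by_cmd.setdefault(ev["CommandLine"], set()).add(ev["Host"])
            findings.append(("high", "wmi_child_process", ev["Host"], ev["CommandLine"]))
        elif is_wmi_subscription_event(ev):
            detail = ev.get("Query") or ev.get("Destination") or ev.get("Consumer")
            findings.append(("high", "wmi_subscription", ev["Host"], detail))
    for cmd, hosts in hosts_by_cmd.items():
        if len(hosts) >= spread_threshold:
            findings.append(("critical", "wmi_lateral_execution", ",".join(sorted(hosts)), cmd))
    return findings
```

In production the three subscription events would be joined on the filter and consumer names so the analyst sees the full trigger-to-payload chain in one alert.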

Example Alerts

These realistic alert examples show what Windows Management Instrumentation looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Critical · XDR

WMI Used to Execute Payload on Remote Systems

WMI process wmiprvse.exe spawned cmd.exe on 15 systems within 6 minutes, each executing the same Base64-encoded PowerShell command that downloads and runs a remote access tool. The WMI execution was initiated remotely using domain administrator credentials from a compromised server. This WMI-based lateral execution leaves fewer artifacts than PsExec and evades many endpoint security tools.

High · SIEM

Malicious WMI Event Subscription Created for Persistence

WMI activity monitoring detected creation of a new WMI event subscription on workstation WS-DEV-015. The subscription triggers on user logon events and executes a PowerShell script stored within the WMI repository itself, requiring no files on disk. This fileless persistence mechanism survives reboots and evades file-based scanning while maintaining reliable execution on every user authentication.

Medium · XDR

WMI Reconnaissance Commands Executed

Sequence of WMI queries executed through wmic.exe collecting system information including installed software, running processes, network configuration, and logged-in user details. These reconnaissance queries were run across 8 different systems using the same compromised service account within a 12-minute window, indicating systematic environment mapping using WMI as a living-off-the-land discovery tool.

Practice Detecting Windows Management Instrumentation

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Windows Management Instrumentation. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Windows Management Instrumentation?
SOC analysts detect Windows Management Instrumentation (T1047) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. A key detection method is monitoring for WMI process execution through wmiprvse.exe spawning child processes, as legitimate WMI operations rarely require spawning command interpreters or network utilities as direct children of the WMI provider host. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Windows Management Instrumentation?
Windows Management Instrumentation can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the execution phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Windows Management Instrumentation in real-world attacks?
Windows Management Instrumentation is a well-documented MITRE ATT&CK technique in the Execution tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Windows Management Instrumentation scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Windows Management Instrumentation for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Execution techniques like Windows Management Instrumentation. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.