Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Detection of logins performed with WMI

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Detects suspicious and uncommon child processes of WmiPrvSE

Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.

Detects WmiPrvSE spawning a process

Detects the creation of the default output filename used by the wmiexec tool

Detects the execution of WMIC in order to get a list of firewall and antivirus products

Detects the execution of WMIC in order to get a list of firewall and antivirus products

Detects a suspicious child process of Script Event Consumer (scrcons.exe).

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Detects various execution patterns of the CrackMapExec pentesting framework

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.

Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information

Detects new process creation using WMIC via the "process call create" flag

Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts

Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.

An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable

Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.

Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts

Detects the execution of WMIC to query information on a remote system

Uninstall an application with wmic

Detects usage of wmic to start or stop a service

Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).

Detects non wmiprvse loading WMI modules

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Detects suspicious encoded payloads in WMI Event Consumers

Detects the WMI Event Consumer service scrcons.exe creating a named pipe

Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts

Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.

Detects parameters used by WMImplant

Detects blocking of process creations originating from PSExec and WMI commands

Attempts to detect system changes made by Blue Mockingbird

Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE