This note documents detection patterns related to WMIExec within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | Network logon to remote system using admin credentials. |
| Security | 4672 | Special privileges assigned | High | Administrative privileges used for remote execution. |
| Security | 4688 | Process created | Critical | Process spawned via WMI provider on remote host. |
| Sysmon | 1 | Process creation | Critical | cmd.exe or powershell.exe spawned by wmiprvse.exe. |
| Sysmon | 3 | Network connection | Medium | WMI RPC communication between hosts. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| wmiprvse spawning shell | wmiprvse.exe → cmd.exe or powershell.exe | Critical | Classic WMIExec execution chain. |
| Remote process creation | Command execution initiated remotely | High | Typical lateral movement behavior. |
| RPC traffic between hosts | DCOM/WMI traffic from attacker machine | Medium | Supports execution activity. |
## Common Tools
| Tool | Usage |
|---|---|
| Impacket wmiexec.py | Remote command execution via WMI. |
| CrackMapExec | Automated WMI command execution. |
| PowerShell Invoke-WmiMethod | Native WMI execution technique. |
## Relevant Artifacts
- Security logs (4624, 4672, 4688)
- Sysmon process creation logs
- RPC network telemetry
- EDR telemetry for WMI activity
- Prefetch artifacts
## MITRE ATT&CK References
- T1047 Windows Management Instrumentation
- T1021.003 Remote Services: WMI
## Decision Tree
- Detect process creation from wmiprvse.exe.
- Identify remote initiating host.
- Verify administrative authentication.
- Inspect executed command.
- Determine lateral movement spread.
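The decision tree above, walked over constructed sample telemetry, as an added example that is not part of the original note. It correlates Sysmon Event ID 1 (process creation) with Security 4624 (logon) and 4672 (special privileges) through the logon ID, so each wmiprvse.exe child is enriched with the remote source host, whether the session was administrative, the command that ran, and finally how many hosts the same source reached. The field names (`logon_id`, `parent_image`, `ip`, and so on) are assumptions modelled on a SIEM's parsed records, not any product's schema, and the events are constructed.

```python
"""Walk the WMIExec decision tree over constructed Security/Sysmon events."""
from collections import defaultdict
import ntpath

SHELLS = {"cmd.exe", "powershell.exe"}
NETWORK_LOGON = 3  # 4624 LogonType 3: logon over the network, as WMI/DCOM uses

# Constructed sample events (field names are assumptions, not a real schema).
SAMPLE_EVENTS = [
    # WS01: network logon with admin privileges, then WmiPrvSE spawns cmd.exe
    {"source": "Security", "event_id": 4624, "host": "WS01", "logon_id": "0x3e7a1",
     "logon_type": 3, "user": "CORP\\jdoe", "ip": "10.0.0.5"},
    {"source": "Security", "event_id": 4672, "host": "WS01", "logon_id": "0x3e7a1"},
    {"source": "Sysmon", "event_id": 1, "host": "WS01", "logon_id": "0x3e7a1",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /Q /c whoami"},
    # WS02: same source IP and user, WmiPrvSE spawns powershell.exe
    {"source": "Security", "event_id": 4624, "host": "WS02", "logon_id": "0x5c210",
     "logon_type": 3, "user": "CORP\\jdoe", "ip": "10.0.0.5"},
    {"source": "Security", "event_id": 4672, "host": "WS02", "logon_id": "0x5c210"},
    {"source": "Sysmon", "event_id": 1, "host": "WS02", "logon_id": "0x5c210",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -c Get-Process"},
    # Local service logon (type 5), no 4672 in this window, non-shell child:
    # constructed so the low-severity branch of the tree is exercised.
    {"source": "Security", "event_id": 4624, "host": "WS01", "logon_id": "0x4f0",
     "logon_type": 5, "user": "CORP\\svc-inventory", "ip": "-"},
    {"source": "Sysmon", "event_id": 1, "host": "WS01", "logon_id": "0x4f0",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec.exe /i agent.msi /quiet"},
    # Unrelated cmd.exe under explorer.exe: must not be flagged at all.
    {"source": "Sysmon", "event_id": 1, "host": "WS01", "logon_id": "0x9999",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so WmiPrvSE.exe == wmiprvse.exe."""
    return ntpath.basename(path).lower()


def triage(events):
    """Steps 1-4: flag wmiprvse.exe children and enrich them from 4624/4672."""
    logons = {e["logon_id"]: e for e in events if e["event_id"] == 4624}
    admin_sessions = {e["logon_id"] for e in events if e["event_id"] == 4672}
    findings = []
    for e in events:
        # Step 1: process creation whose parent is wmiprvse.exe
        if e["event_id"] != 1 or basename(e["parent_image"]) != "wmiprvse.exe":
            continue
        logon = logons.get(e["logon_id"], {})
        remote = logon.get("logon_type") == NETWORK_LOGON  # step 2: remote origin
        admin = e["logon_id"] in admin_sessions            # step 3: admin session
        shell = basename(e["image"]) in SHELLS
        if remote and admin and shell:
            severity = "critical"
        elif remote and shell:
            severity = "high"
        elif remote or shell:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "host": e["host"],
            "source_ip": logon.get("ip"),
            "user": logon.get("user"),
            "remote": remote,
            "admin": admin,
            "shell": shell,
            "command_line": e["command_line"],  # step 4: inspect the command
            "severity": severity,
        })
    return findings


def lateral_spread(findings):
    """Step 5: hosts reached per remote source IP, to size the spread."""
    spread = defaultdict(set)
    for f in findings:
        if f["remote"] and f["source_ip"]:
            spread[f["source_ip"]].add(f["host"])
    return {ip: sorted(hosts) for ip, hosts in spread.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(h["severity"], h["host"], h["source_ip"], h["command_line"])
    print(lateral_spread(hits))
```

The severity ladder is the tree's own ordering: a remote, administrative session spawning a shell under wmiprvse.exe is the classic chain, while a local service logon launching an installer is the kind of benign WMI activity that only the parent check would otherwise lump in with it.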
## Example Detection Templates

### KQL

Defender's `==` is case-sensitive and the binary on disk is named `WmiPrvSE.exe`, so use the case-insensitive operator:

```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wmiprvse.exe"
```

### EQL

The ECS field is `process.parent.name`; the `:` operator compares case-insensitively:

```eql
process where process.parent.name : "wmiprvse.exe"
```

### Sigma

```yaml
title: Suspicious WMIExec Execution
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    # leading backslash so only the file name itself matches, not any image ending in wmiprvse.exe
    ParentImage|endswith: '\wmiprvse.exe'
  condition: selection
level: high
```
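How the Sigma selection above is actually applied, as an added example that is not from the original note or the Sigma project. It implements just enough of Sigma's matching semantics (fields inside a selection are ANDed, a list of values is ORed, and `|endswith`, `|startswith` and `|contains` compare case-insensitively) to run the note's broad rule and a tuned variant over constructed process_creation events. The tuned selection and its `filter` block, and the `inventory-agent` string it exempts, are hypothetical tuning for this example, not part of the note.

```python
"""Minimal evaluator for Sigma-style process_creation selections."""

# The note's rule: every child of wmiprvse.exe.
BROAD_RULE = {"selection": {"ParentImage|endswith": "\\wmiprvse.exe"}}

# Hypothetical tuned rule: only command shells, minus one expected benign
# launcher (condition would read "selection and not filter").
TUNED_RULE = {
    "selection": {
        "ParentImage|endswith": "\\wmiprvse.exe",
        "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
    },
    "filter": {"CommandLine|contains": "inventory-agent"},
}

# Constructed Sysmon-style events using the field names Sigma's
# process_creation log source expects (Image, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /Q /c whoami"},
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
    # Hypothetical benign shell launch that the filter block exempts.
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Tools\\inventory-agent.cmd"},
    # Non-shell child: broad rule fires, tuned rule does not.
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i agent.msi /quiet"},
    # Different parent: neither rule fires.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def _field_matches(key, expected, event):
    """One 'Field|modifier: value(s)' entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for exp in candidates:
        exp = str(exp).lower()  # Sigma string matching is case-insensitive
        if modifier == "endswith" and value.endswith(exp):
            return True
        if modifier == "startswith" and value.startswith(exp):
            return True
        if modifier == "contains" and exp in value:
            return True
        if modifier == "" and value == exp:
            return True
    return False


def _block_matches(block, event):
    """All fields in a selection or filter block must match (AND)."""
    return all(_field_matches(k, v, event) for k, v in block.items())


def rule_matches(rule, event):
    """Condition 'selection' or, when a filter block exists, 'selection and not filter'."""
    if not _block_matches(rule["selection"], event):
        return False
    flt = rule.get("filter")
    return not (flt and _block_matches(flt, event))


def evaluate(rule, events):
    """Return the child image file names the rule fires on, in event order."""
    return [e["Image"].rsplit("\\", 1)[-1] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print("broad:", evaluate(BROAD_RULE, SAMPLE_EVENTS))
    print("tuned:", evaluate(TUNED_RULE, SAMPLE_EVENTS))
```

The leading backslash in `\wmiprvse.exe` is what keeps an image whose name merely ends in `wmiprvse.exe` from matching; the evaluator shows that a parent such as `notwmiprvse.exe` is rejected while the real `WmiPrvSE.exe` path matches regardless of case.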
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| WMI restrictions | Limit remote WMI permissions | High | Reduces remote execution. |
| Monitoring | Alert on wmiprvse child processes | High | Strong detection signal. |
| Credential hygiene | Limit admin credential reuse | Critical | Prevents lateral movement. |