Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely.The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:"\<hostname\>" process call create "\<command line\>". It is possible to also connect via IP address, in which case the string "\<hostname\>" would instead look like IP Address.

ATT&CK Detection

Technique Tactic Level of Coverage
Windows Management Instrumentation Execution  

Pseudocode

Looks for instances of wmic.exe as well as the substrings in the command line

  • process call create
  • /node:
processes = search Process:Create
wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*")
output wmic

Additional Notes:

Although this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.

Data Model References

Object Action Field
process create exe
process create command_line