CAR-2016-03-002: Create Remote Process via WMIC
Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely.The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:"\<hostname\>" process call create "\<command line\>". It is possible to also connect via IP address, in which case the string "\<hostname\>" would instead look like IP Address.
ATT&CK Detection
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Windows Management Instrumentation | Execution |
Pseudocode
Looks for instances of wmic.exe as well as the substrings in the command line
process call create/node:
processes = search Process:Create
wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*")
output wmic
Additional Notes:
Although this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |