Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely.The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility
wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like
wmic.exe /node:"\<hostname\>" process call create "\<command line\>". It is possible to also connect via IP address, in which case the string
"\<hostname\>" would instead look like
Although this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|Windows Management Instrumentation||N/A||Execution||Low|
|D3-PSA||Process Spawn Analysis|
Data Model References
Looks for instances of wmic.exe as well as the substrings in the command line:
process call create
processes = search Process:Create wmic = filter processes where (exe == "wmic.exe" and command_line == "* process call create *" and command_line == "* /node:*") output wmic
Splunk version of the above pseudocode.
index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\wmic.exe" CommandLine="* process call create *"|search CommandLine="* /node:*"
EQL version of the above pseudocode.
process where subtype.create and (process_name == "wmic.exe" and command_line == "* process call create ") |filter command_line == "* /node:*"
LogPoint version of the above pseudocode.
norm_id=WindowsSysmon event_id=1 image="C:\\Windows\\*\\wmic.exe" command="* process call create *" command="* /node:*"