Skip to content
Threat Feed
high advisory

Suspicious Remote Process Instantiation via WMI

Detection of wmic.exe execution with parameters indicative of spawning a process on a remote system, a technique often used for lateral movement and remote code execution.

This brief focuses on detecting the abuse of Windows Management Instrumentation Command-line (WMIC) for remote process creation. The technique involves using wmic.exe with specific parameters to initiate processes on remote systems within a network. Adversaries and red teams commonly leverage this to achieve lateral movement and execute code remotely. WMIC, while a legitimate system administration tool, can be exploited to run arbitrary commands on other machines, potentially leading to further compromise. The Splunk ES-CU analytic Remote Process Instantiation via WMI, published on 2026-03-23, identifies command-line executions indicative of this behavior. Defenders should monitor for suspicious WMIC commands to prevent unauthorized remote process execution. This technique is associated with threat actors involved in ransomware and lateral movement campaigns.

Attack Chain

  1. The attacker gains initial access to a compromised system through various means (e.g., phishing, exploiting vulnerabilities).
  2. The attacker discovers other systems on the network using tools like net view or nbtscan.
  3. The attacker uses wmic.exe to execute a process on a remote machine using the node, process, call, and create parameters. Example: wmic /node:TARGET process call create "cmd.exe /c whoami > \\\\VICTIM\\C$\\users\\public\\result.txt"
  4. The remote system executes the command specified in the create parameter.
  5. The attacker retrieves the output of the executed command (e.g., result.txt in the example) to gather information about the remote system.
  6. The attacker escalates privileges on the remote system if possible.
  7. The attacker moves laterally to other systems, repeating steps 3-6.
  8. The attacker achieves their objective (e.g., data exfiltration, ransomware deployment) across the compromised network.

Impact

Successful exploitation of WMI for remote process instantiation can lead to widespread compromise within an organization's network. Attackers can execute arbitrary code on multiple systems, potentially leading to data theft, system disruption, or ransomware deployment. This technique can be used to propagate malware rapidly across a network, impacting potentially all Windows-based systems. The lack of native logging or alerting for this specific WMI usage makes it difficult to detect without dedicated monitoring.

Recommendation

  • Enable Sysmon process creation logging (Event ID 1) and Windows Security Auditing (Event ID 4688) to capture the necessary command-line and process execution data for the Sigma rules below.
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious wmic.exe executions related to remote process creation.
  • Investigate any alerts generated by the Sigma rules, focusing on the user, source, and destination systems involved.
  • Review and restrict the use of WMIC in your environment to only authorized personnel and purposes.
  • Monitor for network connections originating from systems running suspicious WMIC commands.

Detection coverage 2

Detect Remote Process Creation via WMIC

high

Detects the execution of wmic.exe with parameters to spawn a process on a remote system.

sigma tactics: execution, lateral_movement techniques: T1047 sources: process_creation, windows

Suspicious WMIC Process Creation String

medium

Detects wmic.exe containing suspicious process call parameters

sigma tactics: execution, lateral_movement techniques: T1047 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →