Suspicious Remote Process Instantiation via WMI
Detection of wmic.exe execution with parameters indicative of spawning a process on a remote system, a technique often used for lateral movement and remote code execution.
This brief focuses on detecting the abuse of Windows Management Instrumentation Command-line (WMIC) for remote process creation. The technique involves using wmic.exe with specific parameters to initiate processes on remote systems within a network. Adversaries and red teams commonly leverage this to achieve lateral movement and execute code remotely. WMIC, while a legitimate system administration tool, can be exploited to run arbitrary commands on other machines, potentially leading to further compromise. The Splunk ES-CU analytic Remote Process Instantiation via WMI, published on 2026-03-23, identifies command-line executions indicative of this behavior. Defenders should monitor for suspicious WMIC commands to prevent unauthorized remote process execution. This technique is associated with threat actors involved in ransomware and lateral movement campaigns.
Attack Chain
- The attacker gains initial access to a compromised system through various means (e.g., phishing, exploiting vulnerabilities).
- The attacker discovers other systems on the network using tools like
net viewornbtscan. - The attacker uses
wmic.exeto execute a process on a remote machine using thenode,process,call, andcreateparameters. Example:wmic /node:TARGET process call create "cmd.exe /c whoami > \\\\VICTIM\\C$\\users\\public\\result.txt" - The remote system executes the command specified in the
createparameter. - The attacker retrieves the output of the executed command (e.g.,
result.txtin the example) to gather information about the remote system. - The attacker escalates privileges on the remote system if possible.
- The attacker moves laterally to other systems, repeating steps 3-6.
- The attacker achieves their objective (e.g., data exfiltration, ransomware deployment) across the compromised network.
Impact
Successful exploitation of WMI for remote process instantiation can lead to widespread compromise within an organization's network. Attackers can execute arbitrary code on multiple systems, potentially leading to data theft, system disruption, or ransomware deployment. This technique can be used to propagate malware rapidly across a network, impacting potentially all Windows-based systems. The lack of native logging or alerting for this specific WMI usage makes it difficult to detect without dedicated monitoring.
Recommendation
- Enable Sysmon process creation logging (Event ID 1) and Windows Security Auditing (Event ID 4688) to capture the necessary command-line and process execution data for the Sigma rules below.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious
wmic.exeexecutions related to remote process creation. - Investigate any alerts generated by the Sigma rules, focusing on the user, source, and destination systems involved.
- Review and restrict the use of WMIC in your environment to only authorized personnel and purposes.
- Monitor for network connections originating from systems running suspicious WMIC commands.
Detection coverage 2
Detect Remote Process Creation via WMIC
highDetects the execution of wmic.exe with parameters to spawn a process on a remote system.
Suspicious WMIC Process Creation String
mediumDetects wmic.exe containing suspicious process call parameters
Detection queries are available on the platform. Get full rules →