Product
high
threat
Persistence via WMI Standard Registry Provider
3 rules 1 TTP
The rule identifies the use of Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence by detecting registry changes made by WmiPrvSe.exe in specific registry paths.
Windows Management Instrumentation
persistence
registry
wmi
windows
high
advisory
Volume Shadow Copy Deletion via WMIC
3 rules 2 TTPs
The rule detects the use of wmic.exe for shadow copy deletion on Windows endpoints, a common tactic used in ransomware or other destructive attacks to inhibit system recovery.
Windows Management Instrumentation +3
impact
windows
threat-detection
medium
advisory
WMI Incoming Lateral Movement
3 rules 2 TTPs
Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host, indicating potential adversary lateral movement.
HPWBEM +3
lateral-movement
wmi
windows