https://feed.craftedsignal.io/tags/wmi/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 16 Mar 2026 19:03:04 +0000https://feed.craftedsignal.io/briefs/2024-05-stealthy-wmi-exec/Mon, 16 Mar 2026 19:03:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-05-stealthy-wmi-exec/The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.The information describes a lateral movement technique leveraging Windows Management Instrumentation (WMI) using a tool named StealthyWMIExec.py. This tool aims to provide a “stealthy” approach to executing commands on remote systems. The original post on Reddit’s blueteamsec forum, dating back to March 2026, discusses a method for achieving lateral movement while potentially bypassing traditional security monitoring that focuses on standard command execution patterns. Defenders should consider that adversaries might try to use WMI for command execution to blend in with legitimate activity and evade detection.

Attack Chain

1. Attacker gains initial access to a system within the target network.
2. Attacker uses valid credentials or exploits a vulnerability to authenticate to a remote host.
3. Attacker uses the StealthyWMIExec.py script (or similar WMI-based execution tool).
4. The script establishes a WMI connection to the target machine.
5. The script executes commands on the remote host using WMI’s Win32_Process class.
6. The output of the executed command is retrieved via WMI.
7. The attacker uses the information obtained to further compromise the network or achieve other objectives.

Impact

Successful exploitation via WMI-based lateral movement can lead to the compromise of multiple systems within a network. This can lead to data exfiltration, ransomware deployment, or other malicious activities, depending on the attacker’s objectives. The use of “stealthy” techniques may allow attackers to remain undetected for longer periods, increasing the potential damage.

Recommendation

• Monitor WMI event logs (Event ID 5861, 5857, 5858, 5859) for suspicious WMI activity indicative of lateral movement.
• Implement the Sigma rules provided to detect unusual WMI process creation and script execution.
• Enable and review process creation logs (Sysmon Event ID 1) with command-line arguments to identify suspicious WMI activity.
• Restrict WMI access to authorized users and systems only to limit the attack surface for this technique.

]]>mediumadvisorylateral-movementwmiwindowshttps://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/Tue, 09 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-wmi-image-load/Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.This detection rule identifies suspicious image loading of wmiutils.dll from Microsoft Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, MSPUB.EXE, MSACCESS.EXE). Adversaries can use this technique to execute code and evade traditional parent/child processes spawned from Microsoft Office products. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI).

Attack Chain

1. User opens a malicious Microsoft Office document (e.g., Word, Excel).
2. The document contains a macro or exploit that triggers the execution of WMI commands.
3. The Office application spawns a WMI process or utilizes existing WMI infrastructure.
4. The WMI process loads the wmiutils.dll library, which is unusual for normal Office operations.
5. The WMI commands execute malicious code, potentially downloading or executing further payloads.
6. The attacker establishes persistence through WMI event subscriptions or other methods.
7. The attacker performs lateral movement using WMI to execute commands on other systems.

Impact

Successful exploitation allows attackers to execute arbitrary code, establish persistence, and move laterally within the network, potentially leading to data exfiltration, system compromise, or ransomware deployment. While the number of victims is unknown, this technique can be used in targeted attacks against organizations that heavily rely on Microsoft Office applications.

Recommendation

• Deploy the Sigma rule “Suspicious WMI Image Load from MS Office” to your SIEM and tune for your environment.
• Enable Sysmon event ID 7 (Image Loaded) logging for comprehensive image load monitoring as suggested in the setup instructions.
• Monitor process creation events for Microsoft Office applications spawning WMI-related processes (e.g., wbemtest.exe, wmic.exe) to detect potential WMI abuse.
• Implement network segmentation to limit lateral movement in case of a successful WMI-based attack.

]]>mediumadvisorywmiimage loadofficeexecutionhttps://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.Attackers can leverage the Windows Management Instrumentation (WMI) to execute commands for reconnaissance and enumeration within a compromised system. This involves spawning native Windows tools via the WMI Provider Service (WMIPrvSE). This activity is often used to gather system and network information in a stealthy manner, which could be part of a larger attack, such as lateral movement or privilege escalation. This behavior matters because it allows adversaries to gather information about the target environment without using easily detectable methods, potentially leading to further compromise.

Attack Chain

1. The attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).
2. The attacker uses WMI to execute a reconnaissance command.
3. WMIPrvSE.exe is invoked to execute the attacker’s specified command.
4. The attacker executes commands such as ipconfig.exe, net.exe, or systeminfo.exe via WMIPrvSE.exe to gather network configuration details, user information, and system information.
5. The enumerated information is collected and potentially exfiltrated to a command and control server.
6. The attacker uses the gathered information to identify further targets within the network.
7. The attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.
8. The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.

Impact

Successful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about the system and network environment. This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.

Recommendation

• Enable Sysmon process creation logging to capture the execution of enumeration commands (Data Source: Sysmon).
• Deploy the Sigma rule “Enumeration Command Spawned via WMIPrvSE” to your SIEM to detect suspicious WMIPrvSE activity (Sigma rule).
• Investigate any instances of WMIPrvSE spawning common enumeration tools such as net.exe, ipconfig.exe, or systeminfo.exe (Sigma rule).
• Implement network segmentation to limit the scope of potential lateral movement following successful enumeration (Attack Chain).

]]>mediumadvisoryenumerationwmidiscoveryexecutionwindowshttps://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-wmi-lateral-movement/Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.This threat brief focuses on the detection of lateral movement within a Windows environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often exploited by adversaries to remotely execute processes, bypassing traditional security measures. This activity is detected by monitoring network connections and process executions, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. The goal is to highlight potential threats indicative of unauthorized lateral movement.

Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker uses WMI to initiate a connection to a remote host on port 135.
3. The svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.
4. WmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker’s WMI command.
5. The spawned process executes the attacker’s payload or command on the remote host.
6. The attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.

Impact

Successful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.

Recommendation

• Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.
• Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.
• Review and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.
• Isolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.
• Monitor network connections with destination port 135 for unusual activity.

]]>mediumadvisorylateral-movementwmiwindowshttps://feed.craftedsignal.io/briefs/2024-01-wmi-script-execution/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wmi-script-execution/The rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.This detection identifies the use of Windows script interpreters (cscript.exe or wscript.exe) to execute processes via Windows Management Instrumentation (WMI). Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters. The rule monitors for these interpreters executing processes via WMI, specifically when initiated by non-system accounts, indicating potential malicious intent. The detection focuses on identifying scenarios where wmiutils.dll is loaded by wscript.exe or cscript.exe, followed by wmiprvse.exe spawning a new process. This is often associated with malicious initial access or execution techniques.

Attack Chain

1. An attacker gains initial access via phishing (T1566) or other means.
2. The attacker leverages a script, such as VBScript or JavaScript (T1059.005, T1059.007), to execute commands using WMI.
3. The script interpreter (cscript.exe or wscript.exe) loads wmiutils.dll to interact with WMI.
4. The WMI Provider Host process (wmiprvse.exe) is invoked as a parent process, triggered by the script execution.
5. wmiprvse.exe executes a secondary process, such as powershell.exe, cmd.exe, or other executables, often from unusual locations like C:\\Users\\ or C:\\ProgramData\\.
6. The executed process performs malicious actions, such as downloading additional payloads or establishing persistence.
7. The attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.
8. The ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.

Impact

Successful exploitation allows attackers to execute arbitrary code, bypass security controls, and establish persistence on the compromised system. The use of WMI enables stealthy execution, making detection challenging. The impact can range from data theft and system compromise to full network takeover. In some cases, threat actors may deploy ransomware, leading to significant financial losses and operational disruption.

Recommendation

• Enable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to provide the necessary data for the provided Sigma rules.
• Deploy the provided Sigma rule “WMI Scripting Process Creation” to detect suspicious process creation events originating from wmiprvse.exe.
• Investigate any alerts generated by the provided Sigma rule “WMI Scripting Process Creation” with a focus on processes spawned by wmiprvse.exe from unusual locations or with suspicious command-line arguments.
• Implement endpoint protection policies to block or alert on the execution of high-risk processes when initiated by non-system accounts as mentioned in the overview.
• Regularly review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.

]]>mediumadvisorywindowswmiscript_executioninitial_accessexecutionhttps://feed.craftedsignal.io/briefs/2024-01-wmi-persistence/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wmi-persistence/Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.Windows Management Instrumentation (WMI) provides a powerful framework for managing Windows systems, but adversaries can abuse its capabilities to establish persistence. By creating WMI event subscriptions, attackers can execute arbitrary code in response to defined system events. This technique involves creating event filters, providers, consumers, and bindings that automatically run malicious code. This can be achieved through tools like wmic.exe, which allows the creation of event consumers such as ActiveScriptEventConsumer or CommandLineEventConsumer. Successful exploitation of WMI for persistence allows attackers to maintain unauthorized access to a compromised system, even after reboots or other system changes. This activity has been observed across various environments, highlighting the need for robust detection mechanisms to identify and prevent WMI-based persistence.

Attack Chain

1. An attacker gains initial access to a Windows system through unspecified means.
2. The attacker uses wmic.exe to create a WMI event filter that defines a specific event to monitor.
3. A WMI event consumer, such as ActiveScriptEventConsumer or CommandLineEventConsumer, is created using wmic.exe specifying the malicious code or script to execute when the event occurs.
4. A WMI binding is established between the event filter and the event consumer using wmic.exe, linking the event to the action.
5. The malicious WMI event subscription is activated, monitoring for the defined event.
6. When the specified event occurs, the WMI service triggers the execution of the associated malicious code or script through the event consumer.
7. The attacker gains persistent access to the system, as the WMI event subscription will re-activate after reboots.
8. The attacker can then perform additional malicious activities, such as lateral movement or data exfiltration.

Impact

Successful exploitation of WMI for persistence can allow an attacker to maintain long-term, unauthorized access to a compromised system. This can result in data theft, system compromise, and further malicious activities. While the exact number of victims is not specified in the source, the broad applicability of this technique means that many Windows systems are potentially at risk. If the attack succeeds, the attacker gains a foothold on the system that is difficult to detect and remove, which can lead to significant operational disruption and financial loss.

Recommendation

• Enable process creation logging and monitor for wmic.exe with command-line arguments related to creating event consumers, specifically ActiveScriptEventConsumer or CommandLineEventConsumer, to trigger the Sigma rule “Detect Suspicious WMIC Process”.
• Deploy the provided Sigma rule to your SIEM to detect suspicious WMI event subscription creation.
• Review the investigation steps outlined in the provided documentation to triage and analyze potential WMI persistence attempts.
• Monitor Windows Security Event Logs and Sysmon for events related to WMI activity for broader coverage.

]]>mediumadvisorypersistenceexecutionwindowswmihttps://feed.craftedsignal.io/briefs/2024-01-wmi-event-subscription/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wmi-event-subscription/This threat brief details the detection of malicious Windows Management Instrumentation (WMI) event subscriptions, a technique used by attackers for persistence and privilege escalation on Windows systems.Attackers abuse Windows Management Instrumentation (WMI) event subscriptions to establish persistence on compromised systems. By creating WMI event subscriptions that trigger malicious actions based on system events, adversaries can ensure their code executes automatically. This technique is particularly effective because WMI is a legitimate system administration tool, making malicious activity harder to detect. This rule focuses on detecting suspicious WMI event consumers, specifically CommandLineEventConsumer and ActiveScriptEventConsumer. The detection leverages Sysmon event code 21 and endpoint API events related to IWbemServices::PutInstance calls. The timeframe for the rule is set to look back 9 minutes.

Attack Chain

1. Attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
2. The attacker uses PowerShell or another scripting language to interact with the WMI service.
3. The attacker creates a new WMI event filter to monitor for a specific system event.
4. The attacker creates a WMI event consumer, such as CommandLineEventConsumer or ActiveScriptEventConsumer, to execute a malicious payload.
5. The attacker links the event filter and consumer by creating a WMI event subscription.
6. The malicious WMI event subscription persists across reboots.
7. When the specified event occurs, the malicious consumer executes the attacker’s payload.
8. The attacker maintains persistent access and can perform further malicious activities, such as data exfiltration or lateral movement.

Impact

Successful exploitation allows attackers to maintain persistent access to the compromised system, even after reboots or other system changes. This can lead to long-term data theft, system compromise, or the deployment of ransomware. While the number of victims is unknown, this technique can be used against a wide range of Windows systems.

Recommendation

• Enable Sysmon WMI event logging to capture event code 21, which is crucial for detecting WMI event subscription creation.
• Deploy the Sigma rule “Detect Suspicious WMI Event Subscription Creation” to your SIEM to identify potentially malicious WMI activity.
• Investigate any process associated with the IWbemServices::PutInstance API call, particularly those using CommandLineEventConsumer or ActiveScriptEventConsumer, as indicated in the Attack Chain section.
• Monitor for processes or activities around the time of the event to identify potential lateral movement or further persistence mechanisms as outlined in the overview.

]]>mediumadvisorypersistencewmiwindowsevent-subscriptionhttps://feed.craftedsignal.io/briefs/2024-01-wmi-reconnaissance/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-wmi-reconnaissance/Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.This brief focuses on detecting reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like Win32_Bios, Win32_OperatingSystem, Win32_Processor and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.

Attack Chain

1. An attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.
2. The attacker executes a PowerShell script, either directly or via a command-line interpreter like cmd.exe.
3. The PowerShell script uses the Get-WmiObject cmdlet or a direct WMI query with SELECT to query system information.
4. Specific WMI classes are targeted, including Win32_Bios, Win32_OperatingSystem, Win32_Processor, Win32_ComputerSystem, Win32_PnPEntity, Win32_ShadowCopy, Win32_DiskDrive, Win32_PhysicalMemory, Win32_BaseBoard, and Win32_DisplayConfiguration.
5. The script collects the data returned by the WMI queries.
6. The gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.
7. The attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.
8. The attacker executes further commands based on the gathered information.

Impact

Successful reconnaissance can provide attackers with a comprehensive understanding of the target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.

Recommendation

• Enable PowerShell Script Block Logging on all endpoints to capture the necessary data for detection (PowerShell Script Block Logging 4104).
• Deploy the Sigma rule Detect Suspicious WMI Reconnaissance via PowerShell to identify PowerShell scripts querying sensitive WMI classes.
• Investigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.
• Review and tune the Recon Using WMI Class detection filter (recon_using_wmi_class_filter) to reduce false positives in your environment.

]]>highadvisorypowershellwmireconnaissancelateral_movementwindows