WMI abuse has been a persistent fixture in adversary tradecraft for over a decade. The Picus Red Report 2024 ranked T1047 as the ninth most frequently used ATT&CK technique across the threat landscape. Red Canary's Threat Detection Report has identified Windows Management Instrumentation as a mainstay in their top 10 techniques, with Impacket's WMIexec module driving a significant share of the detections. Unlike many techniques that are primarily associated with a single tactic, WMI is genuinely multi-purpose: adversaries use it for execution, discovery, lateral movement, persistence, privilege escalation, and defense evasion. Its native presence on every Windows system since Windows NT, combined with its extensive legitimate use in enterprise management, makes it nearly impossible to disable and extremely difficult to monitor effectively.
T1047 is classified under the Execution tactic (TA0002) in the MITRE ATT&CK framework, reflecting WMI's primary adversarial use case: running commands and launching payloads. However, this classification understates the technique's versatility. WMI is simultaneously a discovery tool (querying system information, installed software, running processes), a lateral movement mechanism (executing commands on remote hosts), a persistence engine (WMI event subscriptions), and a defense evasion tool (deleting logs, disabling security services). This multi-tactic capability is what makes T1047 so dangerous and so widely adopted.
The WMI architecture consists of client tools (wmic.exe, PowerShell's Get-WmiObject and Get-CimInstance) and the server-side WMI Provider Host (wmiprvse.exe). When an adversary executes a WMI command to create a remote process, the resulting executable spawns as a child of wmiprvse.exe on the target system — not as a child of the calling process. This parent-child relationship is a key detection artifact. Remote WMI operates over DCOM (port 135) or WinRM (ports 5985/5986), and any action that can be performed locally via WMI can also be performed remotely, provided the proper credentials and firewall rules are in place.
How Adversaries Abuse WMI
WMI abuse falls into several distinct operational patterns, each serving different objectives in the attack chain.
Remote Process Execution
The most common and most impactful adversarial use of WMI is remote process creation via the Win32_Process class. The command wmic /node:"TARGET" process call create "cmd.exe /c payload.exe" launches a process on a remote machine using the calling user's credentials. This is WMI as a lateral movement tool — the adversary moves from one compromised host to another without deploying remote access tools or creating new services. The Impacket framework's wmiexec.py module automates this pattern and has become one of the most widely observed lateral movement tools in real-world incidents. Red Canary identifies Impacket's WMIexec as a primary driver of their T1047 detections.
Cobalt Strike includes built-in WMI execution capabilities, allowing operators to run commands on remote hosts through the framework's graphical interface. Conti ransomware operators used WMI extensively for lateral deployment, as documented in leaked operator playbooks. APT41, the Chinese dual-purpose espionage and cybercrime group, has been documented using both wmiexec.py and custom WMI tooling for lateral movement across compromised networks. Cinnamon Tempest (formerly DEV-0401) has used Impacket specifically for WMI-based lateral movement in ransomware deployment campaigns.
System Discovery and Reconnaissance
WMI provides rich, structured access to system data that adversaries exploit for reconnaissance. Common WMI discovery commands include wmic os get caption,version,buildnumber (OS details), wmic process get Caption,ExecutablePath (running processes with paths), wmic qfe list (installed patches), wmic computersystem get model,manufacturer (hardware info), wmic service brief (installed services), wmic volume list brief (disk volumes), and wmic product list brief (installed software). Volt Typhoon uses wmic commands including wmic volume list brief, wmic service brief, wmic product list brief, and wmic baseboard list full as part of its living-off-the-land reconnaissance against US critical infrastructure.
The WMI AntiVirusProduct class allows adversaries to enumerate installed security software without parsing the Uninstall registry key. The Win32_ComputerSystem class reveals domain membership, model information, and whether the system is a virtual machine. Gamaredon Group has used WMI to execute discovery scripts and determine C2 IP addresses on compromised Ukrainian government systems.
WMI Event Subscriptions for Persistence
WMI permanent event subscriptions provide one of the stealthiest persistence mechanisms available on Windows. A subscription consists of three components: an Event Filter (the trigger condition), an Event Consumer (the action to execute), and a Filter-to-Consumer Binding (connecting the two). An adversary can create a subscription that executes a payload whenever the system starts up, a user logs in, a specific process launches, or a time interval elapses — all without modifying the filesystem, registry Run keys, or scheduled tasks.
The ActiveScriptEventConsumer allows VBScript or JScript execution, while the CommandLineEventConsumer launches arbitrary commands. When a WMI event subscription fires, the resulting process spawns from scrcons.exe (the WMI script host) as a child of WmiPrvSE.exe. The Blue Mockingbird cryptominer campaign used WMI event subscriptions to maintain persistence, and APT29 leveraged WMI subscriptions as part of the SolarWinds compromise to ensure continued access to high-value targets.
Shadow Copy Deletion and Recovery Inhibition
Ransomware operators frequently use WMI to delete Volume Shadow Copies before encryption: wmic shadowcopy delete /nointeractive. This destroys the backup snapshots that would otherwise allow victims to recover files without paying the ransom. The WannaCry ransomware, Ryuk, Conti, REvil, AvosLocker, and MosesStaff have all been documented using this specific WMI command. It falls under T1490 (Inhibit System Recovery) but is executed through T1047 as the mechanism, demonstrating how WMI serves as an execution substrate for other techniques.
Defense Evasion via WMI
Adversaries use WMI to disable security controls and tamper with logging. The Win32_Service class can stop Windows Defender or other security services. The MSFT_NetFirewallProfile class can disable Windows Firewall rules. The NTEventLogFile class can clear Windows event logs. The COR_PROFILER environment variable, manipulated via WMI, can force malicious DLLs to load into every .NET process — a technique used by the Blue Mockingbird cryptominer to establish persistence within .NET application environments.
Why WMI Abuse Matters
Near-impossible to disable. WMI is deeply integrated into Windows management infrastructure. Disabling it breaks Group Policy processing, SCCM/Intune management, and many third-party monitoring and management tools. In enterprise environments, WMI is effectively a required service, which means adversaries can count on it being available on every Windows target.
Fileless execution. WMI-based execution can be entirely fileless. A remote process call create launches a binary already present on the target. WMI event subscriptions can execute scripts stored within the WMI repository itself, never touching the filesystem. This makes WMI abuse particularly difficult for traditional antivirus that relies on file scanning.
Native trust and blending. Because WMI is used constantly for legitimate management, adversarial WMI activity blends with normal operations. SCCM queries, monitoring tools, patch management systems, and administrative scripts all generate WMI traffic. Distinguishing malicious WMI commands from this background noise requires behavioral analysis and contextual detection rather than simple signature matching.
Multi-tactic versatility. No other single technique spans as many tactical objectives as WMI. It is simultaneously an execution mechanism, a discovery tool, a lateral movement vector, a persistence engine, and a defense evasion capability. An adversary who masters WMI has a single tool that serves them throughout the entire attack lifecycle.
Real-World Case Studies
Ryuk / TrickBot / BazarLoader — WMI as the Ransomware Deployment Engine
The Ryuk ransomware attack chain, typically delivered through TrickBot or BazarLoader, demonstrates WMI as a critical lateral movement and execution mechanism. In a documented incident analyzed by The DFIR Report, the attack progressed from initial BazarLoader infection through Cobalt Strike deployment to Ryuk ransomware deployment — with WMI serving as the primary lateral movement tool. Operators used wmic /node:TARGET process call create to execute the ransomware payload on machines across the network, combined with wmic shadowcopy delete to destroy backup copies before encryption began. The entire lateral deployment phase relied on WMI as the execution substrate, with no additional tools deployed to target machines.
APT41 — WMI and WMIExec for Espionage and Lateral Movement
APT41 (Double Dragon), the Chinese state-sponsored group that conducts both espionage and financially motivated operations, has been extensively documented using WMI for lateral movement. In their attack against Air India, Kaspersky researchers observed APT41 using Impacket's wmiexec.py and custom WMI-based tools to move laterally across the compromised network. In a separate campaign analyzed by DCSO CyTec, APT41 used WMI alongside other Impacket modules (atexec) for remote execution. The group's reliance on WMI reflects its advantages for a sophisticated espionage actor: the traffic blends with legitimate management activity, no additional tooling needs to be deployed to target systems, and the execution leaves minimal filesystem artifacts.
Volt Typhoon — WMI Discovery Commands Against US Critical Infrastructure
Volt Typhoon's living-off-the-land approach includes extensive use of WMI for system profiling. The Chinese state-sponsored group, targeting US critical infrastructure for pre-positioning purposes, uses multiple wmic commands as part of its post-compromise reconnaissance: wmic volume list brief, wmic service brief, wmic product list brief, and wmic baseboard list full. These commands provide comprehensive system data — disk volumes, installed services, software inventory, and hardware details — without requiring any non-native tools. The CISA/NSA joint advisory on Volt Typhoon specifically highlights WMI usage as part of the group's living-off-the-land technique inventory.
Medusa Ransomware — WMI for System Reconnaissance (2025)
The Medusa ransomware group, which escalated operations significantly through 2025, uses WMI to query system information on compromised hosts. According to Intel471's 2025 threat hunting case study on Medusa, the group uses WMI queries to enumerate system configuration, installed software, and running services before proceeding with data exfiltration and encryption. This WMI-based reconnaissance feeds into Medusa's double-extortion model, helping operators identify what data is worth stealing and which systems are worth encrypting.
HermeticWizard — WMI-Based Worm for Destructive Attacks on Ukraine (2022)
ESET researchers documented HermeticWizard, a worm component deployed alongside the HermeticWiper destructive malware in attacks against Ukrainian organizations in February 2022. HermeticWizard used WMI (Win32_Process create method) and SMB to spread the HermeticWiper payload across local networks. The worm enumerated network hosts, then used WMI remote execution to deploy and execute the wiper on each reachable machine. This demonstrates WMI as a lateral movement mechanism in destructive operations, not just espionage or ransomware — the worm's WMI-based propagation enabled rapid, automated deployment of destructive payloads across Ukrainian infrastructure.
Detection Strategies
WMI detection requires monitoring both the client side (who is executing WMI commands) and the server side (what wmiprvse.exe spawns as a result). Red Canary's analysis confirms that the most productive detection analytics rely on process and command monitoring, which are broadly available through commercial EDR products and native Windows event logging.
Sysmon Event IDs 19, 20, and 21 specifically capture WMI event subscription activity: Event Filter creation (19), Event Consumer creation (20), and Filter-to-Consumer binding (21). These are low-volume, high-fidelity events that rarely generate false positives because legitimate software infrequently creates permanent WMI event subscriptions. Enabling these Sysmon events is one of the highest-value detection investments for T1047.
Key Monitoring Points
| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| Sysmon Event ID 1 (Process Creation) | wmic.exe execution with suspicious arguments | Flag wmic process call create, wmic /node: (remote execution), wmic shadowcopy delete, and wmic combined with service stop commands. Prioritize executions from non-administrative users or unexpected parent processes |
| Sysmon Event ID 1 | wmiprvse.exe child processes | Flag suspicious child processes of wmiprvse.exe, especially cmd.exe, powershell.exe, mshta.exe, scrcons.exe, and any unsigned executables. On the target machine, remotely executed WMI processes spawn as children of wmiprvse.exe |
| Sysmon Event IDs 19, 20, 21 | WMI event subscription creation | Alert on all WMI event filter creation (19), consumer creation (20), and binding (21) events. Legitimate software rarely creates permanent WMI subscriptions, making these high-fidelity detection events |
| PowerShell Script Block Logging (Event ID 4104) | Get-WmiObject, Invoke-WmiMethod, Get-CimInstance | Flag PowerShell WMI cmdlets combined with Win32_Process create, remote computer parameters, or shadow copy operations |
| Network Traffic (Port 135, 5985/5986) | DCOM and WinRM traffic patterns | Monitor for DCOM traffic (port 135) and WinRM traffic (ports 5985/5986) between workstations, which may indicate WMI-based lateral movement. Legitimate WMI management traffic typically flows from management servers to endpoints, not between peer workstations |
| Windows Security Event ID 4688 | Process creation with WMI-related command lines | Flag wmic process creation events, especially those containing /node:, process call create, or shadowcopy delete in the command line |
| Windows WMI Activity Log | WMI operational events | Enable and monitor Microsoft-Windows-WMI-Activity/Operational log for WMI query and execution events, especially those from remote connections |
Splunk Detection Queries
Query 1: WMI Remote Process Execution
Detects WMI-based remote process execution, the primary lateral movement pattern for T1047. This is one of the highest-value detection rules for WMI abuse.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
process_name=wmic.exe CommandLine="*process*call*create*"
| rex field=CommandLine "(?i)/node:\"?(?<remote_target>[^\s\"]+)"
| eval execution_scope=if(isnotnull(remote_target), "remote", "local")
| table _time host user process_name CommandLine parent_process_name execution_scope remote_target
| sort -_time
Query 2: Suspicious Child Processes of WMI Provider Host
Detects processes spawned by wmiprvse.exe that indicate remote WMI execution on the target machine. When an adversary uses WMI to create a remote process, the resulting executable appears as a child of wmiprvse.exe.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
parent_process_name=wmiprvse.exe
(process_name=cmd.exe OR process_name=powershell.exe OR process_name=mshta.exe
OR process_name=scrcons.exe OR process_name=rundll32.exe
OR process_name=regsvr32.exe OR process_name=certutil.exe)
| table _time host user process_name CommandLine parent_process_name
| sort -_time
Query 3: WMI Event Subscription Creation (Persistence)
Detects creation of WMI permanent event subscriptions, one of the stealthiest persistence mechanisms available on Windows. Legitimate software rarely creates these subscriptions.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=19 OR EventCode=20 OR EventCode=21)
| eval subscription_type=case(
EventCode=19, "EventFilter",
EventCode=20, "EventConsumer",
EventCode=21, "FilterToConsumerBinding")
| table _time host subscription_type EventNamespace Name Query Destination
| sort -_time
Query 4: Shadow Copy Deletion via WMI
Detects ransomware pre-encryption activity: the use of WMI to delete Volume Shadow Copies, a technique used by WannaCry, Ryuk, Conti, REvil, and many other ransomware families.
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
((process_name=wmic.exe AND CommandLine="*shadowcopy*" AND CommandLine="*delete*")
OR (process_name=powershell.exe AND CommandLine="*Win32_ShadowCopy*" AND CommandLine="*Delete*"))
| table _time host user process_name CommandLine parent_process_name
| sort -_time
Known Threat Actors and Malware
T1047 is used by a remarkably broad cross-section of threat actors, from the most sophisticated state-sponsored groups to commodity malware and ransomware-as-a-service affiliates.
State-Sponsored Espionage
| Actor / Malware | Attribution | T1047 Usage |
|---|---|---|
| APT41 | China | WMIExec and Impacket for lateral movement in espionage and financially motivated campaigns (Air India, DCSO CyTec analysis) |
| Volt Typhoon | China (PRC) | Multiple wmic discovery commands as living-off-the-land reconnaissance against US critical infrastructure |
| APT29 / NOBELIUM | Russia (SVR) | WMI for discovery and execution during SolarWinds compromise; WMI event subscriptions for persistence on high-value targets |
| APT28 (Sofacy) | Russia (GRU) | WMI for command execution and discovery in global espionage campaigns |
| Gamaredon Group | Russia (FSB) | WMI to execute discovery scripts and determine C2 IP addresses on Ukrainian government systems |
| APT35 (Charming Kitten) | Iran | WMI for PowerShell toolkit distribution exploiting Log4j vulnerability |
| menuPass (APT10) | China | Modified wmiexec.vbs pentesting script for remote WMI login and execution |
| Velvet Ant | China | WMI for lateral movement in long-running campaigns targeting F5 load balancers (2024) |
Ransomware and Financially Motivated Groups
| Actor / Malware | T1047 Usage |
|---|---|
| Ryuk / GRIM SPIDER | WMI remote process execution for ransomware deployment across networks; wmic shadowcopy delete for recovery inhibition |
| Conti | WMI-based lateral movement documented in leaked operator playbooks |
| REvil / Sodinokibi | WMI for shadow copy deletion and lateral deployment |
| Medusa | WMI queries for system reconnaissance in double-extortion campaigns (2025) |
| INC Ransom | WMIC used to deploy ransomware across target environments |
| LockBit 2.0 | WMI for shadow copy deletion and pre-encryption reconnaissance |
| FIN7 | WMI for execution and discovery in financial sector targeting |
| FIN8 | WMI and Sardonic backdoor for PowerShell command execution on compromised machines |
| FIN13 / Elephant Beetle | WMI for command execution in long-running financial theft operations targeting Mexican organizations |
Tools and Frameworks
| Tool | T1047 Usage |
|---|---|
| Impacket (WMIExec) | Python-based remote WMI execution; primary driver of Red Canary T1047 detections |
| Cobalt Strike | Built-in WMI execution for lateral movement and remote command execution |
| Empire / PowerSploit | PowerShell-based WMI execution and event subscription creation |
| SharpWMI | C#-based WMI execution tool for lateral movement |
| Covenant | WMI execution capabilities in the .NET-based C2 framework |
| PoshC2 | PowerShell-based WMI execution for lateral movement and reconnaissance |
Destructive Operations
| Actor / Malware | T1047 Usage |
|---|---|
| HermeticWizard | WMI-based worm spreading HermeticWiper across Ukrainian networks (2022) |
| WannaCry | wmic shadowcopy delete to destroy backup copies before encryption |
| MosesStaff / Indra | WMI for execution in destructive attacks against Iranian targets |
| BlackEnergy 2 | WMI for discovery in campaigns targeting Ukrainian energy infrastructure |
Defensive Recommendations
1. Enable Sysmon WMI Event Subscription monitoring
Deploy Sysmon with Event IDs 19, 20, and 21 enabled to capture WMI event filter creation, consumer creation, and filter-to-consumer binding. These are among the lowest-noise, highest-value detection events available for T1047 because legitimate software rarely creates permanent WMI event subscriptions. Any subscription creation should be investigated, especially those involving ActiveScriptEventConsumer or CommandLineEventConsumer.
2. Monitor wmiprvse.exe child processes
Build detection rules that flag suspicious child processes of wmiprvse.exe. When an adversary uses WMI to execute a remote command, the resulting process appears as a child of wmiprvse.exe on the target system. Legitimate WMI operations rarely spawn cmd.exe, powershell.exe, or mshta.exe as children of the WMI Provider Host. This parent-child relationship is one of the most reliable detection signals for WMI-based lateral movement.
3. Restrict WMI remote access
Limit which accounts can execute WMI commands remotely by configuring DCOM Launch and Activation permissions and the WMI namespace security settings. In environments where remote WMI is not needed for management, restrict access to dedicated administrative accounts and monitor for unauthorized usage. Consider using Windows Firewall to block inbound DCOM (port 135) and WinRM (ports 5985/5986) traffic from workstation-to-workstation, allowing it only from designated management servers.
4. Deploy Attack Surface Reduction (ASR) rules
Microsoft's Attack Surface Reduction rules include a rule that blocks process creation from WMI event subscriptions (e6db77e5-3df2-4cf1-b95a-636979351e5b). Enabling this rule in block mode prevents WMI event subscriptions from launching executables, eliminating one of the most effective WMI-based persistence mechanisms. Additionally, the ASR rule that blocks Office applications from creating child processes helps prevent WMI abuse from macro-based initial access vectors.
5. Alert on shadow copy deletion via WMI
Create a high-priority, zero-tolerance alert for any execution of wmic shadowcopy delete or PowerShell commands that delete Win32_ShadowCopy objects. There is almost no legitimate reason for a standard user to delete shadow copies via WMI, making this a near-perfect detection for ransomware pre-encryption activity. This alert should trigger immediate incident response investigation.
6. Implement WMI logging and auditing
Enable the Microsoft-Windows-WMI-Activity/Operational event log, which records WMI query and execution events including the originating process and the WMI namespace accessed. While this log can be noisy in environments with heavy WMI management traffic, it provides visibility into WMI activity that is not captured by standard process creation monitoring. Forward these events to your SIEM for correlation with other detection signals.
7. Monitor for Impacket WMIExec artifacts
Impacket's WMIExec module creates a distinctive pattern: it spawns cmd.exe /Q /c as a child of wmiprvse.exe, redirects output to a temporary file (often in C:\Windows\Temp\ or the ADMIN$ share), then retrieves the output file over SMB. Build detection rules that match this specific pattern — the combination of wmiprvse.exe spawning cmd.exe /Q /c with output redirection to a file is highly indicative of Impacket usage and generates few false positives.
8. Correlate WMI activity with authentication events
WMI remote execution requires valid credentials. Correlate WMI execution events with Windows authentication logs (Event ID 4624, logon type 3 for network logons) to identify which accounts are being used for WMI-based lateral movement. If a service account that should only authenticate to specific servers is suddenly authenticating via DCOM to workstations across the network, it strongly suggests credential compromise and lateral movement via WMI.
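Recommendations 7 and 8 worked together as an added example (not Impacket's, Red Canary's or any vendor's code): the wmiexec command-line shape from recommendation 7 as a regex, and WmiPrvSE.exe child processes joined to 4624 logon-type-3 records through the logon ID so that each is attributed to a source IP and checked against a per-account host baseline. The record layouts, the baseline and all sample hosts, accounts and addresses are constructed assumptions.

```python
"""Impacket wmiexec command-line shape and attribution of WmiPrvSE.exe children to the
network logon that carried them (4624, logon type 3), joined through the logon ID that
both Sysmon Event 1 and the Security log record. Example added for this page, not
Impacket or vendor code; record layouts, the baseline and all sample values are constructed."""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# cmd.exe /Q /c <command> 1> <file on the ADMIN$ share or in C:\Windows\Temp> 2>&1
WMIEXEC_CMDLINE = re.compile(
    r'^(?:.*\\)?cmd\.exe"?\s+/Q\s+/c\s+(?P<cmd>.+?)\s+1>\s*'
    r"(?P<outfile>\\\\[^\s\\]+\\ADMIN\$\\\S+|C:\\Windows\\Temp\\\S+)\s+2>&1\s*$", re.I)


def is_wmiexec_pattern(cmdline: str | None) -> bool:
    """True when a command line has the wmiexec shape: /Q /c plus output redirected to a temp file."""
    return WMIEXEC_CMDLINE.search(cmdline or "") is not None


def correlate(sysmon: list[dict], security: list[dict], baseline: dict[str, set[str]]) -> list[dict]:
    """Attribute each WmiPrvSE.exe child process to its network logon and grade it.

    baseline maps a lower-cased DOMAIN\\user to the hosts it is expected to reach over the
    network; a WMI-spawned process under that account on any other host is flagged."""
    # Index 4624 type-3 logons by (host, logon id); Sysmon Event 1 carries the same logon id.
    net_logons = {}
    for ev in security:
        if ev.get("EventID") == 4624 and str(ev.get("LogonType")) == "3":
            net_logons[(ev["Computer"].lower(), ev["TargetLogonId"].lower())] = ev
    findings = []
    for ev in sysmon:
        if ev.get("EventID") != 1 or PureWindowsPath(ev.get("ParentImage", "")).name.lower() != "wmiprvse.exe":
            continue
        logon = net_logons.get((ev["Computer"].lower(), ev.get("LogonId", "").lower()))
        account = (f"{logon['TargetDomainName']}\\{logon['TargetUserName']}" if logon
                   else ev.get("User", "?")).lower()
        reasons = ["wmiprvse_child_process"]
        if is_wmiexec_pattern(ev.get("CommandLine")):
            reasons.append("impacket_wmiexec_pattern")
        if logon:
            reasons.append("network_logon_correlated")
        expected_hosts = baseline.get(account)
        if expected_hosts is not None and ev["Computer"].upper() not in expected_hosts:
            reasons.append("account_outside_baseline")
        findings.append({"host": ev["Computer"], "account": account,
                         "source_ip": logon["IpAddress"] if logon else None,
                         "command": ev.get("CommandLine", ""), "reasons": reasons})
    return findings


# Constructed sample telemetry (not real captures).
CMD, WMIPRVSE = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SYSMON_EVENTS = [
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\svc_backup", "LogonId": "0x5A3F1C",
     "Image": CMD, "ParentImage": WMIPRVSE,
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"EventID": 1, "Computer": "BK01", "User": "CORP\\svc_backup", "LogonId": "0x77A2",
     "Image": CMD, "ParentImage": WMIPRVSE, "CommandLine": r"cmd.exe /c dir D:\Backups"},
    {"EventID": 1, "Computer": "WS-042", "User": "CORP\\jdoe", "LogonId": "0x3E7",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]
SECURITY_EVENTS = [
    {"EventID": 4624, "Computer": "WS-042", "LogonType": 3, "TargetLogonId": "0x5a3f1c",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "BK01", "LogonType": 3, "TargetLogonId": "0x77a2",
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup", "IpAddress": "10.0.1.10"},
]
# The backup service account is only expected to reach the backup server over the network.
BASELINE = {"corp\\svc_backup": {"BK01"}}

if __name__ == "__main__":
    for f in correlate(SYSMON_EVENTS, SECURITY_EVENTS, BASELINE):
        print(f["host"], f["account"], f["source_ip"], f["reasons"])
```

The WS-042 record collects every reason (wmiexec shape, correlated network logon from 10.0.5.23, account outside its baseline), while the same account's activity on BK01 is attributed but not escalated.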
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1047 |
| Technique Name | Windows Management Instrumentation |
| Tactics | Execution (TA0002) |
| Platforms | Windows |
| Sub-Techniques | None (no sub-techniques defined) |
| Data Sources | Process (Creation), Command (Execution), Network Traffic (Connection Creation), WMI (Creation) |
| Mitigations | Privileged Account Management (M1026), User Account Management (M1018), Execution Prevention (M1038) |
| Version | 1.4 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1047 |
Sources and References
- MITRE ATT&CK — T1047 Windows Management Instrumentation: attack.mitre.org
- Red Canary — 2025 Threat Detection Report: Windows Management Instrumentation and Impacket's WMIexec: redcanary.com
- Picus Security — T1047 Windows Management Instrumentation of the MITRE ATT&CK Framework: picussecurity.com
- FireEye/Mandiant — WMI Offense, Defense, and Forensics (Ballenthin et al.): mandiant.com
- CISA/NSA — Volt Typhoon: People's Republic of China State-Sponsored Cyber Actor Living Off the Land: cisa.gov
- ESET — IsaacWiper and HermeticWizard: New Wiper and Worm Targeting Ukraine: welivesecurity.com
- The DFIR Report — Ryuk's Return (TrickBot, Cobalt Strike, and WMI Lateral Movement): thedfirreport.com
- Intel471 — Threat Hunting Case Study: Medusa Ransomware (2025): intel471.com
- Cyber Triage — WMI Malware: The Complete Forensics Guide (2025): cybertriage.com
- Red Canary — Atomic Red Team T1047 Tests: github.com