title: Suspicious Get-WmiObject
id: 0332a266-b584-47b4-933d-a00b103e1b37
status: experimental
description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
date: 2022/01/12
author: frack113
references:
    - https://attack.mitre.org/datasources/DS0005/
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains:
            - Get-WmiObject
            - gwmi
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
tags:
    - attack.persistence
    - attack.t1546