[metadata] creation_date = "2023/08/24" integration = ["endpoint", "windows", "system"] maturity = "production" updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = """ Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" index = [ "endgame-*", "logs-endpoint.events.process-*", "logs-system.security*", "logs-windows.sysmon_operational-*", "winlogbeat-*", ] interval = "60m" language = "eql" license = "Elastic License v2" name = "WMIC Remote Command" risk_score = 21 rule_id = "f59668de-caa0-4b84-94c1-3a1549e1e798" severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: Windows Security Event Logs", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and process.name : "WMIC.exe" and process.args : "*node:*" and process.args : ("call", "set", "get") and not process.args : ("*/node:localhost*", "*/node:\"127.0.0.1\"*", "/node:127.0.0.1") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1021" name = "Remote Services" reference = "https://attack.mitre.org/techniques/T1021/" [[rule.threat.technique.subtechnique]] id = "T1021.006" name = "Windows Remote Management" reference = "https://attack.mitre.org/techniques/T1021/006/" [rule.threat.tactic] id = "TA0008" name = "Lateral Movement" reference = "https://attack.mitre.org/tactics/TA0008/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1047" name = "Windows Management Instrumentation" reference = "https://attack.mitre.org/techniques/T1047/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"