{
	"id": "10da5fd4-c9a0-48ce-bdad-41498de9e20c",
	"created_at": "2026-04-06T00:08:53.455249Z",
	"updated_at": "2026-04-10T03:37:19.411746Z",
	"deleted_at": null,
	"sha1_hash": "becf5ad08aae7de2c31996dbe6515852775593ee",
	"title": "WMI Malware: The Complete Forensics Guide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 361308,
	"plain_text": "WMI Malware: The Complete Forensics Guide\r\nBy Alex Detmering\r\nPublished: 2025-02-20 · Archived: 2026-04-05 19:13:45 UTC\r\nAttackers can use WMI malware for just about anything. Execution, persistence, lateral movement… honestly, the list goes on. Fortunately for you, there are blogs like these that will help you understand exactly how bad guys use WMI.\r\nAnd exactly how good guys – AKA you – can stop them.\r\nNow let’s get to it.\r\nIntroduction to WMI Malware\r\nWindows Management Instrumentation (WMI) is a Microsoft framework for system management that doubles as a versatile tool for bad actors. As DFIR expert Chris Ray explains, “WMI activity is important to review for malicious behavior due to its wide abuse by threat actors. It provides an easy way for threat actors to create processes, tamper with system settings, and perform system recon all without needing to bring in additional tools.”\r\nWhy it’s dangerous:\r\nIt is a standard Windows feature, so threat actors can blend in.\r\nIt enables “fileless” persistence, making file-based scanning useless.\r\nIt allows threat actors to be less reliant on external tools.\r\nHow attackers access it:\r\nPowerShell\r\nCommand prompt\r\nVarious programming interfaces\r\nUse in the attack life cycle:\r\nExecution\r\nDiscovery\r\nDefense evasion\r\nImpact\r\nPersistence\r\nhttps://www.cybertriage.com/blog/wmi-malware/\r\nPage 1 of 12\r\nNow, let’s take a closer look at each of these.\r\nGet Technical on WMI\r\nWant to learn more about the technical details of WMI? Here are a few resources we recommend:\r\nFireEye: WMI Forensics Whitepaper.\r\n0xInfection: Offensive WMI series.\r\nHow Attackers Use WMI Malware\r\nBelow are examples of how attackers use WMI malware at each stage of the attack lifecycle.\r\nThese examples are useful to investigators for 2 reasons:\r\n1. Knowing what to look for and building detection rules from it.\r\n2. Running the commands to test detection rules and look for other artifacts left behind.\r\nThe examples include multiple ways to do the same thing, so that investigators can build better detection rules that don’t just look at WMI, for example.\r\nWMI for Execution\r\nAttackers Can Create a Process Locally\r\nExamples:\r\nInvoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine=\"notepad.exe\"}\r\nInvoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList \"notepad.exe\"\r\nwmic process call create \"notepad.exe\"\r\nAttackers Can Create a Process Remotely\r\nExamples:\r\nInvoke-CimMethod -ComputerName blocker -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine=\"notepad.exe\"}\r\nInvoke-WmiMethod -ComputerName blocker -Class Win32_Process -Name Create -ArgumentList \"notepad.exe\"\r\nwmic /node:blocker process call create \"notepad.exe\"\r\nAttackers Can Create Services Locally\r\nExamples:\r\nInvoke-CimMethod -ClassName Win32_Service -MethodName Create -Arguments @{\r\n    Name        = \"Service name\"\r\n    DisplayName = \"Service display name\"\r\n    PathName    = \"%comspec% ping google.com\"\r\n    StartMode   = \"Automatic\"\r\n    StartName   = \"LocalSystem\"\r\n}\r\nwmic service call create displayname=\"service display name\" pathname=\"ping google.com\" name=\"Service name\" startmode=\"automatic\"\r\nAttackers Can Create Services Remotely\r\nExamples:\r\nInvoke-CimMethod -ComputerName blocker -ClassName Win32_Service -MethodName Create -Arguments @{\r\n    Name        = \"Service name\"\r\n    DisplayName = \"Service display name\"\r\n    PathName    = \"%comspec% ping google.com\"\r\n    StartMode   = \"Automatic\"\r\n    StartName   = \"LocalSystem\"\r\n}\r\nwmic /node:blocker service call create displayname=\"service display name\" pathname=\"ping google.com\" name=\"Service name\" startmode=\"automatic\"\r\nAttackers can use WMI to initiate new processes on both local and remote systems via the Create method of:\r\nWin32_Process\r\nWin32_Service\r\nWin32_ScheduledJob\r\nThe WMIExec.py script is a commonly abused script that uses Win32_Process for remote process creation.\r\nWMI for Discovery\r\nAttackers Can List Directory Content Remotely\r\nExamples:\r\nGet-CimInstance -ClassName CIM_DataFile -ComputerName blocker -Filter \"Drive = 'C:' AND Path = '\\\\users\\\\public\\\\'\"\r\nGet-WmiObject -Class CIM_DataFile -ComputerName blocker -Filter \"Drive = 'C:' AND Path = '\\\\users\\\\public\\\\'\"\r\nwmic datafile where \"Drive = 'C:' AND Path = '\\\\users\\\\public\\\\'\"\r\n[Image: WMI lateral example]\r\nAttackers Can Check Installed Patches\r\nExamples:\r\nGet-CimInstance -ClassName Win32_QuickFixEngineering\r\nGet-WmiObject -Class Win32_QuickFixEngineering\r\nwmic qfe\r\n[Image: WMI patch level example]\r\nAttackers Can View AV Software\r\nExamples:\r\nGet-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct\r\nGet-WmiObject -Namespace root/SecurityCenter2 -Class AntiVirusProduct\r\n[Image: WMI AV product example]\r\nAttackers Can View Running Processes\r\nExamples:\r\nGet-CimInstance -ClassName Win32_Process -Filter \"Name='lsass.exe'\"\r\nGet-WmiObject -Class Win32_Process -Filter \"Name='lsass.exe'\"\r\nwmic process where \"name='lsass.exe'\"\r\n[Image: WMI process LSASS example]\r\nAttackers Can View Active Services\r\nExamples:\r\nGet-CimInstance -ClassName Win32_Service -Filter \"Name='windefend'\"\r\nGet-WmiObject -Class Win32_Service -Filter \"Name='windefend'\"\r\nwmic service where \"name='windefend'\"\r\n[Image: WMI service Defender example]\r\nAttackers can use WMI to collect a wide range of system data, both locally and remotely.\r\nThis includes:\r\nChecking installed antivirus software via the AntiVirusProduct class.\r\nTracking Windows updates and patches via the Win32_QuickFixEngineering class.\r\nListing active processes/services via the Win32_Process and Win32_Service classes.\r\nListing the content of directories via the CIM_DataFile class.\r\nWMI for Defense Evasion\r\nAttackers Can Disable the Firewall\r\nExamples:\r\nGet-CimInstance -Namespace \"root/StandardCimv2\" -ClassName MSFT_NetFirewallProfile | ForEach-Object { $_.Enabled = $false; $_ | Set-CimInstance }\r\nGet-WmiObject -Namespace \"root\\StandardCimv2\" -Class MSFT_NetFirewallProfile | ForEach-Object { $_.Enabled = $false; $_.Put() }\r\nAttackers Can Disable Critical Services\r\nExamples:\r\nGet-CimInstance -ClassName Win32_Service -Filter \"Name='eventlog'\" | ForEach-Object { $_ | Invoke-CimMethod -MethodName StopService; $_ | Invoke-CimMethod -MethodName ChangeStartMode -Arguments @{StartMode='Disabled'} }\r\nGet-WmiObject -Class Win32_Service -Filter \"Name='eventlog'\" | ForEach-Object { $_.StopService(); $_.ChangeStartMode('Disabled') }\r\nwmic service where name=eventlog call ChangeStartMode Disabled\r\nAttackers Can Clear Event Logs\r\nExamples:\r\nGet-CimInstance -ClassName Win32_NTEventlogFile -Filter \"LogFileName='Application'\" | Invoke-CimMethod -MethodName ClearEventlog\r\nGet-WmiObject -Class Win32_NTEventLogFile -Filter \"LogFileName='Application'\" | ForEach-Object { $_.ClearEventLog() }\r\nwmic nteventlog where \"LogfileName='Application'\" call ClearEventLog\r\nAttackers Can Avoid Sandbox Analysis\r\nExamples:\r\nGet-CimInstance -ClassName Win32_ComputerSystem | fl *\r\nGet-WmiObject -Class Win32_ComputerSystem | fl *\r\nwmic computersystem\r\n[Image: WMI virtualization check example]\r\nAttackers can use WMI to tamper with system logs and critical services and evade detection.\r\nThis includes:\r\nDisabling Windows Firewall profiles via MSFT_NetFirewallProfile.\r\nDisabling critical Windows services via Win32_Service.\r\nClearing event logs via the Win32_NTEventLogFile class.\r\nChecking for virtualization/sandboxing via the Win32_ComputerSystem class.\r\nWMI for Impact\r\nAttackers Can Block System Recovery\r\nExamples:\r\nGet-CimInstance -ClassName Win32_ShadowCopy | Remove-CimInstance\r\nGet-WmiObject -Class Win32_ShadowCopy | ForEach-Object { $_.Delete() }\r\nwmic shadowcopy delete\r\nAttackers Can Force a System Reboot\r\nExamples:\r\nGet-CimInstance -ClassName Win32_OperatingSystem | Invoke-CimMethod -MethodName Reboot\r\n(Get-WmiObject -Class Win32_OperatingSystem).Win32Shutdown(6)\r\nwmic os where Primary='TRUE' call Win32Shutdown 6\r\nAttackers can use WMI to disrupt system recovery and force reboots or shutdowns.\r\nHere’s how:\r\nThe Win32_ShadowCopy class can be used to delete volume shadow copies, inhibiting system recovery.\r\nWin32_OperatingSystem class methods can force restarts/shutdowns.\r\nThese tactics are often used in ransomware attacks to make recovery harder or in stealthy intrusions to cover tracks.\r\nWMI for Persistence\r\nAttackers Can Create WMI Consumers\r\nFor examples and more on WMI consumers for persistence, read:\r\nHow to Investigate Malware WMI Event Consumers 2025.\r\nHow to Find WMI Consumers: Complete Forensic Analysis Guide.\r\nAttackers Can Create Services\r\nSee the execution section for examples.\r\nAttackers Can Create Autorun Keys\r\n[Image: WMI persistence with autorun example]\r\nAttackers can use WMI to set up persistence mechanisms.\r\nThis includes:\r\nCreating persistent consumers (similar to scheduled tasks).\r\nCreating services via the Win32_Service Create method.\r\nChanging registry autorun keys via StdRegProv methods.\r\nA tool called WMIPersist.py simplifies this process by automating event consumer-based persistence.\r\nReal-World Attacks\r\nShrinkLocker Ransomware\r\nWhere WMI was used:\r\nWin32_ComputerSystem: used to check the computer’s domain so the malware can bail out if the computer is not the intended target, and to perform a system restart when needed.\r\nWin32_OperatingSystem: used to check the OS version. If running on an older system (Windows XP and 2000), the malware deletes itself and exits.\r\nWin32_OptionalFeature: used to check if BitLocker is installed.\r\nStdRegProv: used to create registry keys (related to BitLocker).\r\nWin32_PerfRawData_Tcpip_NetworkInterface: the data returned was used to help generate a random BitLocker password for encryption.\r\nWin32_Service: used to check whether the BitLocker service is running. If not, WMI was used to start the service before the encryption takes place.\r\nWin32_Volume: used to determine the drive letter of the drive the OS is installed on.\r\nWin32_EncryptableVolume: used to check if the disk has been encrypted.\r\nBlue Mockingbird Cryptominer\r\nWhere WMI was used:\r\nPersistence via COR_PROFILER: used WMIC ENVIRONMENT to create a new system-wide environment variable.\r\nMetador\r\nWhere WMI was used:\r\nPersistence via WMI persistent consumers: used the CommandLineEventConsumer class to execute the lolbin cdb.exe 5-6 minutes after the system boots up.\r\n4 WMI Malware Detection Techniques\r\n#1 Monitor for WMI Consumer Persistence\r\nWhy: threat actors use WMI consumers for persistence.\r\nWhere:\r\nWMI database\r\nEDR telemetry\r\nSysmon logs (events 19, 20, 21)\r\nMicrosoft-Windows-WMI-Activity/Operational log (event 4861)\r\nWhat to look for:\r\n__FilterToConsumerBinding, __EventFilter and __EventConsumer instances outside of the default root\\subscription namespace.\r\nAny consumer class that is not one of the 5 standard consumers.\r\nInstances of ActiveScriptEventConsumer and CommandLineEventConsumer that launch suspicious scripts/processes.\r\n#2 Monitor for Unusual Children of scrcons.exe\r\nWhy: scrcons.exe is the executable responsible for implementing the actions defined by ActiveScriptEventConsumer instances. As a result, reviewing the children of scrcons.exe can help find malicious activity executed through WMI persistence.\r\nWhere: anywhere you get process execution history. Some examples are:\r\nSecurity log (event 4688)\r\nSysmon logs (event 1)\r\nEDR telemetry\r\nWhat to look for: any unusual child processes of scrcons.exe such as powershell.exe, pwsh.exe, cmd.exe, dllhost.exe, etc. Sigma rules already exist to capture some of this activity, such as this rule.\r\n#3 Monitor for Unusual Children of WmiPrvSE.exe\r\nWhy: when WMI is used for remote execution, the resulting processes will be children of WmiPrvSE.exe.\r\nWhere: anywhere you get process execution history. Some examples are:\r\nSecurity log (event 4688)\r\nSysmon logs (event 1)\r\nEDR telemetry\r\nWhat to look for: any unusual child processes such as powershell.exe, cmd.exe, pwsh.exe, reg.exe, etc. Existing rules can be used as a starting point, such as this rule.\r\n#4 Monitor Process History for Unusual Usage of WMI Commands\r\nWhy: reviewing process command line history allows defenders to find malicious uses of WMI that have been initiated from wmic.exe or PowerShell.\r\nWhere: anywhere you get process execution history. Some examples are:\r\nSecurity log (event 4688)\r\nSysmon logs (event 1)\r\nEDR telemetry\r\nWhat to look for:\r\nProcesses of wmic.exe, cmd.exe, powershell.exe, pwsh.exe\r\nCommand lines containing interesting WMI classes and methods like the ones previously discussed, for example:\r\nwin32_process and call (create a process)\r\nWin32_ShadowCopy and delete (delete a shadow copy)\r\nWin32_NTEventlogFile and ClearEventlog (clear a Windows event log)\r\nFind WMI Malware Easily\r\nIt’s important for investigators to understand the fundamentals of WMI, but the technical details and classic strategies aren’t really required anymore. Once you understand the basics, investigators should focus on the big picture of an investigation.\r\nAnd it’s the job of software to take care of the rest.\r\nCyber Triage is just such software. Cyber Triage automates the collection of all the artifacts (like WMI) investigators need and scores them according to how suspicious they are using Automated Analysis.\r\nIt radically speeds up (and improves the accuracy of) investigations.\r\nTry it today!\r\nSource: https://www.cybertriage.com/blog/wmi-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybertriage.com/blog/wmi-malware/"
	],
	"report_names": [
		"wmi-malware"
	],
	"threat_actors": [
		{
			"id": "e568e9d7-ae94-4ce5-9039-4fd17c731c1d",
			"created_at": "2022-10-25T15:50:23.491763Z",
			"updated_at": "2026-04-10T02:00:05.342897Z",
			"deleted_at": null,
			"main_name": "Blue Mockingbird",
			"aliases": [
				"Blue Mockingbird"
			],
			"source_name": "MITRE:Blue Mockingbird",
			"tools": [
				"FRP",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba626326-d049-472c-ba57-b64943d96dc2",
			"created_at": "2023-11-05T02:00:08.075744Z",
			"updated_at": "2026-04-10T02:00:03.398399Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [],
			"source_name": "MISPGALAXY:Metador",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "afa52232-4252-4c67-ac65-6e60eb113fde",
			"created_at": "2023-04-26T02:03:03.138144Z",
			"updated_at": "2026-04-10T02:00:05.366656Z",
			"deleted_at": null,
			"main_name": "Metador",
			"aliases": [
				"Metador"
			],
			"source_name": "MITRE:Metador",
			"tools": [
				"metaMain",
				"Mafalda"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775792239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/becf5ad08aae7de2c31996dbe6515852775593ee.pdf",
		"text": "https://archive.orkl.eu/becf5ad08aae7de2c31996dbe6515852775593ee.txt",
		"img": "https://archive.orkl.eu/becf5ad08aae7de2c31996dbe6515852775593ee.jpg"
	}
}