Synopsis

| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
Attackers or malware may issue WMI queries that read system and hardware details in order to fingerprint the host and avoid executing in a sandbox or virtualized analysis environment.
Attacker's Goals
Attackers or malware can use WMI queries to identify system components, determine whether the host is a sandbox or virtual machine, and withhold their malicious behaviour there so that the analysis environment never observes it.
Investigative actions
- Examine the process that executed the WMI query (its image path, command line, parent process and code signature) and verify that it comes from a trusted source.
- Inspect the endpoint for other suspicious activity related to that process.
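The following is an added example, not Cortex XDR's own detection content or the alert's real logic. It shows how the behaviour described above can be spotted in process telemetry: it parses WQL strings and wmic.exe command lines, flags reads of WMI classes and properties commonly used to recognise a virtual machine or sandbox, suppresses repeat alerts for the same host and process within the 1-day deduplication period shown in the synopsis, and carries the process signer so that the first investigative action (is the source trusted?) can be triaged directly. The event field names, the class/property list and the sample events are all constructed assumptions.

```python
"""Flag WMI queries that fingerprint a VM/sandbox in constructed process events.

Added illustration only; the watched classes, event schema and sample data are
assumptions, not Cortex XDR's detection content.
"""
import re
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(days=1)  # mirrors the 1-day deduplication period in the synopsis

# WMI classes/properties frequently read to decide whether the host is a VM or
# sandbox (hypervisor vendor strings, BIOS data, disk/video models, core count, RAM).
SANDBOX_PROBE_PROPS = {
    "win32_computersystem": {"manufacturer", "model", "numberofprocessors", "totalphysicalmemory"},
    "win32_bios": {"manufacturer", "serialnumber", "smbiosbiosversion", "version"},
    "win32_diskdrive": {"model", "caption", "size"},
    "win32_videocontroller": {"name", "description", "adaptercompatibility"},
    "win32_baseboard": {"manufacturer", "product"},
    "win32_processor": {"name", "numberofcores"},
}

# wmic.exe aliases for the classes above (wmic also accepts "path <class>").
WMIC_ALIASES = {
    "computersystem": "win32_computersystem",
    "bios": "win32_bios",
    "diskdrive": "win32_diskdrive",
    "baseboard": "win32_baseboard",
    "cpu": "win32_processor",
}

WQL_RE = re.compile(r"\bselect\s+(?P<props>.+?)\s+from\s+(?P<cls>win32_\w+)", re.I)
WMIC_RE = re.compile(
    r"\bwmic(?:\.exe)?\b.*?\b(?:path\s+(?P<cls>win32_\w+)|(?P<alias>\w+))\s+get\s+(?P<props>[\w,\s]+)",
    re.I,
)


def parse_wmi_query(text):
    """Return (class, set of properties) for a WQL string or wmic command line, else None."""
    m = WQL_RE.search(text)
    if m:
        props = {p.strip().lower() for p in m.group("props").split(",")}
        return m.group("cls").lower(), props
    m = WMIC_RE.search(text)
    if m:
        cls = (m.group("cls") or WMIC_ALIASES.get(m.group("alias").lower(), "")).lower()
        if not cls:
            return None  # wmic alias we do not track (e.g. "process")
        props = {p.strip().lower() for p in re.split(r"[,\s]+", m.group("props").strip()) if p}
        return cls, props
    return None


def probed_properties(cls, props):
    """Subset of props that are known fingerprinting reads; 'SELECT *' counts as all of them."""
    watched = SANDBOX_PROBE_PROPS.get(cls)
    if not watched:
        return set()
    return set(watched) if "*" in props else props & watched


def detect(events, window=DEDUP_WINDOW):
    """One alert per (host, image) per dedup window when a query reads VM/sandbox fingerprints."""
    alerts, last_alert = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        parsed = parse_wmi_query(ev["query"])
        if not parsed:
            continue
        cls, props = parsed
        hits = probed_properties(cls, props)
        if not hits:
            continue
        key = (ev["host"], ev["image"].lower())
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_alert.get(key)
        if prev is not None and ts - prev < window:
            continue  # same host+process already alerted inside the window
        last_alert[key] = ts
        alerts.append({
            "host": ev["host"], "image": ev["image"], "pid": ev["pid"],
            "signer": ev.get("signer") or "unsigned",  # triage aid: is the source trusted?
            "class": cls, "properties": sorted(hits), "severity": "Informational",
        })
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "pid": 4120, "signer": None,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "query": "SELECT Manufacturer, Model FROM Win32_ComputerSystem"},
    {"ts": "2024-05-01T09:00:02", "host": "WS01", "pid": 4120, "signer": None,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "query": "SELECT * FROM Win32_BIOS"},  # suppressed: same host+image within 1 day
    {"ts": "2024-05-01T10:15:00", "host": "WS02", "pid": 988, "signer": "Microsoft Windows",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "query": "wmic computersystem get manufacturer,model"},
    {"ts": "2024-05-01T10:16:00", "host": "WS02", "pid": 1001, "signer": "Microsoft Windows",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "query": "wmic process get name,processid"},  # ordinary inventory, not a fingerprint read
    {"ts": "2024-05-03T09:00:00", "host": "WS01", "pid": 5222, "signer": None,
     "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "query": "wmic path win32_videocontroller get name"},  # outside the window: alerts again
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Running the block yields three alerts: the unsigned Temp-directory binary on WS01, the Microsoft-signed WMIC.exe on WS02, and the WS01 binary again two days later. The signer field is what lets an analyst separate a benign inventory script from an unsigned dropper probing Win32_ComputerSystem before deciding whether to detonate.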