Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.
Attacker's Goals
Attackers or malware can use WMI queries to discover host users and enumerate a large amount of host information.
Investigative actions
- Examine the process that executed the WMI query and verify that the process is from a trusted source.
- Inspect the system for suspicious activity that is related to that process.
Variations
- User discovery via WMI query execution by an unsigned process
- User modification via WMIC query execution
- User discovery via WMIC query execution
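The three variations above as detection logic, written as an added example for this page (not the product's own detector): it classifies constructed sample process and WMI-query events into the variations and applies the 1-day deduplication period from the synopsis. The event field names, image paths and sample command lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): process events carry a command line, WMI-query events the WQL text.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "signed": True,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic useraccount get name,sid"},
    {"ts": "2024-05-01T09:05:00", "host": "ws01", "signed": True,  # same host, within 1 day: deduplicated
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic useraccount get name,disabled"},
    {"ts": "2024-05-01T09:10:00", "host": "ws02", "signed": False,
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "wql": "SELECT Name, SID FROM Win32_UserAccount"},
    {"ts": "2024-05-01T09:20:00", "host": "ws02", "signed": True,
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic useraccount where name='svc' set passwordexpires=false"},
    {"ts": "2024-05-01T09:30:00", "host": "ws03", "signed": True,  # signed inventory agent: outside this rule's scope
     "image": r"C:\Program Files\Inventory\agent.exe", "wql": "SELECT UserName FROM Win32_ComputerSystem"},
    {"ts": "2024-05-02T10:00:00", "host": "ws01", "signed": True,  # more than 1 day later: alerts again
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic useraccount list brief"},
]

USER_CLASSES = re.compile(r"\bwin32_(useraccount|computersystem)\b", re.I)   # WMI classes exposing users/owner
WMIC_MODIFY = re.compile(r"\buseraccount\b.*\b(set|call|delete)\b", re.I)   # WMIC verbs that change an account
WMIC_USER = re.compile(r"\b(useraccount|computersystem\s+get\s+username)\b", re.I)
DEDUP_WINDOW = timedelta(days=1)                                             # the synopsis' 1-day deduplication period

def classify(ev):
    """Return the alert variation an event matches, or None."""
    is_wmic = ev["image"].lower().endswith("\\wmic.exe")
    cmd = ev.get("cmdline", "")
    if is_wmic and WMIC_MODIFY.search(cmd):
        return "User modification via WMIC query execution"
    if is_wmic and WMIC_USER.search(cmd):
        return "User discovery via WMIC query execution"
    if not ev["signed"] and USER_CLASSES.search(ev.get("wql", "")):
        return "User discovery via WMI query execution by an unsigned process"
    return None

def detect(events):
    """Return (host, image, variation) alerts, suppressing repeats per host and variation for 1 day."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        variation = classify(ev)
        if variation is None:
            continue
        ts, key = datetime.fromisoformat(ev["ts"]), (ev["host"], variation)
        if key in last_seen and ts - last_seen[key] < DEDUP_WINDOW:
            continue
        last_seen[key] = ts
        alerts.append((ev["host"], ev["image"], variation))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts: the second ws01 event is suppressed by deduplication, the signed agent's query is ignored, and the next-day ws01 event fires again.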