WMI Module Load#


Adversaries might be leveraging WMI modules to execute WMI tasks bypassing controls monitoring for wmiprvse.exe or wmiapsrv.exe activity

Technical Context#

WMI is the Microsoft implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM). Both standards aim to provide an industry-agnostic means of collecting and transmitting information related to any managed component in an enterprise. An example of a managed component in WMI would be a running process, registry key, installed service, file information, etc. At a high level, Microsoft’s implementation of these standards can be summarized as follows > Managed Components Managed components are represented as WMI objects — class instances representing highly structured operating system data. Microsoft provides a wealth of WMI objects that communicate information related to the operating system. E.g. Win32_Process, Win32_Service, AntiVirusProduct, Win32_StartupCommand, etc. WMI modules loaded by legit processes such as wmiprvse.exe or wmiapsrv.exe are the following

C:\Windows\System32\wmiclnt.dll C:\Windows\System32\wbem\WmiApRpl.dll C:\Windows\System32\wbem\wmiprov.dll C:\Windows\System32\wbem\wmiutils.dll

Offensive Tradecraft#

Adversaries could leverage the WMI modules above to execute WMI tasks bypassing controls looking for wmiprvse.exe or wmiapsrv.exe activity.

Pre-Recorded Security Datasets#







Download Dataset#

import requests
from zipfile import ZipFile
from io import BytesIO

url = 'https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/empire_psinject_PEinjection.zip'
zipFileRequest = requests.get(url)
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])

Read Dataset#

import pandas as pd
from pandas.io import json

df = json.read_json(path_or_buf=datasetJSONPath, lines=True)


A few initial ideas to explore your data and validate your detection logic:

Analytic I#

Look for processes (non wmiprvse.exe or WmiApSrv.exe) loading wmi modules.

Data source

Event Provider





Process loaded Dll



SELECT `@timestamp`, Hostname, Image, ImageLoaded
FROM dataTable
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND EventID = 7
    AND (
        lower(ImageLoaded) LIKE "%wmiclnt.dll"
        OR lower(ImageLoaded) LIKE "%WmiApRpl.dll"
        OR lower(ImageLoaded) LIKE "%wmiprov.dll"
        OR lower(ImageLoaded) LIKE "%wmiutils.dll"
        OR lower(ImageLoaded) LIKE "%wbemcomn.dll"
        OR lower(ImageLoaded) LIKE "%WMINet_Utils.dll"
        OR lower(ImageLoaded) LIKE "%wbemsvc.dll"
        OR lower(ImageLoaded) LIKE "%fastprox.dll"
        OR lower(Description) LIKE "%wmi%"
    AND NOT (
        lower(Image) LIKE "%wmiprvse.exe"
        OR lower(Image) LIKE "%wmiapsrv.exe"
        OR lower(Image) LIKE "%svchost.exe"

Pandas Query#


[(df['Channel'] == 'Microsoft-Windows-Sysmon/Operational')
    & (df['EventID'] == 7)
    & (
      (df['ImageLoaded'].str.lower().str.endswith('wmiclnt.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('wmiaprpl.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('wmiprov.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('wmiutils.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('wbemcomn.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('wminet_utils.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('wbemsvc.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.endswith('fastprox.dll', na=False))
      | (df['ImageLoaded'].str.lower().str.contains('.*wmi.*', regex=True))
    & (
      (~df['Image'].str.lower().str.endswith('wmiprvse.exe', na=False))
      & (~df['Image'].str.lower().str.endswith('wmiapsrv.exe', na=False))
      & (~df['Image'].str.lower().str.endswith('svchost.exe', na=False))

Known Bypasses#

False Positives#

Hunter Notes#

  • Stack the processes loading WMI modules and document the activity in your environment.

  • Stack child processes (if any) of non wmiprvse.exe loading wmi modules