Adversaries may use WMIC to execute arbitrary commands and maintain persistence within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise from advanced threats leveraging WMI for command and control.
KQL Query

```kusto
// Office products spawning WMI
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
and FileName =~ "wmic.exe"
```
Rule definition

```yaml
id: 2c0a068e-b30c-4e6a-928c-f05b60c43066
name: detect-office-products-spawning-wmic
description: |
  This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve.
  Windows Management Instrumentation, or WMI, is a legitimate Microsoft framework used to obtain management data and perform administrative tasks on remote devices. However, attackers can also use WMI to gather information about a target or hijack control of a device. The MITRE ATT&CK framework includes WMI among its list of common enterprise attack techniques.
  The following query detects when Microsoft Office software spawns an instance of the WMI command-line utility, wmic.exe.
  References:
  https://docs.microsoft.com/windows/win32/wmisdk/about-wmi
  https://attack.mitre.org/techniques/T1047/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // Office products spawning WMI
  DeviceProcessEvents
  | where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
  and FileName =~ "wmic.exe"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
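To check what the rule's `where` clause will and will not match before deploying it, the filter logic can be replayed offline. The following is an added example, not part of the original rule or of Microsoft's code; the column names follow the DeviceProcessEvents schema and the event rows are constructed sample data.

```python
# Added example (not part of the original rule or Microsoft's code): the
# hunting query's filter logic replayed in Python over constructed
# DeviceProcessEvents rows, so the case-insensitive semantics of KQL
# `in~` and `=~` can be checked offline before the rule is deployed.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")
WMIC = "wmic.exe"

# Column names follow the DeviceProcessEvents schema; row values are constructed.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "alice", "FileName": "wmic.exe",
     "InitiatingProcessFileName": "WINWORD.EXE", "ProcessCommandLine": "wmic os get caption"},
    {"DeviceName": "ws02", "AccountName": "bob", "FileName": "WMIC.exe",
     "InitiatingProcessFileName": "excel.exe", "ProcessCommandLine": "WMIC process list brief"},
    {"DeviceName": "ws03", "AccountName": "carol", "FileName": "cmd.exe",
     "InitiatingProcessFileName": "outlook.exe", "ProcessCommandLine": "cmd.exe /c echo hi"},
    {"DeviceName": "srv01", "AccountName": "svc_inv", "FileName": "wmic.exe",
     "InitiatingProcessFileName": "powershell.exe", "ProcessCommandLine": "wmic computersystem get model"},
    {"DeviceName": "ws04", "AccountName": "dave", "FileName": "wmiprvse.exe",
     "InitiatingProcessFileName": "winword.exe", "ProcessCommandLine": "wmiprvse.exe -Embedding"},
]

def kql_eq_ci(value, literal):
    """KQL `=~`: case-insensitive equality of the whole string (not a substring test)."""
    return value.casefold() == literal.casefold()

def kql_in_ci(value, literals):
    """KQL `in~`: case-insensitive membership in a literal list."""
    return any(kql_eq_ci(value, lit) for lit in literals)

def office_spawning_wmic(events):
    """Replay of the rule's `where` clause; returns rows projected for triage."""
    hits = []
    for ev in events:
        if (kql_in_ci(ev["InitiatingProcessFileName"], OFFICE_PARENTS)
                and kql_eq_ci(ev["FileName"], WMIC)):
            hits.append({k: ev[k] for k in ("DeviceName", "AccountName",
                         "InitiatingProcessFileName", "FileName", "ProcessCommandLine")})
    return hits

if __name__ == "__main__":
    for hit in office_spawning_wmic(SAMPLE_EVENTS):
        print(hit)
```

Only the first two rows fire: the uppercase `WINWORD.EXE` parent and the mixed-case `WMIC.exe` child both match because `in~` and `=~` ignore case, while the PowerShell-spawned wmic.exe and the Word-spawned wmiprvse.exe do not.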
Known false-positive scenarios and suggested exclusions. The filters below are written in a generic `process.*` field notation and must be mapped to DeviceProcessEvents columns (for example InitiatingProcessFileName, ProcessCommandLine, AccountName) before they can be added to the KQL query.

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance Task Using WMIC | A legitimate scheduled task runs wmic to check system health or perform updates. | `process.parent_process_name == "schtasks.exe" or process.command_line contains "schtasks"` |
| Admin Performing WMI-Based System Inventory | An administrator uses wmic to gather system information during routine maintenance. | `process.user == "Administrator" and process.command_line contains "wmic /node"` |
| PowerShell Script Invoking WMIC for Reporting | A PowerShell script is used to generate system reports using wmic commands. | `process.parent_process_name == "powershell.exe" and process.command_line contains "Invoke-Command"` |
| Antivirus or Endpoint Protection Scanning Using WMIC | An endpoint protection tool uses wmic to query system state during a scan. | `process.process_name contains "mpcmdrun.exe" or process.process_name contains "mcafee"` |
| System Configuration Tool Using WMIC for Hardware Queries | A legitimate system configuration tool (e.g., devcon.exe) uses wmic to query hardware information. | `process.process_name contains "devcon.exe" or process.process_name contains "msinfo32.exe"` |