```yaml
title: WMI Remote Process Execution via Native Binaries
id: edr-win-lat-wmic-remote-node
status: stable
description: >
  Detects remote process execution via native Windows WMI binaries targeting remote hosts
  with the Win32_Process Create method. Covers wmic.exe /node: process call create and the
  PowerShell Invoke-WmiMethod / Invoke-CimMethod -ComputerName equivalents. Distinct from
  Impacket's wmiexec, which uses a Python-based client; this rule targets native binary abuse.
  Observed in Akira, Play, LockBit, Fog, and Scattered Spider intrusions.
references:
  - https://attack.mitre.org/techniques/T1047/
  - https://attack.mitre.org/techniques/T1021/006/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.lateral_movement
  - attack.execution
  - attack.t1047
  - attack.t1021.006
logsource:
  category: process_creation
  product: windows
detection:
  selection_wmic:
    Image|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - '/node:'
      - 'process'
      - 'call'
      - 'create'
  selection_powershell_wmi:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\powershell_ise.exe'
    CommandLine|contains|all:
      - 'Invoke-WmiMethod'
      - '-ComputerName'
      - 'Win32_Process'
      - 'Create'
  selection_powershell_cim:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\powershell_ise.exe'
    CommandLine|contains|all:
      - 'Invoke-CimMethod'
      - '-ComputerName'
      - 'Win32_Process'
      - 'Create'
  condition: selection_wmic or selection_powershell_wmi or selection_powershell_cim
falsepositives:
  - Legitimate remote administration scripts run by admin accounts against known inventory
  - Rare SCCM/configuration management workflows using direct wmic
level: high
```
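As an added check that is not part of the rule above, the following Python applies the rule's three selections (Sigma's case-insensitive `endswith` and `contains|all`, OR'd by the condition) to constructed process_creation events; the hostname and command lines are made up for the test, and the last two events are near-misses the rule should ignore.

```python
"""Added example: evaluate the rule's selections against constructed events."""

# Sigma string modifiers compare case-insensitively; mirror that here.
def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)

# Selections transcribed from the rule's detection block.
POWERSHELL = ["\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe"]
SELECTIONS = {
    "selection_wmic": (["\\wmic.exe"], ["/node:", "process", "call", "create"]),
    "selection_powershell_wmi": (POWERSHELL, ["Invoke-WmiMethod", "-ComputerName", "Win32_Process", "Create"]),
    "selection_powershell_cim": (POWERSHELL, ["Invoke-CimMethod", "-ComputerName", "Win32_Process", "Create"]),
}

def matching_selections(event):
    """Names of the selections this event satisfies (the rule condition is an OR)."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    return [name for name, (images, needles) in SELECTIONS.items()
            if _endswith_any(image, images) and _contains_all(cmd, needles)]

def rule_fires(event):
    return bool(matching_selections(event))

# Constructed sample events; FILESRV01 and the payloads are invented for the test.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"FILESRV01" process call create "notepad.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Invoke-WmiMethod -ComputerName FILESRV01 -Class Win32_Process -Name Create -ArgumentList notepad.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-CimMethod -ComputerName FILESRV01 -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine='notepad.exe'}"},
    # Local execution: no /node:, so the rule should stay silent.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process call create notepad.exe"},
    # Remote query without the Create method should not fire either.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"FILESRV01" process list brief'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matching_selections(ev), ev["CommandLine"])
```

The PowerShell selections only see inline command lines: an invocation that reads the cmdlets from a script file or an encoded command carries none of these strings in the process_creation event, so pair the rule with script block logging for that coverage.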