Adversaries may use a command shell wrapper for WMI to execute arbitrary commands while evading traditional command-line detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence or execution tactics that could lead to deeper compromise.
YARA Rule
rule hacktool_windows_ncc_wmicmd : FILE {
    meta:
        description = "Command shell wrapper for WMI"
        reference = "https://github.com/nccgroup/WMIcmd"
        author = "@mimeframe"
        id = "16f616e2-120c-5067-b083-957f49cb0baa"
    strings:
        $a1 = "Need to specify a username, domain and password for non local connections" wide ascii
        $a2 = "WS-Management is running on the remote host" wide ascii
        $a3 = "firewall (if enabled) allows connections" wide ascii
        $a4 = "WARNING: Didn't see stdout output finished marker - output may be truncated" wide ascii
        $a5 = "Command sleep in milliseconds - increase if getting truncated output" wide ascii
        $b1 = "0x800706BA" wide ascii
        $b2 = "NTLMDOMAIN:" wide ascii
        $b3 = "cimv2" wide ascii
    condition:
        any of ($a*) or all of ($b*)
}
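As an added example (not code from the original page or from the NCC Group WMIcmd project), the following Python reproduces the rule's string matching and condition over constructed sample buffers. It shows what the `wide ascii` modifiers search for and why the $b strings must all be present: the default WMI namespace `cimv2` and the `NTLMDOMAIN:` authority prefix also occur in benign WMI clients, so alone they would not identify the tool.

```python
# Added example (not from the original page or the NCC Group WMIcmd project):
# a pure-Python re-implementation of the rule's string matching and condition.
A_STRINGS = [  # $a1..$a5: tool-specific messages, any one is enough to match
    "Need to specify a username, domain and password for non local connections",
    "WS-Management is running on the remote host",
    "firewall (if enabled) allows connections",
    "WARNING: Didn't see stdout output finished marker - output may be truncated",
    "Command sleep in milliseconds - increase if getting truncated output",
]
B_STRINGS = ["0x800706BA", "NTLMDOMAIN:", "cimv2"]  # $b1..$b3: all required


def string_hits(data: bytes, pattern: str) -> list:
    """Offsets where `pattern` occurs as ASCII or as UTF-16LE, which is
    what YARA's `wide ascii` modifiers search for."""
    hits = []
    for encoded in (pattern.encode("ascii"), pattern.encode("utf-16-le")):
        start = 0
        while (pos := data.find(encoded, start)) != -1:
            hits.append(pos)
            start = pos + 1
    return sorted(hits)


def evaluate_rule(data: bytes) -> dict:
    """Mirror the condition `any of ($a*) or all of ($b*)`."""
    a_matched = [s for s in A_STRINGS if string_hits(data, s)]
    b_matched = [s for s in B_STRINGS if string_hits(data, s)]
    return {
        "matched": bool(a_matched) or len(b_matched) == len(B_STRINGS),
        "a_matched": a_matched,
        "b_matched": b_matched,
    }


# Constructed sample buffers (not real binaries).
# 1) A binary storing the tool's message as UTF-16LE (why `wide` is needed).
SAMPLE_WIDE_TOOL = b"\x00" * 8 + A_STRINGS[1].encode("utf-16-le") + b"\x00\x00"
# 2) A benign WMI client: default namespace and NTLM authority string,
#    but no RPC "server unavailable" code, so only two of three $b hit.
SAMPLE_BENIGN_CLIENT = b"root\\cimv2\x00NTLMDOMAIN:CORP\x00Win32_Process\x00"
# 3) The same client plus the error code: all of ($b*) is satisfied.
SAMPLE_ALL_B = SAMPLE_BENIGN_CLIENT + b"RPC error 0x800706BA\x00"

if __name__ == "__main__":
    for name, buf in [("wide tool", SAMPLE_WIDE_TOOL),
                      ("benign client", SAMPLE_BENIGN_CLIENT),
                      ("all $b", SAMPLE_ALL_B)]:
        print(name, evaluate_rule(buf))
```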
This rule contains 8 string patterns in its detection logic. The scenarios below describe legitimate WMI activity that can resemble use of this tool, each with a suggested filter or exclusion for tuning the hunt.
Scenario: Scheduled job using wbemtest for system diagnostics
Description: A system administrator uses wbemtest (a built-in Windows tool) to query WMI for system health checks as part of a scheduled maintenance task.
Filter/Exclusion: Check for wbemtest.exe in the process name or filter by user account (e.g., DOMAIN\Administrator or SYSTEM).
Scenario: PowerShell script using Get-WmiObject for inventory reporting
Description: A legitimate PowerShell script runs Get-WmiObject to collect hardware and software inventory data for compliance reporting.
Filter/Exclusion: Filter by script name or path (e.g., C:\Scripts\InventoryReport.ps1) or check for PowerShell.exe with known benign command lines.
Scenario: Admin task using wmic to manage services
Description: An administrator uses the wmic command-line tool to stop or start services as part of routine system management.
Filter/Exclusion: Filter by process name wmic.exe or check for known admin tasks (e.g., StopService or StartService commands).
Scenario: Remote WMI management via winrm for patching
Description: A patch management tool uses winrm to remotely execute WMI-based commands across a domain to apply updates.
Filter/Exclusion: Filter by source IP or domain controller IP, or check for known patching tools (e.g., Microsoft Patch Management).
Scenario: Legacy application using WMI for data retrieval
Description: A legacy enterprise application uses WMI to retrieve system information (e.g., CPU usage, disk space) as part of its normal operation.
Filter/Exclusion: Filter by application name or process