Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0002 ✕ technique: T1033 ✕
Show ATT&CK heatmapUser discovery via WMI query execution Informational 3 variations
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.Variations
User discovery via WMI query execution by an unsigned process
Low overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden
User modification via WMIC query execution
Low overridden
Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden
User discovery via WMIC query execution
Informational overridden
Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden