Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0002 ✕ technique: T1082 ✕
Show ATT&CK heatmapSystem profiling WMI query execution Informational
Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.