DET0364: Behavioral Detection Strategy for WMI Execution Abuse on Windows
Analyst context for executives and security teams
DET0364 is a detection strategy object for abuse of Windows Management Instrumentation (WMI) execution behavior. Its business value is in validating whether security teams can recognize when a legitimate Windows administration capability is being used to run commands or payloads in a way that may support intrusion activity. Because the supplied ATT&CK object has no official description or detection logic, teams should treat it as a prompt to assess coverage around the related ATT&CK technique T1047 rather than as a complete analytic.
Executive priority
Prioritize this as a Windows execution and administration-abuse coverage question: can the organization distinguish expected WMI management activity from suspicious command or payload execution? This matters for incident response speed, SOC visibility, and audit evidence around endpoint monitoring. Leaders should ask whether WMI activity is logged, retained, reviewed, and correlated with identity, endpoint, and remote administration context before assuming coverage exists.
Technical view
This detection strategy is related to ATT&CK T1047, Windows Management Instrumentation, under the Execution tactic and Windows platform. SOC and detection engineering teams should validate telemetry for WMI-driven process execution, local versus remote WMI use, parent-child process relationships, user/account context, host context, and command-line details where available. Because no official detection text is supplied for DET0364, implementation should be based on local baselining and the related technique context, not on a prescribed MITRE analytic.
Likely telemetry
- Windows endpoint process creation events, including parent-child relationships
- Command-line arguments for WMI-related execution where collected
- WMI activity logs or provider/consumer activity where enabled
- Authentication and account context for local or remote administrative activity
- Remote service or management activity correlated to source and destination hosts
Detection direction
- Validate that WMI-driven execution can be observed on Windows endpoints, especially where remote administration is permitted.
- Baseline legitimate administrative WMI use by IT tools, service accounts, and management servers to reduce false positives.
- Correlate WMI execution with unusual accounts, unexpected source hosts, abnormal timing, suspicious command lines, or downstream process creation.
- Check for blind spots where endpoint logging, command-line capture, WMI logging, or EDR coverage is incomplete.
- Use the relationship to T1047 as the analytic anchor; DET0364 itself does not provide official detection logic in the supplied fields.
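The telemetry list and the detection-direction items above can be exercised as one concrete analytic. What follows is an added example written for this page; it is not code from the ATT&CK object, from MITRE, or from Glexia. It runs two T1047-style rules over constructed Sysmon Event ID 1 / Security 4688-style process-creation records: (1) a script interpreter or LOLBin whose parent is WmiPrvSE.exe, which is where a Win32_Process.Create call lands whether it was issued locally or remotely, and (2) wmic.exe invoking "process call create", with "/node:" marking an explicit remote target. Known administrative accounts and management hosts are baselined by downgrading severity rather than suppressing the event, so baseline review still sees them. The field names, sample events, allowlists, and severity labels are assumptions for illustration.

```python
"""Prototype T1047 (WMI execution) analytic over process-creation events.

Added example, not part of the ATT&CK object or this page. Assumes Sysmon EID 1 /
Security 4688-style fields (Computer, User, Image, ParentImage, CommandLine) and a
constructed allowlist of expected admin identities and management hosts.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Interpreters and LOLBins that WmiPrvSE.exe should rarely spawn outside known tooling.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# wmic.exe process creation; /node: selects a remote target host.
WMIC_PROCESS_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
WMIC_REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    user: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (Sysmon logs full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict, allowed_accounts: set, allowed_source_hosts: set) -> Optional[Alert]:
    """Return an Alert for one process-creation record, or None if it matches no rule."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    user = event.get("User", "").lower()
    host = event.get("Computer", "").upper()
    known_account = user in allowed_accounts
    # For wmic.exe the event host is the *source* of the WMI call, so the host allowlist applies.
    known_source = known_account and host in allowed_source_hosts

    # Rule 1: child of the WMI provider host, local or remote Win32_Process.Create.
    if parent == "wmiprvse.exe" and image in SUSPICIOUS_CHILDREN:
        return Alert("wmi_spawned_interpreter", "low" if known_account else "high", host, user, cmd)

    # Rule 2: wmic.exe process creation, split by explicit remote targeting.
    if image == "wmic.exe" and WMIC_PROCESS_CREATE.search(cmd):
        if WMIC_REMOTE_NODE.search(cmd):
            return Alert("wmic_remote_process_create", "medium" if known_source else "high", host, user, cmd)
        return Alert("wmic_local_process_create", "low" if known_source else "medium", host, user, cmd)
    return None


def detect(events, allowed_accounts, allowed_source_hosts):
    """Apply classify() to a batch and keep the hits, in input order."""
    return [a for a in (classify(e, allowed_accounts, allowed_source_hosts) for e in events) if a]


def baseline(events) -> Counter:
    """Count WMI-driven executions per (user, host) to seed the allowlist review."""
    counts = Counter()
    for e in events:
        if _basename(e.get("ParentImage", "")) == "wmiprvse.exe" or _basename(e.get("Image", "")) == "wmic.exe":
            counts[(e.get("User", "").lower(), e.get("Computer", "").upper())] += 1
    return counts


# Constructed sample records (hypothetical hosts, accounts and command lines).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Computer": "WS02", "User": "CORP\\svc-sccm", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"Computer": "JUMP01", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic /node:WS03 process call create \"cmd.exe /c whoami > C:\\t.txt\""},
    {"Computer": "MGMT01", "User": "CORP\\svc-sccm", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "CommandLine": "wmic process call create \"C:\\Deploy\\agent.exe /quiet\""},
    {"Computer": "WS01", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]
ALLOWED_ACCOUNTS = {"corp\\svc-sccm"}      # constructed baseline of admin/service accounts
ALLOWED_SOURCE_HOSTS = {"MGMT01"}          # constructed baseline of management hosts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ALLOWED_ACCOUNTS, ALLOWED_SOURCE_HOSTS):
        print(f"[{alert.severity}] {alert.rule} host={alert.host} user={alert.user} cmd={alert.command_line}")
    print("baseline:", dict(baseline(SAMPLE_EVENTS)))
```

Rule 1 depends on parent-process and command-line capture: Sysmon Event ID 1 carries both, while Security 4688 records the command line only when "Include command line in process creation events" is enabled by audit policy, which is exactly the blind spot the last detection-direction item warns about. The allowlist downgrade keeps a low-severity record instead of dropping the event, so a compromised service account still leaves a trail that the baseline() counts can surface when a new (user, host) pair appears.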
Mitigation priorities
- Inventory legitimate WMI administrative use and restrict it to approved accounts, hosts, and management paths where feasible.
- Ensure Windows endpoint telemetry is enabled and retained long enough to support investigation.
- Apply least-privilege controls to administrative accounts and service accounts that can use WMI remotely.
- Review remote administration exposure and align monitoring with incident response playbooks.
- Document monitoring assumptions and gaps for compliance readiness and executive risk acceptance.
Analyst notes and limits
The object is a detection strategy, not a technique. The only substantive behavioral context supplied is its relationship to T1047 Windows Management Instrumentation, which is an Execution technique on Windows. The ATT&CK object itself does not include official description, platform, tactic, or detection text, so any production analytic should be validated against local Windows administration patterns.
This take is limited to the supplied STIX fields, the MITRE external reference, and the relationship to T1047. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local telemetry availability, logging configuration, administrative tooling, and account architecture determine practical detection quality.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | This object detects Windows Management Instrumentation. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fdcd7c7a71a7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0364 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.