wmic

Item	Source Host	Destination Host
OS	Windows
Belonging to Domain	Not required
Rights	Standard user	Administrator
Communication Protocol	135/tcp, 445/tcp, a randomly selected TCP port 1024 or higher

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. CommandLine: Command line of the execution command (wmic /NODE:"[Destination]" [Process]) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) User: Execute as user ([Domain]\[Administrator])
2	Security	4689	Process Termination	A process has exited. Log Date and Time: Process terminated date and time (local time) Process Information > Exit Status: Process return value (0x0) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Process Name: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe)
3	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination port: 135)

#	Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (destination port: 135) DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
2	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe) CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding) ParentCommandLine: Command line of the parent process (C:\Windows\System32\svchost.exe -k DcomLaunch) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process CurrentDirectory: Work directory CommandLine: Command line of the execution command (wmic /NODE:"[Destination]" [Process]) IntegrityLevel: Privilege level (High) ParentCommandLine: Command line of the parent process UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user ([Domain]\[Administrator]) Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe)
1	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Source Process Name: Path to parent process that created the new process Log Date and Time: Process execution date and time (local time) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
2	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\USER\[User SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap)
3	Security	4703	Token Right Adjusted Events	A token right was adjusted. Disabled Privileges: Disabled privileges (-) Target Account > Security ID/Account Name/Account Domain: Target user SID/Account name/Domain Target Account > Logon ID: Session ID of the target user Enabled Privileges: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process Process Information > Process ID: ID of the executed process Process Information > Process Name: Name of the executed process (C:\Windows\System32\wbem\WMIC.exe)
	Security	4674	Sensitive Privilege Use	An operation was attempted on a privileged object. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Name of the object to be processed (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters) Object > Object Server: Service that executed the process (Security) Requested operation > Special Privileges: Requested privileges (SeTakeOwnershipPrivilege) Process Information > Process Name: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) Object > Object Type: Type of the object to be processed (Key) Subject > Logon ID: Session ID of the user who executed the process
	Security	4674	Sensitive Privilege Use	An operation was attempted on a privileged object. Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Name of the object to be processed (-) Object > Object Server: Service that executed the process (Security) Requested operation > Special Privileges: Requested privileges (SeTakeOwnershipPrivilege) Process Information > Process Name: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) Object > Object Type: Type of the object to be processed (-) Subject > Logon ID: Session ID of the user who executed the process
4	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (C:\Windows\System32\svchost.exe) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) DestinationPort: Destination port number (135) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (135) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
5	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (Domain Controller IP address) Image: Path to the executable file (C:\Windows\System32\wbem\lsass.exe) DestinationHostname: Destination host name (Domain Controller host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (88) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (88) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
6	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (destination host IP address) Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) DestinationHostname: Destination host name (destination host name) ProcessGuid/ProcessId: Process ID User: Execute as user ([Domain]\[User Name]) DestinationPort: Destination port number (high port) SourcePort: Source port number (high port) SourceHostname: Source host name (source host name) SourceIp: Source IP address (source host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\wbem\wmic.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (destination host) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (source host) Application Information > Process ID: Process ID
7	Microsoft-Windows-Sysmon/Operational	5	Process terminated (rule: ProcessTerminate)	Process terminated. UtcTime: Process terminated date and time (UTC) ProcessGuid/ProcessId: Process ID Image: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe)
7	Security	4689	Process Termination	A process has exited. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Process Information > Exit Status: Process return value (0x0) Log Date and Time: Process terminated date and time (local time) Process Information > Process Name: Path to the executable file (C:\Windows\System32\wbem\WMIC.exe) Subject > Logon ID: Session ID of the user who executed the process
8	Microsoft-Windows-Sysmon/Operational	11	File created (rule: FileCreate)	File created. Image: Path to the executable file (C:\Windows\System32\svchost.exe) ProcessGuid/ProcessId: Process ID TargetFilename: Created file (C:\Windows\Prefetch\WMIC.EXE-[RANDOM].pf) CreationUtcTime: File creation date and time (UTC)
	Security	4656	File System/Other Object Access Events	A handle to an object was requested. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData) Object > Object Name: Target file name (C:\Windows\Prefetch\WMIC.EXE-[RANDOM].pf) Subject > Account Name: Name of the account　that executed the tool ([Source Host Name]$) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Object > Object Type: Type of the file (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle
	Security	4663	File System	An attempt was made to access an object. Process Information > Process ID: Process ID (hexadecimal) Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (WriteData or AddFile, AppendData) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Object > Object Name: Target file name (C:\Windows\Prefetch\WMIC.EXE-[RANDOM].pf) Audit Success: Success or failure (access successful) Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe) Object > Object Type: Category of the target (File) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
	Security	4658	File System	The handle to an object was closed. Process Information > Process ID: Process ID (hexadecimal) Subject > Account Name: Name of the account that executed the tool (source host name) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > Process Name: Name of the process that requested the object (C:\Windows\System32\svchost.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)

- USN Journal

#	File Name	Process	Attribute
1	WMIC.EXE-[RANDOM].pf	FILE_CREATE	archive+not_indexed
	WMIC.EXE-[RANDOM].pf	DATA_EXTEND+FILE_CREATE	archive+not_indexed
	WMIC.EXE-[RANDOM].pf	CLOSE+DATA_EXTEND+FILE_CREATE	archive+not_indexed

- MFT

#	Path	Header Flag	Validity
1	[Drive Name]:\Windows\Prefetch\WMIC.EXE-[RANDOM].pf	FILE	ALLOCATED

- Prefetch

#	Prefetch File	Process Name	Process Path	Information That Can Be Confirmed
1	C:\Windows\Prefetch\WMIC.EXE-[RANDOM].pf	WMIC.EXE	C:\WINDOWS\SYSTEM32\WBEM\WMIC.EXE	Last Run Time (last execution date and time)

- Event Log

#	Event Log	Event ID	Task Category	Event Details
1	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32\svchost.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) DestinationPort: Destination port number (high port) SourcePort: Source port number (135) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
1	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (135) Network Information > Destination Address: Destination IP address (source host IP address) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (destination host IP address) Application Information > Process ID: Process ID
2	Security	4672	Special Logon	Privileges assigned to a new logon. Privileges: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool Subject > Logon ID: Session ID of the user who executed the process
2	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) (0x0) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Package Name (NTLM only): NTLM version (-) Detailed Authentication Information > Logon Process: Process used for logon (Kerberos) Network Information > Source Port: Source port number (high port) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on Logon Type: Logon path, method, etc. (3=Network) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file (-) Detailed Authentication Information > Authentication Package: Authentication package used (Kerberos) Network Information > Source Network Address: IP address that requested the logon (source host IP address) Subject > Logon ID: Session ID of the user who executed the authentication
3	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (Domain Controller IP address) Image: Path to the executable file (C:\Windows\System32\lsass.exe) DestinationHostname: Destination host name (Domain Controller host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (88) SourcePort: Source port number (high port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
	Security	5158	Filtering Platform Connection	The Windows Filtering Platform has permitted a bind to a local port. Network Information > Protocol: Protocol used (6=TCP) Network Information > Source Port: Bind local port (high port) Application Information > Process ID: Process ID Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (88) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (Domain Controller IP address) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe) Network Information > Direction: Communication direction (outbound) Network Information > Source Address: Source IP address (destination host IP address) Application Information > Process ID: Process ID
4	Microsoft-Windows-Sysmon/Operational	3	Network connection detected (rule: NetworkConnect)	Network connection detected. Protocol: Protocol (tcp) DestinationIp: Destination IP address (source host IP address) Image: Path to the executable file (C:\Windows\System32\svchost.exe) DestinationHostname: Destination host name (source host name) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\SYSTEM) DestinationPort: Destination port number (high port) SourcePort: Source port number (high port) SourceHostname: Source host name (destination host name) SourceIp: Source IP address (destination host IP address)
4	Security	5156	Filtering Platform Connection	The Windows Filtering Platform has allowed a connection. Network Information > Destination Port: Destination port number (high port) Network Information > Source Port: Source port number (high port) Network Information > Destination Address: Destination IP address (source host IP address) Network Information > Protocol: Protocol used (6=TCP) Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe) Network Information > Direction: Communication direction (inbound) Network Information > Source Address: Source IP address (destination host IP address) Application Information > Process ID: Process ID
5	Security	4624	Logon	An account was successfully logged on. Process Information > Process ID: Process ID (hexadecimal) Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Target Host Name]/[Domain]) New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on Detailed Authentication Information > Package Name (NTLM only): NTLM version (-) Detailed Authentication Information > Logon Process: Process used for logon (Advapi) Network Information > Source Port: Source port number (-) New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on ([NETWORK SERVICE]/[NETWORK SERVICE]/[NT AUTHORITY]) Logon Type: Logon path, method, etc. (5=Service) Network Information > Workstation Name: Name of the host that requested the logon Detailed Authentication Information > Key Length: Length of the key used for the authentication (0) Process Information > Process Name: Path to the executable file (C:\Windows\System32\svchost.exe) Detailed Authentication Information > Authentication Package: Authentication package used (Negotiate) Network Information > Source Network Address: IP address that requested the logon (-) Subject > Logon ID: Session ID of the user who executed the authentication
6	Microsoft-Windows-Sysmon/Operational	1	Process Create (rule: ProcessCreate)	Process Create. LogonGuid/LogonId: ID of the logon session ParentProcessGuid/ParentProcessId: Process ID of the parent process ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe) CurrentDirectory: Work directory CommandLine: Command line of the execution command (C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding) IntegrityLevel: Privilege level (System) ParentCommandLine: Command line of the parent process (C:\Windows\System32\svchost.exe -k DcomLaunch) UtcTime: Process execution date and time (UTC) ProcessGuid/ProcessId: Process ID User: Execute as user (NT AUTHORITY\NETWORK SERVICE) Hashes: Hash value of the executable file Image: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe)
6	Security	4688	Process Create	A new process has been created. Process Information > Required Label: Necessity of privilege escalation Process Information > Source Process Name: Path to parent process that created the new process Subject > Account Name: Name of the account that executed the tool (destination host name) Log Date and Time: Process execution date and time (local time) Subject > Account Domain: Domain to which the account belongs (domain) Process Information > New Process Name: Path to the executable file (C:\Windows\System32\wbem\WmiPrvSE.exe) Process Information > Token Escalation Type: Presence of privilege escalation (1) Process Information > New Process ID: Process ID (hexadecimal) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7 Subject > Logon ID: Session ID of the user who executed the process
7	Microsoft-Windows-Sysmon/Operational	12	Registry object added or deleted (rule: RegistryEvent)	Registry object added or deleted. EventType: Process type (CreateKey) Image: Path to the executable file (C:\Windows\system32\wbem\wmiprvse.exe) ProcessGuid/ProcessId: Process ID TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SOFTWARE\Microsoft\WBEM)
8	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\smss.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\csrss.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\wininit.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\winlogon.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\services.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\lsass.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\lsm.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\svchost.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\spoolsv.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\taskhost.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\Dwm.exe)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\Explorer.EXE)
	Microsoft-Windows-Sysmon/Operational	10	Process accessed (rule: ProcessAccess)	Process accessed. SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID TargetProcessGUID/TargetProcessId: Process ID of the access destination process GrantedAccess: Details of the granted access (0x1410) SourceImage: Path to the access source process (C:\Windows\system32\wbem\wmiprvse.exe) TargetImage: Path to the access destination process (C:\Windows\System32\SearchIndexer.exe)
9	Security	4611	Security System Extension	A trusted logon process has been registered with the Local Security Authority. A logon request was sent by this logon process. Subject > Account Name: Account name (destination host name) Logon Process Name: Name of the process that logged on (ConsentUI) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Account Domain: Domain (Domain) Subject > Logon ID: Session ID of the user who executed the process
	Security	4673	Sensitive Privilege Use	A privileged service was called. Service Request Information > Privilege: Privileges used (SeTcbPrivilege) Subject > Account Name: Name of the account that executed the tool (destination host name) Subject > Account Domain: Domain to which the account belongs (domain) Process > Process ID: ID of the process that used the privilege Process > Process Name: Process that used the privileges (C:\Windows\System32\lsass.exe) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Logon ID: Session ID of the user who executed the process
	Security	4611	Security System Extension	A trusted logon process has been registered with the Local Security Authority. A logon request was sent by this logon process. Subject > Account Name: Account name (destination host name) Logon Process Name: Name of the process that logged on (CredProvConsent) Subject > Security ID: SID of the user who executed the tool (SYSTEM) Subject > Account Domain: Domain (Domain) Subject > Logon ID: Session ID of the user who executed the process

wmic

- Table of Contents

- Tool Overview

- Tool Operation Overview

- Information Acquired from Log

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

Prefetch

- Destination Host

Event log

- Details: Source Host

- Event Log

- USN Journal

- MFT

- Prefetch

- Details: Destination Host

- Event Log