Windows Management Instrumentation `T1047`

Tactic: Execution

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.

Events covered

20 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 10	ProcessAccess
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)
Sysmon	Event ID 17	PipeEvent (Pipe Created)
Sysmon	Event ID 18	PipeEvent (Pipe Connected)
Sysmon	Event ID 19	WmiEvent (WmiEventFilter activity detected)
Sysmon	Event ID 20	WmiEvent (WmiEventConsumer activity detected)
Sysmon	Event ID 21	WmiEvent (WmiEventConsumerToFilter activity detected)
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4648	A logon was attempted using explicit credentials.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 5145	A network share object was checked to see whether client can be granted desired access.
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender	Event ID 1121	Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

Authoring guide

Patterns shared across the 117 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (47 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	57	`contains` 40, `regex_match` 8, `match` 6, `in` 4, `ends_with` 2, `eq` 2, `starts_with` 2, `is_not_null` 1	`call`, `create`, `(?i)\s(os\|logicaldisk\|share\|cpu\|memorychip\|useraccount\|ni...`, `call` , `service`
`Image`	45	`ends_with` 40, `contains` 3, `wildcard` 2, `eq` 1, `starts_with` 1	`\wmic.exe`, `\cmd.exe`, `\powershell.exe`, `\pwsh.exe`, `\wmiprvse.exe`
`process_name`	40	`eq` 31, `in` 4, `ends_with` 2, `match` 2, `regex_match` 2	`wmic.exe`, `cmd.exe`, `powershell.exe`, `certutil.exe`, `cscript.exe`
`OriginalFileName`	38	`eq` 38	`wmic.exe`, `powershell.exe`, `pwsh.dll`, `bitsadmin.exe`, `certoc.exe`
`EventID`	23	`eq` 23	`4688`, `4104`, `1`, `10`, `4103`
`event.type`	21	`eq` 20, `ne` 1	`start`, `change`, `deletion`
`parent_process_name`	21	`eq` 14, `in` 3, `match` 2, `regex_match` 2, `ends_with` 1	`wmiprvse.exe`, `WmiPrvSE.exe`, `cmd.exe`, `(?i)(WmiPrvSE)`, `(?i)(\x5cwbem\x5cwmiprvse\.exe)`
`process.args`	13	`eq` 9, `wildcard` 3, `contains` 2, `ends_with` 1, `is_not_null` 1, `starts_with` 1	`create`, `delete`, `get`, `-format:`, `Reflection.Assembly*`
`ParentImage`	11	`ends_with` 11, `contains` 1	`\wmiprvse.exe`, `\eqnedt32.exe`, `\excel.exe`, `\msaccess.exe`, `\explorer.exe`
`ScriptBlockText`	6	`contains` 4, `in` 2, `eq` 1	`active_users` , `basic_info` , `change_user` , `win32_service` , `invoke-cimmethod`
`Type`	6	`eq` 6
`event.category`	5	`eq` 5	`process`, `library`, `driver`
`EventType`	4	`starts_with` 3, `eq` 1	`Image loaded`, `start`
`file.name`	4	`eq` 4	`wmiutils.dll`, `cmstp.exe.log`, `cscript.exe.log`, `dllhost.exe.log`, `jscript.dll`
`ImageLoaded`	3	`ends_with` 3	`\fastprox.dll`, `\wbemcomn.dll`, `\wbem\wbemcomn.dll`, `\wbemprox.dll`, `\wbemsvc.dll`

Top indicator values (760 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`OriginalFileName`	`eq`	`wmic.exe` sigmaApplication Removed Via Wmic.EXE sigmaApplication Terminated Via Wmic.EXE sigmaComputer System Reconnaissance Via Wmic.EXE sigmaHardware Model Reconnaissance Via Wmic.EXE sigmaNew Process Created Via Wmic.EXE sigmaPassword Set to Never Expire via WMI sigmaPotential Product Class Reconnaissance Via Wmic.EXE sigmaPotential Product Reconnaissance Via Wmic.EXE sigmaPotential Remote SquiblyTwo Technique Execution sigmaPotential Unquoted Service Path Reconnaissance Via Wmic.EXE sigmaPotential Windows Defender Tampering Via Wmic.EXE sigmaProcess Reconnaissance Via Wmic.EXE sigmaRDP Enable or Disable via Win32_TerminalServiceSetting WMI Class sigmaRegistry Manipulation via WMI Stdregprov sigmaService Reconnaissance Via Wmic.EXE sigmaService Started/Stopped Via Wmic.EXE sigmaService Startup Type Change Via Wmic.EXE sigmaSuspicious Autorun Registry Modified via WMI sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WMIC Execution Via Office Process sigmaSystem Disk And Volume Reconnaissance Via Wmic.EXE sigmaWindows Hotfix Updates Reconnaissance Via Wmic.EXE sigmaWMIC Remote Command Execution sigmaXSL Script Execution Via WMIC.EXE elasticPersistence via WMI Event Subscription elasticSecurity Software Discovery using WMIC elasticSuspicious WMIC XSL Script Execution elasticVolume Shadow Copy Deletion via WMIC splunkRemote Process Instantiation via WMI splunkRemote WMI Command Attempt splunkWindows WMI Process And Service List splunkWindows WMI Process Call Create splunkWindows WMI Reconnaissance Class Query	33	61
`OriginalFileName`	`eq`	`powershell.exe` sigmaPotential WMI Lateral Movement WmiPrvSE Spawned PowerShell sigmaRDP Enable or Disable via Win32_TerminalServiceSetting WMI Class sigmaSuspicious Microsoft Office Child Process elasticWindows Script Interpreter Executing Process via WMI splunkRemote Process Instantiation via WMI and PowerShell	5	120
`Image`	`ends_with`	`\wmic.exe` sigmaApplication Removed Via Wmic.EXE sigmaApplication Terminated Via Wmic.EXE sigmaBlue Mockingbird sigmaComputer System Reconnaissance Via Wmic.EXE sigmaHardware Model Reconnaissance Via Wmic.EXE sigmaHTML Help HH.EXE Suspicious Child Process sigmaNew Process Created Via Wmic.EXE sigmaPassword Set to Never Expire via WMI sigmaPotential Maze Ransomware Activity sigmaPotential Product Class Reconnaissance Via Wmic.EXE sigmaPotential Product Reconnaissance Via Wmic.EXE sigmaPotential Remote SquiblyTwo Technique Execution sigmaPotential Unquoted Service Path Reconnaissance Via Wmic.EXE sigmaPotential Windows Defender Tampering Via Wmic.EXE sigmaProcess Reconnaissance Via Wmic.EXE sigmaRDP Enable or Disable via Win32_TerminalServiceSetting WMI Class sigmaRegistry Manipulation via WMI Stdregprov sigmaService Reconnaissance Via Wmic.EXE sigmaService Started/Stopped Via Wmic.EXE sigmaService Startup Type Change Via Wmic.EXE sigmaSuspicious Autorun Registry Modified via WMI sigmaSuspicious Microsoft Office Child Process sigmaSystem Disk And Volume Reconnaissance Via Wmic.EXE sigmaWindows Hotfix Updates Reconnaissance Via Wmic.EXE sigmaWMIC Remote Command Execution sigmaXSL Script Execution Via WMIC.EXE	26	60
`Image`	`ends_with`	`\powershell.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential WMI Lateral Movement WmiPrvSE Spawned PowerShell sigmaRDP Enable or Disable via Win32_TerminalServiceSetting WMI Class sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaWMI spwaning PowerShell process - WMImplant	6	182
`Image`	`ends_with`	`\pwsh.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaPotential WMI Lateral Movement WmiPrvSE Spawned PowerShell sigmaRDP Enable or Disable via Win32_TerminalServiceSetting WMI Class sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaWMI spwaning PowerShell process - WMImplant	6	168
`Image`	`ends_with`	`\cmd.exe` sigmaBlue Mockingbird sigmaHTML Help HH.EXE Suspicious Child Process sigmaImpacket WMIexec process execution sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	5	130
`Image`	`ends_with`	`\cscript.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	4	73
`Image`	`ends_with`	`\mshta.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	4	67
`Image`	`ends_with`	`\msiexec.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	4	21
`Image`	`ends_with`	`\regsvr32.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	4	65
`Image`	`ends_with`	`\rundll32.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	4	95
`Image`	`ends_with`	`\wmiprvse.exe` sigmaSuspicious WmiPrvSE Child Process sigmaWMI module loaded by suspicious process sigmaWmiPrvSE Spawned A Process sigmaWmiprvse Wbemcomn DLL Hijack	4	2
`Image`	`ends_with`	`\wscript.exe` sigmaHTML Help HH.EXE Suspicious Child Process sigmaScript Event Consumer Spawning Process sigmaSuspicious Microsoft Office Child Process sigmaSuspicious WmiPrvSE Child Process	4	75
`event.type`	`eq`	`start` elasticEnumeration Command Spawned via WMIPrvSE elasticMicrosoft Build Engine Started by a System Process elasticMofcomp Activity elasticPersistence via WMI Event Subscription elasticSecurity Software Discovery using WMIC elasticService Control Spawned via Script Interpreter elasticSuspicious .NET Code Compilation elasticSuspicious Cmd Execution via WMI elasticSuspicious Execution from a Mounted Device elasticSuspicious ScreenConnect Client Child Process elasticSuspicious WMIC XSL Script Execution elasticVolume Shadow Copy Deletion via PowerShell elasticVolume Shadow Copy Deletion via WMIC elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Script Interpreter Executing Process via WMI elasticWindows System Information Discovery elasticWMI Incoming Lateral Movement elasticWMI WBEMTEST Utility Execution elasticWMIC Remote Command	19	606
`process_name`	`eq`	`wmic.exe` elasticDelayed Execution via Ping elasticPersistence via WMI Event Subscription elasticSecurity Software Discovery using WMIC elasticSuspicious Execution from a Mounted Device elasticSuspicious ScreenConnect Client Child Process elasticSuspicious WMIC XSL Script Execution elasticVolume Shadow Copy Deletion via WMIC elasticWindows System Information Discovery elasticWMIC Remote Command splunkRemote Process Instantiation via WMI splunkRemote WMI Command Attempt splunkWindows WMI Process And Service List splunkWindows WMI Process Call Create splunkWindows WMI Reconnaissance Class Query	14	47
`process_name`	`eq`	`cmd.exe` elasticSuspicious Cmd Execution via WMI elasticSuspicious Execution from a Mounted Device elasticSuspicious ScreenConnect Client Child Process elasticWindows System Information Discovery splunkImpacket Lateral Movement Commandline Parameters splunkImpacket Lateral Movement smbexec CommandLine Parameters splunkPossible Lateral Movement PowerShell Spawn	7	77
`process_name`	`eq`	`powershell.exe` elasticDelayed Execution via Ping elasticSuspicious Execution from a Mounted Device elasticSuspicious ScreenConnect Client Child Process elasticVolume Shadow Copy Deletion via PowerShell splunkRemote Process Instantiation via WMI and PowerShell	5	104
`process_name`	`eq`	`cscript.exe` elasticDelayed Execution via Ping elasticSuspicious Execution from a Mounted Device elasticSuspicious ScreenConnect Client Child Process elasticWindows Script Interpreter Executing Process via WMI	4	25
`process_name`	`eq`	`wscript.exe` elasticDelayed Execution via Ping elasticSuspicious Execution from a Mounted Device elasticSuspicious ScreenConnect Client Child Process elasticWindows Script Interpreter Executing Process via WMI	4	29
`EventID`	`eq`	`4688` splunkImpacket_Empire's WMIExec (Windows Event Log) splunkRemote WMIC Query (Windows Event Log) splunkSystem Enumeration with WMIC (Windows Event Log) splunkWinRM Tools (Windows Event Log) splunkWMI subscription execution (Windows Event Log) splunkWMIC Explicit Credentials (Windows Event Log) splunkWMIC Host Reconniassance (Windows Event Log) splunkWmiPrvSE Suspicious Child Process (Windows Event Log) kustoPowershell Empire Cmdlets Executed in Command Line	9	313
`EventID`	`eq`	`4104` splunkPowerShell Invoke CIMMethod CIMSession splunkPowerShell Invoke WmiExec Usage splunkRemote Process Instantiation via WMI and PowerShell Script Block splunkRemote WMIC Query (PowerShell) splunkWinRM Tools (PowerShell) splunkWMIC Host Reconniassance (PowerShell)	6	268
`EventID`	`eq`	`1` splunkSystem Enumeration with WMIC (Sysmon) splunkWinRM Tools (Sysmon) splunkWMIC Explicit Credentials (Sysmon) splunkWMIC Host Reconniassance (Sysmon) splunkWmiPrvSE Suspicious Child Process (Sysmon)	5	237
`CommandLine`	`contains`	`call` sigmaApplication Removed Via Wmic.EXE sigmaApplication Terminated Via Wmic.EXE sigmaNew Process Created Via Wmic.EXE sigmaProcess Reconnaissance Via Wmic.EXE sigmaRegistry Manipulation via WMI Stdregprov sigmaSuspicious WMIC Execution Via Office Process splunkRemote Process Instantiation via WMI	7	8
`CommandLine`	`contains`	`create` sigmaNew Process Created Via Wmic.EXE sigmaProcess Reconnaissance Via Wmic.EXE sigmaService Reconnaissance Via Wmic.EXE sigmaSuspicious WMIC Execution Via Office Process splunkRemote Process Instantiation via WMI	5	24
`CommandLine`	`contains`	`process` sigmaNew Process Created Via Wmic.EXE sigmaProcess Reconnaissance Via Wmic.EXE sigmaSuspicious WMIC Execution Via Office Process splunkRemote Process Instantiation via WMI	4	5
`CommandLine`	`contains`	`cscript` sigmaSuspicious Process Created Via Wmic.EXE sigmaSuspicious WMIC Execution Via Office Process sigmaSuspicious WmiPrvSE Child Process	3	15
`CommandLine`	`contains`	`mshta` sigmaSuspicious Process Created Via Wmic.EXE sigmaSuspicious WMIC Execution Via Office Process sigmaSuspicious WmiPrvSE Child Process	3	14
`ParentImage`	`ends_with`	`\wmiprvse.exe` sigmaHackTool - Potential Impacket Lateral Movement Activity sigmaPotential WMI Lateral Movement WmiPrvSE Spawned PowerShell sigmaSuspicious Autorun Registry Modified via WMI sigmaWMI spwaning PowerShell process - WMImplant sigmaWmiPrvSE Spawned A Process	5	8
`event.category`	`eq`	`process` elasticDeprecated - PowerShell Script with Remote Execution Capabilities via WinRM elasticSuspicious WMI Image Load from MS Office elasticSuspicious WMIC XSL Script Execution elasticWeb Shell Detection: Script Process Child of Common Web Processes elasticWindows Script Interpreter Executing Process via WMI	5	128
`parent_process_name`	`eq`	`wmiprvse.exe` elasticEnumeration Command Spawned via WMIPrvSE elasticMicrosoft Build Engine Started by a System Process elasticWindows Script Interpreter Executing Process via WMI splunkImpacket Lateral Movement WMIExec Commandline Parameters splunkWmiprvse LOLBAS Execution Process Spawn	5	11

Exclusions (154 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`user.id`	`eq`	`S-1-5-18` elasticDelayed Execution via Ping elasticDeprecated - PowerShell Script with Remote Execution Capabilities via WinRM elasticMofcomp Activity elasticService Control Spawned via Script Interpreter elasticWindows System Information Discovery elasticWMI Incoming Lateral Movement	6
`Image`	`ends_with`	`\wmiprvse.exe` sigmaSuspicious WmiPrvSE Child Process sigmaWMI module loaded by suspicious process sigmaWmiPrvSE Spawned A Process	3
`Image`	`ends_with`	`\werfault.exe` sigmaSuspicious WmiPrvSE Child Process sigmaWmiPrvSE Spawned A Process	2
`CommandLine`	`contains`	`create` sigmaProcess Reconnaissance Via Wmic.EXE sigmaService Reconnaissance Via Wmic.EXE	2
`CommandLine`	`contains`	`install` sigmaPotential Product Reconnaissance Via Wmic.EXE	1
`CommandLine`	`contains`	`uninstall` sigmaPotential Product Reconnaissance Via Wmic.EXE	1
`CommandLine`	`contains`	`.\\install\\awk.exe` elasticWeb Shell Detection: Script Process Child of Common Web Processes	1
`CommandLine`	`contains`	`/i` sigmaSuspicious WmiPrvSE Child Process	1
`CommandLine`	`contains`	`127.0.0.1` sigmaWMIC Remote Command Execution	1
`CommandLine`	`contains`	`://` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`\\\\` sigmaXSL Script Execution Via WMIC.EXE	1
`CommandLine`	`contains`	`\\dismhost.exe` splunkProcess Execution via WMI	1
`CommandLine`	`contains`	`c:\\windows\\ccm\\` splunkPossible Lateral Movement PowerShell Spawn	1
`process_name`	`match`	`(?i)(werfault\|wmiprvse)\.exe` splunkWmiPrvSE Suspicious Child Process (Sysmon) splunkWmiPrvSE Suspicious Child Process (Windows Event Log)	2
`user`	`contains`	`authori\|autori` splunkWmiPrvSE Suspicious Child Process (Sysmon) splunkWmiPrvSE Suspicious Child Process (Windows Event Log)	2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Windows Management Instrumentation `T1047`

Events covered

Authoring guide

Fields filtered most (47 distinct)

Top indicator values (760 distinct)

Exclusions (154 distinct)

Rules under this technique

Sigma 54 rules

Elastic 24 rules

Splunk 37 rules

Kusto 1 rule

YARA-L 1 rule

Keyboard shortcuts

Search operators

Windows Management Instrumentation T1047

Events covered

Authoring guide

Fields filtered most (47 distinct)

Top indicator values (760 distinct)

Exclusions (154 distinct)

Rules under this technique

Sigma 54 rules

Elastic 24 rules

Splunk 37 rules

Kusto 1 rule

YARA-L 1 rule

Windows Management Instrumentation `T1047`