TH Wmic PS Encoded

# WMIC spawning PowerShell with encoded command

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title                                                        | Link                                                        |
|--------------|--------------------------------------------------------------|-------------------------------------------------------------|
| T1047        | Windows Management Instrumentation                           | https://attack.mitre.org/techniques/T1047/                  |
| T1059.001    | Command and Scripting Interpreter: PowerShell                | https://attack.mitre.org/techniques/T1059/001/              |
| T1218        | System Binary Proxy Execution                                | https://attack.mitre.org/techniques/T1218/                  |
| T1027        | Obfuscated Files or Information                              | https://attack.mitre.org/techniques/T1027/                  |

### Description

Use the query below to detect suspicious use of WMIC that spawns a PowerShell process with an encoded command.

### Example

The example below runs wmic, which spawns a PowerShell process that executes the command `Write-Output "WMIC benign test - safe"`:

```powershell
wmic process call create "powershell -NoProfile -EncodedCommand VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAFcATQBJAEMAIABiAGUAbgBpAGcAbgAgAHQAZQBzAHQAIAAtACAAcwBhAGYAZQAiAA=="
```

#### References

### Author

- **Alex Verboon**

## Defender XDR

```kql
DeviceProcessEvents
// =~ is case-insensitive, so wmic.exe, WMIC.exe and Wmic.exe all match
| where FileName =~ @"WMIC.exe"
| where ProcessCommandLine has_any ("EncodedCommand","Enc")
| project Timestamp, DeviceName, InitiatingProcessFileName, ActionType, AccountName, ProcessCommandLine
// (?i) makes the RE2 match case-insensitive, mirroring has_any above (-enc, -Enc, -ENC)
| extend Encoded = extract(@"(?i)-(?:EncodedCommand|enc)\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
| where isnotempty(Encoded)
// PowerShell encodes the script as UTF-16LE while base64_decode_tostring() yields UTF-8,
// so strip the interleaved NUL bytes to get a readable command
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
```

### Explanation

This query is designed to detect suspicious activity where the Windows Management Instrumentation Command-line (WMIC) tool is used to start a PowerShell process with an encoded command. This is often a technique used by attackers to obfuscate malicious commands.

Here's a simple breakdown of what the query does:

  1. Data Source: It looks at events related to processes on devices (DeviceProcessEvents).

  2. Filter for WMIC: It specifically filters for events where the process name is WMIC.exe.

  3. Encoded Commands: It further filters these events to find instances where the command line includes "EncodedCommand" or "Enc". These are indicators that a PowerShell command is being run in an encoded form.

  4. Extract and Decode: The query extracts the encoded command from the command line and decodes it from Base64 format to reveal the actual command being executed.

  5. Output: It provides details such as the timestamp, device name, initiating process, action type, account name, and both the original and decoded command lines.

This query helps security analysts identify potentially malicious activities where attackers use WMIC to execute hidden PowerShell commands.
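Worked example, added here and not part of the original query or its author's material: a Python version of the extract-and-decode steps (4 and 5 above) run over constructed command lines, including this page's benign test command. It goes beyond the query's regular expression by accepting the switch prefixes powershell.exe actually honours (-e, -ec, -enc, ...) and decodes the payload as UTF-16LE, which is how PowerShell encodes it; the regular expressions, sample lines and function names are my own assumptions.

```python
from __future__ import annotations
import base64
import binascii
import re

# Constructed sample command lines, not real telemetry. The first is the benign
# test command from this page; the others exercise switch aliases, casing and a
# PowerShell launch that is not encoded at all.
SAMPLE_COMMAND_LINES = [
    'wmic process call create "powershell -NoProfile -EncodedCommand '
    'VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAFcATQBJAEMAIABiAGUAbgBpAGcAbgAgAHQAZQBzAHQAIAAtACAAcwBhAGYAZQAiAA=="',
    'WMIC.exe process call create "powershell.exe -nop -w hidden -enc %s"'
    % base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    'wmic process call create "powershell -ExecutionPolicy Bypass -Command Get-Date"',
    'notepad.exe C:\\temp\\notes.txt',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc,
# ...) regardless of case, so match the switch loosely and check the prefix.
SWITCH_RE = re.compile(r'(?:^|[\s"\'])[-/](e[a-z]*)\s+([A-Za-z0-9+/]+={0,2})', re.I)
WMIC_RE = re.compile(r'^\s*"?(?:[^"\s\\]*\\)*wmic(?:\.exe)?"?\s', re.I)

def decode_encoded_command(blob: str) -> str | None:
    """PowerShell base64-encodes the script as UTF-16LE; decoding the bytes as
    UTF-8 instead leaves a NUL after every character, which defeats string matches."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_encoded_command(cmdline: str) -> tuple[str, str] | None:
    """Return (switch, base64) for the first genuine EncodedCommand switch, else None."""
    for switch, blob in SWITCH_RE.findall(cmdline):
        if "encodedcommand".startswith(switch.lower()):
            return switch, blob
    return None

def hunt(cmdlines: list[str]) -> list[dict]:
    """WMIC process-creation lines carrying an encoded PowerShell command, decoded for triage."""
    findings = []
    for line in cmdlines:
        if not WMIC_RE.match(line) or "process call create" not in line.lower():
            continue
        hit = find_encoded_command(line)
        if hit:
            findings.append({"cmdline": line, "switch": hit[0], "encoded": hit[1],
                             "decoded": decode_encoded_command(hit[1])})
    return findings
```

Running `hunt(SAMPLE_COMMAND_LINES)` returns two findings (the -EncodedCommand and -enc lines); the -ExecutionPolicy line is skipped because "ExecutionPolicy" is not a prefix of EncodedCommand, even though its argument "Bypass" looks like base64.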

### Details

- Author: Alex Verboon
- Released: September 17, 2025
- Tables: DeviceProcessEvents
