reference WMI statements

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: reference WMI statements
    namespace: collection/database/wmi
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Collection::Data from Information Repositories [T1213]
    examples:
      - al-khaser_x86.exe_:0x433490
  features:
    - or:
      - string: /SELECT\s+\*\s+FROM\s+CIM_.+/
      - string: /SELECT\s+\*\s+FROM\s+Win32_.+/
      - string: /SELECT\s+\*\s+FROM\s+MSAcpi_.+/

last edited: 2026-05-22 14:14:25