WMI Remote Execution Flow

Interactive visualization of WMI-based lateral movement. Traces how an attacker uses WMI to execute commands on a remote host, the protocols involved, and the forensic artifacts left behind.

By Mohamed Habib Jaouadi, December 1, 2025
Tags: #wmi #lateral-movement #living-off-the-land #windows #red-team #forensics
WMI Remote Flow & Behavioral Anomaly
Visualizing Lateral Movement and Process Ancestry Detection

RPC / DCOM Communication Flow

[Diagram: Admin-Station -> DC-PROD-01 (10.0.0.100). First hop: TCP 135, RPC Endpoint Mapper. Second hop: TCP 49152+, dynamic DCOM port.]

Behavioral Anomaly: Process Ancestry (Event ID 1)

Contextual Detection

WMI activity itself is common, but the Parent Process of WmiPrvSE.exe provides critical context. Legitimate management tools use standard system service hosts, while attackers often pivot from user-space applications.

Expected parent: svchost.exe (RPCSS)
Anomalous parent: WINWORD.EXE, EXCEL.EXE

[Process tree shown in the visualization: svchost.exe (DCOM), the RPC/DCOM service host -> WmiPrvSE.exe, WMI Provider Host (worker) -> powershell.exe running Check-SystemUpdate.ps1]
Normal Operation Baseline

In standard administration, WmiPrvSE.exe is a child of the RPC Service host. Establishing this baseline is the first step in being able to detect malicious WMI lateral movement.
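The baseline check described above, as an added example that is not part of the original post: it evaluates constructed Sysmon Event ID 1 (ProcessCreate) records against the expected WmiPrvSE.exe parent and also lists what WmiPrvSE.exe itself spawned. Field names mirror Sysmon's ProcessCreate event; all paths and command lines in the sample are made up.

```python
# Added example (not from the original post): evaluate constructed Sysmon
# Event ID 1 (ProcessCreate) records against the post's WmiPrvSE.exe ancestry
# baseline. Field names mirror Sysmon's ProcessCreate event; values are made up.
from pathlib import PureWindowsPath

# Baseline from the post: WmiPrvSE.exe is normally a child of the RPC/DCOM
# service host, svchost.exe. Any other parent deserves a closer look.
EXPECTED_WMIPRVSE_PARENTS = {"svchost.exe"}

# Constructed sample events: a normal launch, an anomalous launch, the command
# WMI actually ran, and unrelated noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wmiprvse.exe"},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "wmiprvse.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -File Check-SystemUpdate.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


def image_name(path):
    """Case-insensitive basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def is_anomalous_wmiprvse(event):
    """True when WmiPrvSE.exe was started by something other than svchost.exe."""
    if image_name(event["Image"]) != "wmiprvse.exe":
        return False
    return image_name(event["ParentImage"]) not in EXPECTED_WMIPRVSE_PARENTS


def wmi_spawned_commands(events):
    """Command lines of processes whose parent is WmiPrvSE.exe (the WMI payload)."""
    return [e["CommandLine"] for e in events
            if image_name(e["ParentImage"]) == "wmiprvse.exe"]


def triage(events):
    """Return (anomalous WmiPrvSE.exe parent names, commands spawned via WMI)."""
    anomalies = [image_name(e["ParentImage"]) for e in events
                 if is_anomalous_wmiprvse(e)]
    return anomalies, wmi_spawned_commands(events)
```

Running `triage(SAMPLE_EVENTS)` flags the WINWORD.EXE parent and surfaces the PowerShell command that WmiPrvSE.exe launched, which is the context an analyst needs next.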