Enumeration Command Spawned via WMIPrvSE
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
Provider Service (WMIPrvSE).
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
  process.name:
  (
    "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe",
    "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
    "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe"
  ) and
  process.parent.name:"wmiprvse.exe" and
  not (
    process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
    process.args : ("demand", "disabled")
  ) and
  not process.args : "tenable_mw_scan"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Enumeration Command Spawned via WMIPrvSE

Windows Management Instrumentation (WMI) is a powerful framework for managing data and operations on Windows systems. Adversaries exploit WMI to execute enumeration commands stealthily, leveraging the WMI Provider Service (WMIPrvSE) to gather system and network information. The detection rule identifies suspicious command executions initiated by WMIPrvSE, focusing on common enumeration tools while excluding benign use cases, thus highlighting potential malicious activity.

### Possible investigation steps

- Review the process command line details to understand the specific enumeration command executed and its arguments, focusing on the process.command_line field.
- Investigate the parent process to confirm it is indeed WMIPrvSE by examining the process.parent.name field, ensuring the execution context aligns with potential misuse of WMI.
- Check the user context under which the process was executed to determine if it aligns with expected administrative activity or if it suggests unauthorized access.
- Correlate the event with other logs or alerts from the same host to identify any preceding or subsequent suspicious activities, such as lateral movement or privilege escalation attempts.
- Assess the network activity from the host around the time of the alert to identify any unusual outbound connections or data exfiltration attempts.
- Verify if the process execution is part of a known and legitimate administrative task or script by consulting with system administrators or reviewing change management records.

### False positive analysis

- Routine administrative tasks using WMI may trigger the rule, such as network configuration checks or system diagnostics. To manage this, identify and exclude specific command patterns or arguments that are part of regular maintenance.
- Security tools like Tenable may use WMI for legitimate scans, which can be mistaken for malicious activity. Exclude processes with arguments related to known security tools, such as "tenable_mw_scan".
- Automated scripts or scheduled tasks that perform system enumeration for inventory or monitoring purposes can cause false positives. Review and whitelist these scripts by excluding their specific command lines or parent processes.
- Certain enterprise applications may use WMI for legitimate operations, such as querying system information. Identify these applications and create exceptions based on their process names or command line arguments.
- Regular use of network utilities by IT staff for troubleshooting can be flagged. Implement exclusions for known IT user accounts or specific command line patterns used during these activities.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified as being spawned by WMIPrvSE, especially those matching the enumeration tools listed in the detection query.
- Conduct a thorough review of recent WMI activity on the affected system to identify any additional unauthorized or suspicious commands executed.
- Reset credentials for any accounts that may have been compromised or used in the suspicious activity to prevent further unauthorized access.
- Restore the system from a known good backup if any malicious activity is confirmed and cannot be remediated through other means.
- Implement additional monitoring on the affected system and network to detect any recurrence of similar suspicious activities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"


[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"

[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
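To see exactly which process-start events the query above alerts on, and how its two exclusions (the `sc.exe ... RemoteRegistry start= demand|disabled` case and the `tenable_mw_scan` argument) carve out the documented false positives, here is the rule's EQL filter re-expressed in Python and run over constructed ECS-style events. This is an added example, not code from the Elastic rule or the detection-rules repository. It assumes events are flat dicts keyed by ECS field name (`process.name`, `process.parent.name`, `process.args`, `process.command_line`), and when `process.args` is absent it splits the command line on whitespace, whereas a real pipeline supplies `process.args` already tokenised.

```python
"""Added example, not code from the Elastic rule or the detection-rules
repository: the rule's EQL filter re-expressed in Python and run over
constructed ECS-style process-start events, so the match conditions and
both exclusions can be checked offline.

Assumptions: events are flat dicts keyed by ECS field name; when
process.args is absent the command line is split on whitespace (a real
pipeline supplies process.args already tokenised)."""

# The process.name list from the rule's query, lower-cased for comparison
# (EQL's ':' operator is case-insensitive on keyword fields).
ENUMERATION_BINARIES = {
    "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe",
    "ipconfig.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
    "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
    "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe",
    "tracert.exe", "whoami.exe",
}


def has_arg(args, value):
    """Mimic `process.args : "value"`: case-insensitive equality on any element."""
    return any(a.lower() == value.lower() for a in args)


def process_args(event):
    """Return process.args, falling back to a whitespace split of the command line."""
    args = event.get("process.args")
    return list(args) if args else event["process.command_line"].split()


def is_remote_registry_exclusion(name, args):
    """First exclusion: `sc.exe ... RemoteRegistry start= demand|disabled`."""
    return (
        name == "sc.exe"
        and has_arg(args, "RemoteRegistry")
        and has_arg(args, "start=")
        and (has_arg(args, "demand") or has_arg(args, "disabled"))
    )


def matches_rule(event):
    """True when the event satisfies the rule's `process where ...` query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.command_line") is None:  # process.command_line != null
        return False
    name = (event.get("process.name") or "").lower()
    parent = (event.get("process.parent.name") or "").lower()
    if name not in ENUMERATION_BINARIES or parent != "wmiprvse.exe":
        return False
    args = process_args(event)
    if is_remote_registry_exclusion(name, args):
        return False
    if has_arg(args, "tenable_mw_scan"):  # second exclusion
        return False
    return True


def make_event(name, parent, command_line, event_type="start"):
    """Build a constructed ECS-style process event (sample data, not real telemetry)."""
    return {
        "host.os.type": "windows",
        "event.type": event_type,
        "process.name": name,
        "process.parent.name": parent,
        "process.command_line": command_line,
    }


# Constructed sample events covering a hit, each exclusion, and the guards.
SAMPLE_EVENTS = [
    make_event("whoami.exe", "wmiprvse.exe", "whoami.exe /all"),             # alert
    make_event("net.exe", "cmd.exe", "net.exe user"),                        # wrong parent
    make_event("sc.exe", "wmiprvse.exe",
               "sc.exe config RemoteRegistry start= demand"),                # exclusion 1
    make_event("systeminfo.exe", "wmiprvse.exe",
               "systeminfo.exe tenable_mw_scan"),                            # exclusion 2
    make_event("ipconfig.exe", "WmiPrvSE.exe", "ipconfig.exe /all"),         # alert (case-insensitive parent)
    make_event("sc.exe", "wmiprvse.exe",
               "sc.exe config RemoteRegistry start= auto"),                  # alert: not covered by exclusion 1
    make_event("tasklist.exe", "wmiprvse.exe", None),                        # null command line
    make_event("netstat.exe", "wmiprvse.exe", "netstat.exe -ano", "end"),    # not a start event
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the command lines of the events the rule would alert on."""
    return [e["process.command_line"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule():
        print("ALERT:", hit)
```

Running it over the sample set yields three alerts: the `whoami.exe` and `ipconfig.exe` starts, and the `sc.exe config RemoteRegistry start= auto` start, which the first exclusion deliberately does not cover because only `demand` and `disabled` are listed. That is the shape any tuning exception should follow: exclude the exact argument pattern of the known-benign job (as the rule does for `tenable_mw_scan`) rather than the whole binary, so the remaining `sc.exe`/`reg.exe`/`net.exe` uses under `wmiprvse.exe` still surface.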
Related rules
- Command Execution via SolarWinds Process
- Control Panel Process with Unusual Arguments
- Execution of COM object via Xwizard
- ImageLoad via Windows Update Auto Update Client
- Microsoft Build Engine Started by a System Process