Enumeration Command Spawned via WMIPrvSE
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).
[metadata]
creation_date = "2021/01/19"
# Integrations whose process-start telemetry this rule consumes. Each entry has a matching
# index pattern in [rule].index; the list is the contract for where the rule may fire.
integration = [
  "endpoint",
  "windows",
  "system",
  "m365_defender",
  "sentinel_one_cloud_funnel",
  "crowdstrike",
]
maturity = "production"
updated_date = "2024/10/31"
# Floor on the stack version this rule package supports (see min_stack_comments for why).
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
Provider Service (WMIPrvSE).
"""
# Look-back window per run. Because timestamp_override is event.ingested, the window is
# measured against ingest time rather than the event's own timestamp, so late-arriving
# events are not missed; presumably sized as schedule interval plus ingest lag - confirm.
from = "now-9m"
# Process-event indices for every integration named in [metadata].integration, plus
# Winlogbeat, Elastic Endgame and the Windows/Sysmon integration streams.
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-system.security*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
# Low: every binary in the query is a legitimate admin/ops tool; the only signal is the
# parent process (wmiprvse.exe), so this is a triage/hunting lead, not a high-confidence alert.
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: System",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

# How the query filters, and what a practitioner should know about each clause:
#  - `process.command_line != null`: a process-start event without a command line is
#    dropped outright, so a data source that does not populate process.command_line can
#    never match; verify the field is populated for each source in `index` before relying
#    on this rule there.
#  - `process.name` list: matched by file name only. reg.exe, netsh.exe and sc.exe can
#    also change configuration, and their arguments are not inspected (only the sc.exe
#    exclusion below looks at args), so the rule fires on changes made via WMI as well as
#    on pure enumeration.
#  - `process.parent.name : "wmiprvse.exe"`: the WMI-execution signal (T1047). The parent
#    is matched by name only; there is no parent path/executable check.
#  - First exclusion: sc.exe invocations whose args contain `RemoteRegistry`, `start=` and
#    `demand` or `disabled` (i.e. `sc config RemoteRegistry start= demand|disabled`).
#    NOTE(review): looks like a service reset done by remote scanning/management tooling
#    after a WMI session - confirm the origin before keeping it.
#  - Second exclusion: any candidate whose argument list contains the exact token
#    `tenable_mw_scan` is exempt. This is an unscoped allow-list - it is not tied to a user,
#    parent or path - so anything that passes that token on its command line is silently
#    ignored. If the exclusion must stay, scope it (e.g. to the scanner's service account or
#    parent process). Treat every exclusion here as a bypass an adversary who has read the
#    rule could satisfy.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
  process.name:
  (
    "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe",
    "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
    "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe"
  ) and
  process.parent.name:"wmiprvse.exe" and
  not (
    process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
    process.args : ("demand", "disabled")
  ) and
  not process.args : "tenable_mw_scan"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
# Execution mapping: the parent wmiprvse.exe is the WMI provider host, so a child process
# spawned by it is evidence of command execution through WMI (T1047). This is the clause
# that carries the detection signal; the child binaries only characterise what was run.
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
# Discovery techniques covered by the enumeration binaries in the query. The per-binary
# reading below is the reviewer's, not something the rule records: ipconfig/arp/netsh ->
# network configuration; ping/tracert -> internet connection discovery; nltest/nbtstat ->
# remote systems; tasklist/qprocess -> processes; net/quser/qwinsta/dsquery/dsget -> accounts.
# NOTE(review): whoami.exe, hostname.exe and systeminfo.exe (System Owner/User Discovery,
# System Information Discovery), netstat.exe (System Network Connections Discovery),
# gpresult.exe (Group Policy Discovery) and sc.exe (System Service Discovery) are in the
# query but have no technique entry here; consider adding them so the mapping reflects the
# rule's actual coverage (confirm IDs against the current ATT&CK matrix).
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"


[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"

[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
Related rules
- Command Execution via SolarWinds Process
- Potential Foxmail Exploitation
- Process Activity via Compiled HTML File
- Suspicious Cmd Execution via WMI
- Suspicious PDF Reader Child Process