Enumeration Command Spawned via WMIPrvSE

  1[metadata]
  2creation_date = "2021/01/19"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
 11Provider Service (WMIPrvSE).
 12"""
 13from = "now-9m"
 14index = [
 15    "endgame-*",
 16    "logs-crowdstrike.fdr*",
 17    "logs-endpoint.events.process-*",
 18    "logs-m365_defender.event-*",
 19    "logs-sentinel_one_cloud_funnel.*",
 20    "logs-system.security*",
 21    "logs-windows.forwarded*",
 22    "logs-windows.sysmon_operational-*",
 23    "winlogbeat-*",
 24]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Enumeration Command Spawned via WMIPrvSE"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 32
 33### Investigating Enumeration Command Spawned via WMIPrvSE
 34
 35Windows Management Instrumentation (WMI) is a powerful framework for managing data and operations on Windows systems. Adversaries exploit WMI to execute enumeration commands stealthily, leveraging the WMI Provider Service (WMIPrvSE) to gather system and network information. The detection rule identifies suspicious command executions initiated by WMIPrvSE, focusing on common enumeration tools while excluding benign use cases, thus highlighting potential malicious activity.
 36
 37### Possible investigation steps
 38
 39- Review the process command line details to understand the specific enumeration command executed and its arguments, focusing on the process.command_line field.
 40- Investigate the parent process to confirm it is indeed WMIPrvSE by examining the process.parent.name field, ensuring the execution context aligns with potential misuse of WMI.
 41- Check the user context under which the process was executed to determine if it aligns with expected administrative activity or if it suggests unauthorized access.
 42- Correlate the event with other logs or alerts from the same host to identify any preceding or subsequent suspicious activities, such as lateral movement or privilege escalation attempts.
 43- Assess the network activity from the host around the time of the alert to identify any unusual outbound connections or data exfiltration attempts.
 44- Verify if the process execution is part of a known and legitimate administrative task or script by consulting with system administrators or reviewing change management records.
 45
 46### False positive analysis
 47
 48- Routine administrative tasks using WMI may trigger the rule, such as network configuration checks or system diagnostics. To manage this, identify and exclude specific command patterns or arguments that are part of regular maintenance.
 49- Security tools like Tenable may use WMI for legitimate scans, which can be mistaken for malicious activity. Exclude processes with arguments related to known security tools, such as "tenable_mw_scan".
 50- Automated scripts or scheduled tasks that perform system enumeration for inventory or monitoring purposes can cause false positives. Review and whitelist these scripts by excluding their specific command lines or parent processes.
 51- Certain enterprise applications may use WMI for legitimate operations, such as querying system information. Identify these applications and create exceptions based on their process names or command line arguments.
 52- Regular use of network utilities by IT staff for troubleshooting can be flagged. Implement exclusions for known IT user accounts or specific command line patterns used during these activities.
 53
 54### Response and remediation
 55
 56- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 57- Terminate any suspicious processes identified as being spawned by WMIPrvSE, especially those matching the enumeration tools listed in the detection query.
 58- Conduct a thorough review of recent WMI activity on the affected system to identify any additional unauthorized or suspicious commands executed.
 59- Reset credentials for any accounts that may have been compromised or used in the suspicious activity to prevent further unauthorized access.
 60- Restore the system from a known good backup if any malicious activity is confirmed and cannot be remediated through other means.
 61- Implement additional monitoring on the affected system and network to detect any recurrence of similar suspicious activities.
 62- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems."""
 63risk_score = 21
 64rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 65severity = "low"
 66tags = [
 67    "Domain: Endpoint",
 68    "OS: Windows",
 69    "Use Case: Threat Detection",
 70    "Tactic: Execution",
 71    "Data Source: Elastic Endgame",
 72    "Data Source: Elastic Defend",
 73    "Data Source: Windows Security Event Logs",
 74    "Data Source: Microsoft Defender for Endpoint",
 75    "Data Source: Sysmon",
 76    "Data Source: SentinelOne",
 77    "Data Source: Crowdstrike",
 78    "Resources: Investigation Guide",
 79]
 80timestamp_override = "event.ingested"
 81type = "eql"
 82
 83query = '''
 84process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
 85  process.name:
 86  (
 87    "arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe",
 88    "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", "quser.exe",
 89    "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe"
 90  ) and
 91  process.parent.name:"wmiprvse.exe" and
 92  not (
 93    process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
 94    process.args : ("demand", "disabled")
 95  ) and
 96  not process.args : "tenable_mw_scan"
 97'''
 98
 99
100[[rule.threat]]
101framework = "MITRE ATT&CK"
102[[rule.threat.technique]]
103id = "T1047"
104name = "Windows Management Instrumentation"
105reference = "https://attack.mitre.org/techniques/T1047/"
106
107
108[rule.threat.tactic]
109id = "TA0002"
110name = "Execution"
111reference = "https://attack.mitre.org/tactics/TA0002/"
112[[rule.threat]]
113framework = "MITRE ATT&CK"
114[[rule.threat.technique]]
115id = "T1016"
116name = "System Network Configuration Discovery"
117reference = "https://attack.mitre.org/techniques/T1016/"
118[[rule.threat.technique.subtechnique]]
119id = "T1016.001"
120name = "Internet Connection Discovery"
121reference = "https://attack.mitre.org/techniques/T1016/001/"
122
123
124[[rule.threat.technique]]
125id = "T1018"
126name = "Remote System Discovery"
127reference = "https://attack.mitre.org/techniques/T1018/"
128
129[[rule.threat.technique]]
130id = "T1057"
131name = "Process Discovery"
132reference = "https://attack.mitre.org/techniques/T1057/"
133
134[[rule.threat.technique]]
135id = "T1087"
136name = "Account Discovery"
137reference = "https://attack.mitre.org/techniques/T1087/"
138
139[[rule.threat.technique]]
140id = "T1518"
141name = "Software Discovery"
142reference = "https://attack.mitre.org/techniques/T1518/"
143
144
145[rule.threat.tactic]
146id = "TA0007"
147name = "Discovery"
148reference = "https://attack.mitre.org/tactics/TA0007/"