Enumeration Command Spawned via WMIPrvSE
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).
# Elastic prebuilt detection rule. Layout follows the detection-rules repository
# convention: a [metadata] header, the [rule] body, then one [[rule.threat]]
# element per mapped ATT&CK tactic.
[metadata]
creation_date = "2021/01/19"
# Integrations whose data streams this rule is expected to run against.
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
Provider Service (WMIPrvSE).
"""
# Lookback window for each scheduled execution. Because `timestamp_override`
# (below) switches evaluation to `event.ingested`, the window is measured
# against ingest time rather than the event's own @timestamp.
from = "now-9m"
# Index patterns the query is executed against.
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.*",
  "endgame-*",
  "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
# 21 is the conventional risk score for `severity = "low"` in Elastic rules;
# keep the two in step if either is tuned.
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
]
# Evaluate on ingest time so late-arriving events inside the `from` window are
# not missed. Requires `event.ingested` to be populated (see `setup`).
timestamp_override = "event.ingested"
type = "eql"

# Matches Windows process-start events with a non-null command line where the
# process is one of the listed built-in enumeration utilities and its parent is
# wmiprvse.exe. Note that the EQL `:` operator is a case-insensitive string
# match, so casing differences in `process.name` / `process.parent.name` do not
# matter here.
#
# Two exclusions reduce benign noise:
#   - sc.exe reconfiguring the RemoteRegistry service start type to
#     "demand"/"disabled";
#   - any process carrying the argument "tenable_mw_scan" (presumably Tenable
#     vulnerability-scanner activity — confirm against the environment).
# Both are keyed on `process.args`, which is supplied by the launched process
# itself, so they are weaker than exclusions keyed on the parent or on a code
# signature; review them when tuning rather than widening them further.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
  process.name:
  (
    "arp.exe",
    "dsquery.exe",
    "dsget.exe",
    "gpresult.exe",
    "hostname.exe",
    "ipconfig.exe",
    "nbtstat.exe",
    "net.exe",
    "net1.exe",
    "netsh.exe",
    "netstat.exe",
    "nltest.exe",
    "ping.exe",
    "qprocess.exe",
    "quser.exe",
    "qwinsta.exe",
    "reg.exe",
    "sc.exe",
    "systeminfo.exe",
    "tasklist.exe",
    "tracert.exe",
    "whoami.exe"
  ) and
  process.parent.name:"wmiprvse.exe" and
  not (
    process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
    process.args : ("demand", "disabled")
  ) and
  not process.args : "tenable_mw_scan"
'''


# First ATT&CK mapping: Execution via WMI. The [[rule.threat.technique]]
# entries and the [rule.threat.tactic] sub-table below belong to this
# [[rule.threat]] element and must stay between it and the next one.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Second ATT&CK mapping: Discovery. The enumeration utilities in the query
# span several discovery techniques, listed here.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"
# Sub-technique of the T1016 entry immediately above.
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"


[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"

[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"