Enumeration Command Spawned via WMIPrvSE
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).
# Elastic prebuilt detection rule: native enumeration commands whose parent
# process is the WMI Provider Service (wmiprvse.exe).
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
Provider Service (WMIPrvSE).
"""
# Lookback window. Because of timestamp_override below it is measured against
# event.ingested rather than @timestamp; the setup text explains the
# pre-8.2 caveat for non-agent indices.
from = "now-9m"
# The query requires process.command_line != null, so a source only matches
# when it records the command line. NOTE(review): for events arriving via
# logs-system.security* (Windows Security log) confirm that process
# command-line auditing is enabled on the forwarding hosts, otherwise those
# events are filtered out by the null check.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.*",
    "endgame-*",
    "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
# Low score / severity: the matched binaries are ordinary admin tooling; the
# signal comes from the wmiprvse.exe parent, and known benign producers are
# carved out inside the query rather than by raising the threshold.
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
# NOTE(review): rule.threat below also maps tactic TA0007 (Discovery), but
# only "Tactic: Execution" is tagged here — confirm whether a
# "Tactic: Discovery" tag is intended.
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Process-start events for a fixed list of host/network enumeration binaries
# whose parent is wmiprvse.exe. Two exclusions follow the list:
#   1. sc.exe changing the RemoteRegistry service start type to demand/disabled
#   2. any process carrying the "tenable_mw_scan" argument
# Both exclusions key on command-line tokens alone (no parent, user or path
# constraint), so they are broad carve-outs; review them when tuning.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
 process.name:
 (
 "arp.exe",
 "dsquery.exe",
 "dsget.exe",
 "gpresult.exe",
 "hostname.exe",
 "ipconfig.exe",
 "nbtstat.exe",
 "net.exe",
 "net1.exe",
 "netsh.exe",
 "netstat.exe",
 "nltest.exe",
 "ping.exe",
 "qprocess.exe",
 "quser.exe",
 "qwinsta.exe",
 "reg.exe",
 "sc.exe",
 "systeminfo.exe",
 "tasklist.exe",
 "tracert.exe",
 "whoami.exe"
 ) and
 process.parent.name:"wmiprvse.exe" and
 not (
 process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
 process.args : ("demand", "disabled")
 ) and
 not process.args : "tenable_mw_scan"
'''

# MITRE mapping 1/2 — Execution: WMI is the spawning mechanism (T1047).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# MITRE mapping 2/2 — Discovery: what the listed binaries are used for.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"

[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"

[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"

[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"