Enumeration Command Spawned via WMIPrvSE

Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE). WMIPrvSE is the parent of processes created through WMI (for example a remote `Win32_Process.Create` call), so built-in discovery utilities running under it are a common sign of remote execution or post-compromise reconnaissance over WMI, although legitimate administrative tooling that drives WMI can produce the same parent/child pattern.


  1[metadata]
  2creation_date = "2021/01/19"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.3.0"
  7updated_date = "2023/06/22"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
 13Provider Service (WMIPrvSE).
 14"""
 15from = "now-9m"
 16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Enumeration Command Spawned via WMIPrvSE"
 20note = """## Setup
 21
 22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 23"""
 24risk_score = 21
 25rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 26severity = "low"
 27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 28timestamp_override = "event.ingested"
 29type = "eql"
 30
 31query = '''
 32process where host.os.type == "windows" and event.type == "start" and
 33  process.name:
 34  (
 35    "arp.exe",
 36    "dsquery.exe",
 37    "dsget.exe",
 38    "gpresult.exe",
 39    "hostname.exe",
 40    "ipconfig.exe",
 41    "nbtstat.exe",
 42    "net.exe",
 43    "net1.exe",
 44    "netsh.exe",
 45    "netstat.exe",
 46    "nltest.exe",
 47    "ping.exe",
 48    "qprocess.exe",
 49    "quser.exe",
 50    "qwinsta.exe",
 51    "reg.exe",
 52    "sc.exe",
 53    "systeminfo.exe",
 54    "tasklist.exe",
 55    "tracert.exe",
 56    "whoami.exe"
 57  ) and
 58  process.parent.name:"wmiprvse.exe"
 59'''
 60
 61
 62[[rule.threat]]
 63framework = "MITRE ATT&CK"
 64[[rule.threat.technique]]
 65id = "T1047"
 66name = "Windows Management Instrumentation"
 67reference = "https://attack.mitre.org/techniques/T1047/"
 68
 69
 70[rule.threat.tactic]
 71id = "TA0002"
 72name = "Execution"
 73reference = "https://attack.mitre.org/tactics/TA0002/"
 74[[rule.threat]]
 75framework = "MITRE ATT&CK"
 76[[rule.threat.technique]]
 77id = "T1018"
 78name = "Remote System Discovery"
 79reference = "https://attack.mitre.org/techniques/T1018/"
 80
 81[[rule.threat.technique]]
 82id = "T1087"
 83name = "Account Discovery"
 84reference = "https://attack.mitre.org/techniques/T1087/"
 85
 86[[rule.threat.technique]]
 87id = "T1518"
 88name = "Software Discovery"
 89reference = "https://attack.mitre.org/techniques/T1518/"
 90
 91[[rule.threat.technique]]
 92id = "T1016"
 93name = "System Network Configuration Discovery"
 94reference = "https://attack.mitre.org/techniques/T1016/"
 95[[rule.threat.technique.subtechnique]]
 96id = "T1016.001"
 97name = "Internet Connection Discovery"
 98reference = "https://attack.mitre.org/techniques/T1016/001/"
 99
100[[rule.threat.technique]]
101id = "T1057"
102name = "Process Discovery"
103reference = "https://attack.mitre.org/techniques/T1057/"
104
105[rule.threat.tactic]
106id = "TA0007"
107name = "Discovery"
108reference = "https://attack.mitre.org/tactics/TA0007/"

Setup

If you enable this EQL rule on an index that is not populated by Elastic Agent (for example a Beats index) on a stack version earlier than 8.2, the events will not carry `event.ingested`, and the default fallback to `@timestamp` for EQL rules was only added in 8.2. On those versions you must add a custom ingest pipeline that copies `@timestamp` into `event.ingested`; otherwise the rule, whose `timestamp_override` is `event.ingested`, will not work.
