Enumeration Command Spawned via WMIPrvSE

Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).


# Elastic prebuilt detection rule: flags native Windows enumeration utilities
# whose parent process is the WMI Provider Host (wmiprvse.exe).
# [metadata] is consumed by the rule-repository tooling; [rule] is the rule
# definition the detection engine loads.
[metadata]
creation_date = "2021/01/19"
# Integrations whose data streams the rule is expected to read (see `index` in [rule]).
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Lowest stack version this rule targets; presumably tied to the fields named in
# min_stack_comments - confirm against the rule-repository schema.
min_stack_version = "8.3.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation
Provider Service (WMIPrvSE).
"""
# Look-back window per rule execution. Works together with timestamp_override
# below; the setup text explains why `event.ingested` must exist for this to work.
from = "now-9m"
# Data streams queried: Elastic Defend process events, Winlogbeat / Windows
# integration logs, Endgame, and (judging by the name) the system integration's
# Windows Security stream.
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration Command Spawned via WMIPrvSE"
# Low score / severity: the exclusions in the query show that routine management
# and vulnerability-scanning activity produces the same process trees, so a hit
# is a lead to triage rather than a confirmed intrusion.
risk_score = 21
rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = ["Domain: Endpoint",
        "OS: Windows",
        "Use Case: Threat Detection",
        "Tactic: Execution",
        "Data Source: Elastic Endgame",
        "Data Source: Elastic Defend"
        ]
# Evaluate the `from` window against ingest time rather than event time, so
# events that reach the cluster late are still seen by the rule (see setup text).
timestamp_override = "event.ingested"
type = "eql"

# Query logic (EQL; `:` is a case-insensitive match, `==` is exact):
#   - Windows process start events that carry a command line
#     (events without process.command_line are ignored);
#   - the image is one of the listed native host / network / directory
#     enumeration tools;
#   - the parent image is wmiprvse.exe;
#   - excluding sc.exe setting the RemoteRegistry service start type to
#     demand/disabled, and any invocation carrying the "tenable_mw_scan" argument
#     (both read as known benign scanner / management behaviour - confirm with
#     rule history before widening or narrowing them).
# NOTE(review): only the parent's image name is checked; events where
# process.parent.name is not populated will not match.
# Keep comments outside the literal string below - its bytes are the query itself.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and 
  process.name:
  (
    "arp.exe",
    "dsquery.exe",
    "dsget.exe",
    "gpresult.exe",
    "hostname.exe",
    "ipconfig.exe",
    "nbtstat.exe",
    "net.exe",
    "net1.exe",
    "netsh.exe",
    "netstat.exe",
    "nltest.exe",
    "ping.exe",
    "qprocess.exe",
    "quser.exe",
    "qwinsta.exe",
    "reg.exe",
    "sc.exe",
    "systeminfo.exe",
    "tasklist.exe",
    "tracert.exe",
    "whoami.exe"
  ) and
  process.parent.name:"wmiprvse.exe" and 
  not (
    process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and 
    process.args : ("demand", "disabled")
  ) and
  not process.args : "tenable_mw_scan"
'''

# ATT&CK mappings. Each [[rule.threat]] element holds one tactic plus the
# techniques mapped under it; [rule.threat.tactic] is a sub-table of the
# [[rule.threat]] element it follows.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# Second mapping: the spawned utilities themselves are Discovery techniques.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"

[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"

[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"

# Sub-technique of the T1016 entry directly above.
[[rule.threat.technique.subtechnique]]
id = "T1016.001"
name = "Internet Connection Discovery"
reference = "https://attack.mitre.org/techniques/T1016/001/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
