Suspicious WMI Image Load from MS Office
Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/17"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate
13adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can
14be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Suspicious WMI Image Load from MS Office"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25references = [
26 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
27]
28risk_score = 21
29rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
30severity = "low"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36any where host.os.type == "windows" and
37 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
38 process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
39 (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll")
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1047"
47name = "Windows Management Instrumentation"
48reference = "https://attack.mitre.org/techniques/T1047/"
49
50
51[rule.threat.tactic]
52id = "TA0002"
53name = "Execution"
54reference = "https://attack.mitre.org/tactics/TA0002/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More
Related rules
- Command Execution via SolarWinds Process
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Enumeration Command Spawned via WMIPrvSE
- Execution from Unusual Directory - Command Line