Suspicious WMI Image Load from MS Office
Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
Elastic rule
[metadata]
creation_date = "2020/11/17"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate
adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can
be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMI Image Load from MS Office"
references = [
  "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
]
risk_score = 21
rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and
 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
 (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious WMI Image Load from MS Office

Windows Management Instrumentation (WMI) is a powerful framework for managing data and operations on Windows systems. Adversaries exploit WMI to execute code stealthily, bypassing traditional security measures by spawning processes indirectly. The detection rule identifies unusual loading of the `wmiutils.dll` library by Microsoft Office applications, signaling potential misuse of WMI for malicious execution. This rule leverages event categories and process names to pinpoint suspicious activity, aiding in early threat detection.

### Possible investigation steps

- Review the alert details to confirm the specific Microsoft Office process involved (e.g., WINWORD.EXE, EXCEL.EXE) and the associated event category (library, driver, or process).
- Check the process execution history to determine if the process has a legitimate reason to load the wmiutils.dll library, such as recent updates or legitimate automation tasks.
- Investigate the parent process of the flagged Microsoft Office application to identify any unusual or unexpected parent-child process relationships that could indicate malicious activity.
- Analyze recent user activity on the affected system to identify any suspicious behavior or unauthorized access that might correlate with the alert.
- Examine network connections and data transfers initiated by the flagged process to detect any potential data exfiltration or communication with known malicious IP addresses.
- Cross-reference the alert with other security logs and alerts to identify any patterns or additional indicators of compromise that might suggest a broader attack campaign.

### False positive analysis

- Legitimate use of WMI by Microsoft Office applications for automation tasks or system management can trigger the rule. Users should verify if the activity aligns with expected administrative tasks.
- Some third-party plugins or add-ins for Microsoft Office may load wmiutils.dll for legitimate purposes. Users can create exceptions for these known plugins after confirming their benign nature.
- Scheduled tasks or scripts that utilize WMI for legitimate business processes might cause false positives. Review and document these processes, then exclude them from the rule if they are verified as non-threatening.
- Security or monitoring tools that interact with Office applications and use WMI for data collection could be flagged. Ensure these tools are recognized and excluded from the rule after validation.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious Microsoft Office processes identified in the alert that are loading the `wmiutils.dll` library.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious code or files.
- Review and analyze the system's WMI repository and scripts for unauthorized or suspicious entries, and remove any that are identified as malicious.
- Restore the system from a known good backup if malicious activity has compromised system integrity or data.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for WMI activity and Microsoft Office processes to detect similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
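To make the query's matching behaviour concrete, the following is an added Python re-implementation of its predicates run over constructed sample events. It is not the rule's own code and not how Elastic evaluates EQL; it models the `:` operator (case-insensitive, `*` wildcards), the `?dll.name` optional-field syntax (a missing field is simply no match, not an error) and the two places the module name can live (`dll.name` for Elastic Defend/Endgame library events, `file.name` for Sysmon image-load events). It also models the `set` processor the setup note asks for on pre-8.2 Beats indices, copying `@timestamp` into `event.ingested`; that pipeline shape is an assumption for this example, and every sample event is constructed, not real telemetry.

```python
import copy
from fnmatch import fnmatchcase

# Process names and DLL from the rule's query; compared case-insensitively like EQL's ':'
OFFICE_PROCESSES = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE")
TARGET_DLL = "wmiutils.dll"


def get_field(event, dotted):
    """Read a dotted ECS field ('process.name') from a nested dict.
    Returns None when any segment is absent, which models EQL's optional
    field syntax (?dll.name): a missing field is not an error."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def ci_match(value, pattern):
    """EQL ':' operator: case-insensitive comparison with '*' wildcards."""
    return isinstance(value, str) and fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event):
    """Apply the rule's EQL predicates to one event dict; True means the rule would alert."""
    if get_field(event, "host.os.type") != "windows":
        return False
    category = get_field(event, "event.category")
    categories = category if isinstance(category, list) else [category]
    # event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")
    is_image_load = any(ci_match(c, "library") or ci_match(c, "driver") for c in categories) or (
        "process" in categories and ci_match(get_field(event, "event.action"), "Image loaded*")
    )
    if not is_image_load:
        return False
    if not any(ci_match(get_field(event, "process.name"), p) for p in OFFICE_PROCESSES):
        return False
    # ?dll.name (Elastic Defend / Endgame) or file.name (Sysmon Event ID 7) carries the module name
    return ci_match(get_field(event, "dll.name"), TARGET_DLL) or ci_match(get_field(event, "file.name"), TARGET_DLL)


def apply_ingest_pipeline(event):
    """Model of the custom pipeline the setup note asks for on pre-8.2 Beats indices:
    a `set` processor that copies @timestamp into event.ingested only when it is absent
    (override: false), so timestamp_override has a value to read.
    The pipeline shape is an assumption made for this example."""
    out = copy.deepcopy(event)
    out.setdefault("event", {}).setdefault("ingested", out["@timestamp"])
    return out


# Constructed sample events (not real telemetry), using the ECS field names the rule queries
SAMPLE_EVENTS = [
    {   # Sysmon image load forwarded by Winlogbeat: category "process", action "Image loaded"
        "_id": "sysmon-1", "@timestamp": "2025-01-15T10:00:00Z",
        "host": {"os": {"type": "windows"}},
        "event": {"category": ["process"], "action": "Image loaded (rule: ImageLoad)"},
        "process": {"name": "WINWORD.EXE"}, "file": {"name": "wmiutils.dll"},
    },
    {   # Elastic Defend library event; lower-case process name and upper-case DLL still match
        "_id": "defend-2", "@timestamp": "2025-01-15T10:00:01Z",
        "host": {"os": {"type": "windows"}},
        "event": {"category": ["library"], "action": "load"},
        "process": {"name": "excel.exe"}, "dll": {"name": "WMIUTILS.DLL"},
    },
    {   # Office loading an unrelated DLL: no match
        "_id": "benign-3", "@timestamp": "2025-01-15T10:00:02Z",
        "host": {"os": {"type": "windows"}},
        "event": {"category": ["library"], "action": "load"},
        "process": {"name": "WINWORD.EXE"}, "dll": {"name": "vbe7.dll"},
    },
    {   # wmiutils.dll loaded by a non-Office process: outside this rule's scope
        "_id": "other-4", "@timestamp": "2025-01-15T10:00:03Z",
        "host": {"os": {"type": "windows"}},
        "event": {"category": ["library"], "action": "load"},
        "process": {"name": "svchost.exe"}, "dll": {"name": "wmiutils.dll"},
    },
]


def find_matches(events):
    """Return the ids of events the rule would alert on, ordered by event.ingested."""
    prepared = [apply_ingest_pipeline(e) for e in events]
    hits = [e for e in prepared if matches_rule(e)]
    hits.sort(key=lambda e: e["event"]["ingested"])
    return [e["_id"] for e in hits]


if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # ['sysmon-1', 'defend-2']
```

The two matching events show why the query accepts both `dll.name` and `file.name`: each data source in the rule's `index` list names the loaded module in a different field. The `svchost.exe` sample is a reminder that the rule's scope is deliberately narrow; a `wmiutils.dll` load is only interesting here because the host process is an Office application.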
Related rules
- Command Execution via SolarWinds Process
- Command Shell Activity Started via RunDLL32
- Control Panel Process with Unusual Arguments
- Enumeration Command Spawned via WMIPrvSE
- Execution of COM object via Xwizard