Suspicious WMI Image Load from MS Office
Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/17"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate
11adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can
12be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.
13"""
14from = "now-9m"
15index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Suspicious WMI Image Load from MS Office"
19references = [
20 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
21]
22risk_score = 21
23rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
24setup = """## Setup
25
26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
29`event.ingested` to @timestamp.
30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
31"""
32severity = "low"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Execution",
38 "Data Source: Elastic Endgame",
39 "Data Source: Elastic Defend",
40 "Data Source: Sysmon",
41]
42timestamp_override = "event.ingested"
43type = "eql"
44
45query = '''
46any where host.os.type == "windows" and
47 (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
48 process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
49 (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1047"
57name = "Windows Management Instrumentation"
58reference = "https://attack.mitre.org/techniques/T1047/"
59
60
61[rule.threat.tactic]
62id = "TA0002"
63name = "Execution"
64reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Execution of File Written or Modified by PDF Reader
- Execution via local SxS Shared Module
- Microsoft Build Engine Using an Alternate Name