Windows Script Interpreter Executing Process via WMI
Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
# Rule housekeeping fields; none of these affect the detection logic.
[metadata]
creation_date = "2020/11/27"
# Integrations whose data streams the rule reads; the concrete index
# patterns are listed under `index` in [rule].
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process
via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
"""
# Lookback window applied on each execution of the rule.
from = "now-9m"
# Data streams searched. They correspond to the "Data Source" tags below:
# Winlogbeat, Elastic Defend (logs-endpoint.*), Sysmon via the windows
# integration, and Elastic Endgame.
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.library-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Windows Script Interpreter Executing Process via WMI"
# risk_score and severity are kept in step: 47 sits in the "medium" band.
risk_score = 47
rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Initial Access",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
]
type = "eql"

# Two-stage sequence on the same host (host.id), both stages within 5 s:
#   1. wscript.exe or cscript.exe loads wmiutils.dll -- the rule takes this
#      as the script host calling into WMI. The load is read either from
#      library/driver-category events or from Sysmon image-load events, which
#      arrive as process-category events with event.action "Image loaded*".
#      `?dll.name` is marked optional so sources without that field still
#      evaluate (file.name is the fallback).
#   2. A process start whose parent is wmiprvse.exe (the WMI provider host),
#      running under a domain other than "NT AUTHORITY", that is either one of
#      the listed built-in binaries -- matched on the PE original file name,
#      which survives renaming the file on disk -- or any .exe under
#      C:\Users or C:\ProgramData.
# The two stages are correlated only by host and time, not by process
# lineage: the interpreter in stage 1 need not be the ancestor of the child
# in stage 2.
# NOTE(review): confirm how `user.domain != "NT AUTHORITY"` behaves when
# user.domain is absent on a source; if a comparison against a missing field
# is null, such events drop out of the sequence, whereas
# `not user.domain : "NT AUTHORITY"` would keep them.
# The ''' literal string passes backslashes through untouched, so the
# doubling in "C:\\Users\\*.exe" is the EQL escape, not a TOML one.
query = '''
sequence by host.id with maxspan = 5s
  [any where host.os.type == "windows" and
    (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
    (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
  [process where host.os.type == "windows" and event.type == "start" and
    process.parent.name : "wmiprvse.exe" and
    user.domain != "NT AUTHORITY" and
    (process.pe.original_file_name :
      (
        "cscript.exe",
        "wscript.exe",
        "PowerShell.EXE",
        "Cmd.Exe",
        "MSHTA.EXE",
        "RUNDLL32.EXE",
        "REGSVR32.EXE",
        "MSBuild.exe",
        "InstallUtil.exe",
        "RegAsm.exe",
        "RegSvcs.exe",
        "msxsl.exe",
        "CONTROL.EXE",
        "EXPLORER.EXE",
        "Microsoft.Workflow.Compiler.exe",
        "msiexec.exe"
      ) or
    process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
    )
  ]
'''


# MITRE ATT&CK mapping for the "Tactic: Initial Access" tag: phishing via a
# spearphishing attachment. The technique, subtechnique and tactic tables
# below belong to this [[rule.threat]] element and must stay between this
# header and the next [[rule.threat]].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# MITRE ATT&CK mapping for the "Tactic: Execution" tag: WMI (the wmiprvse.exe
# parent in stage 2 of the query) and the Visual Basic script hosts
# (wscript.exe/cscript.exe in stage 1). Two techniques are listed under a
# single tactic, so each gets its own [[rule.threat.technique]] entry here.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Microsoft Exchange Worker Spawning Suspicious Processes
- Suspicious Explorer Child Process
- Unusual Execution via Microsoft Common Console File
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process