Windows Script Interpreter Executing Process via WMI
Identifies the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/11/27"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process
via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.library-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Windows Script Interpreter Executing Process via WMI"
risk_score = 47
rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan = 5s
  [any where host.os.type == "windows" and
    (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
    (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
  [process where host.os.type == "windows" and event.type == "start" and
    process.parent.name : "wmiprvse.exe" and
    user.domain != "NT AUTHORITY" and
    (process.pe.original_file_name :
      (
        "cscript.exe",
        "wscript.exe",
        "PowerShell.EXE",
        "Cmd.Exe",
        "MSHTA.EXE",
        "RUNDLL32.EXE",
        "REGSVR32.EXE",
        "MSBuild.exe",
        "InstallUtil.exe",
        "RegAsm.exe",
        "RegSvcs.exe",
        "msxsl.exe",
        "CONTROL.EXE",
        "EXPLORER.EXE",
        "Microsoft.Workflow.Compiler.exe",
        "msiexec.exe"
      ) or
      process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
    )
  ]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Windows Script Interpreter Executing Process via WMI

Windows Management Instrumentation (WMI) is a powerful Windows feature that allows for system management and automation. Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters like cscript.exe or wscript.exe. The detection rule identifies suspicious activity by monitoring for these interpreters executing processes via WMI, especially when initiated by non-system accounts, indicating potential malicious intent.

### Possible investigation steps

- Review the alert details to identify the specific script interpreter (cscript.exe or wscript.exe) and the process it executed. Check the process name and executable path for any anomalies or known malicious indicators.
- Examine the user account associated with the process execution. Verify if the user domain is not "NT AUTHORITY" and assess whether the account is expected to perform such actions. Investigate any unusual or unauthorized account activity.
- Investigate the parent process wmiprvse.exe to determine how it was initiated. Look for any preceding suspicious activities or processes that might have triggered the WMI execution.
- Check the system for any additional indicators of compromise, such as unexpected network connections, changes in system configurations, or other alerts related to the same host or user.
- Correlate the event with other security logs and alerts to identify any patterns or related incidents that might indicate a broader attack campaign or persistent threat.

### False positive analysis

- Legitimate administrative scripts or automation tasks may trigger this rule if they use cscript.exe or wscript.exe via WMI. To handle this, identify and document these scripts, then create exceptions for their specific execution paths or user accounts.
- Software installations or updates that utilize script interpreters through WMI can be mistaken for malicious activity. Monitor and whitelist known installation processes or update mechanisms that are frequently used in your environment.
- Custom applications or internal tools that rely on WMI for process execution might be flagged. Review these applications and exclude their specific process names or executable paths from the rule.
- Scheduled tasks or system maintenance scripts executed by non-system accounts could generate alerts. Verify these tasks and exclude them by specifying the user accounts or domains that are authorized to perform such actions.
- Security tools or monitoring solutions that leverage WMI for legitimate purposes may also be detected. Identify these tools and add them to the exception list based on their process names or executable locations.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes identified in the alert, such as cscript.exe or wscript.exe, that are running under non-system accounts.
- Conduct a thorough review of the affected host's scheduled tasks, startup items, and services to identify and remove any persistence mechanisms.
- Analyze the parent process wmiprvse.exe and its command-line arguments to understand the scope of the attack and identify any additional compromised systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign.
- Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches.
- Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
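The rule's two-stage EQL sequence, modelled in Python over constructed events so the conditions can be checked against sample telemetry before tuning exceptions. This is an added example, not part of the Elastic rule: the flat dotted-key event dicts, the helper names (`like`, `stage1`, `stage2`, `detect`, `ev`) and the sample hosts are assumptions, and `event.category` is simplified to a single string.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=5)
CHILDREN = ("cscript.exe", "wscript.exe", "PowerShell.EXE", "Cmd.Exe", "MSHTA.EXE", "RUNDLL32.EXE",
            "REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe",
            "CONTROL.EXE", "EXPLORER.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe")

def like(value, *patterns):
    """EQL ':' operator: case-insensitive match, '*' as wildcard."""
    return any(fnmatchcase((value or "").lower(), p.lower()) for p in patterns)

def stage1(e):
    """A script host loads wmiutils.dll (library event or Sysmon-style image load)."""
    cat = e.get("event.category")
    load = like(cat, "library", "driver") or (cat == "process" and like(e.get("event.action"), "Image loaded*"))
    dll = like(e.get("dll.name"), "wmiutils.dll") or like(e.get("file.name"), "wmiutils.dll")
    return load and dll and like(e.get("process.name"), "wscript.exe", "cscript.exe")

def stage2(e):
    """wmiprvse.exe starts a listed binary, or one under Users/ProgramData, for a non-system user."""
    return (e.get("event.category") == "process" and e.get("event.type") == "start"
            and like(e.get("process.parent.name"), "wmiprvse.exe")
            and e.get("user.domain") != "NT AUTHORITY"
            and (like(e.get("process.pe.original_file_name"), *CHILDREN)
                 or like(e.get("process.executable"), "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")))

def detect(events):
    """Simplified model of 'sequence by host.id with maxspan = 5s'."""
    pending, alerts = {}, []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e.get("host.os.type") != "windows":
            continue
        host, ts = e["host.id"], datetime.fromisoformat(e["@timestamp"])
        if stage1(e):
            pending[host] = ts  # newest stage-1 match per host wins
        elif stage2(e) and host in pending and ts - pending.pop(host) <= MAXSPAN:
            alerts.append((host, e["process.name"]))
    return alerts

# Constructed sample events (not real telemetry); sec is an offset within one minute.
def ev(sec, host, fields):
    return {"@timestamp": f"2025-01-15T10:00:{sec:02d}", "host.id": host, "host.os.type": "windows", **fields}
LOAD = {"event.category": "library", "dll.name": "wmiutils.dll", "process.name": "wscript.exe"}
START = {"event.category": "process", "event.type": "start", "process.parent.name": "WmiPrvSE.exe",
         "process.name": "powershell.exe", "process.pe.original_file_name": "PowerShell.EXE"}
SAMPLE = [ev(0, "h1", LOAD), ev(2, "h1", {**START, "user.domain": "CORP"}),          # alert
          ev(0, "h2", LOAD), ev(9, "h2", {**START, "user.domain": "CORP"}),          # outside maxspan
          ev(0, "h3", LOAD), ev(1, "h3", {**START, "user.domain": "NT AUTHORITY"})]  # system account
```

Only host `h1` alerts in `detect(SAMPLE)`: `h2` misses the 5-second window and `h3` is excluded by the `user.domain` condition.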
Related rules
- Command Execution via SolarWinds Process
- Microsoft Exchange Worker Spawning Suspicious Processes
- Potential Foxmail Exploitation
- ScreenConnect Server Spawning Suspicious Processes
- Suspicious Explorer Child Process