Windows Script Interpreter Executing Process via WMI

Identifies the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.


[metadata]
creation_date = "2020/11/27"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process
via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
"""
# Look-back window for each rule execution, relative to run time.
from = "now-9m"
# Both process and library/image-load events are needed: the first sequence
# stage matches a library or "Image loaded*" event, the second a process start.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.library-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Windows Script Interpreter Executing Process via WMI"
risk_score = 47
rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
type = "eql"

# Two-stage sequence, correlated per host.id, both stages within 5 seconds:
#   1. wscript.exe or cscript.exe loads wmiutils.dll. The load is accepted either
#      as a library/driver event or as a process event whose action starts with
#      "Image loaded" (the form image-load events take in some sources, e.g.
#      Sysmon). `?dll.name` marks the field optional, so the stage still
#      evaluates on indices whose mapping has no dll.name field.
#   2. wmiprvse.exe (the WMI provider host) then starts a child process that is
#      either one of the listed interpreters / frequently proxied Windows
#      binaries, or any executable under C:\Users or C:\ProgramData.
#      The list is matched on process.pe.original_file_name rather than
#      process.name, so renaming the binary on disk does not evade the match.
# Children running under a built-in "NT AUTHORITY" account are excluded from
# stage 2.
query = '''
sequence by host.id with maxspan = 5s
    [any where host.os.type == "windows" and 
     (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
     (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
    [process where host.os.type == "windows" and event.type == "start" and
     process.parent.name : "wmiprvse.exe" and
     user.domain != "NT AUTHORITY" and
     (process.pe.original_file_name :
        (
          "cscript.exe",
          "wscript.exe",
          "PowerShell.EXE",
          "Cmd.Exe",
          "MSHTA.EXE",
          "RUNDLL32.EXE",
          "REGSVR32.EXE",
          "MSBuild.exe",
          "InstallUtil.exe",
          "RegAsm.exe",
          "RegSvcs.exe",
          "msxsl.exe",
          "CONTROL.EXE",
          "EXPLORER.EXE",
          "Microsoft.Workflow.Compiler.exe",
          "msiexec.exe"
        ) or
      process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
     )
    ]
'''


# ATT&CK mapping, one [[rule.threat]] element per tactic. Each element carries
# its techniques (with sub-techniques) followed by the tactic sub-table.
# First element: Initial Access via a spearphishing attachment (the scripted
# payload a script interpreter would typically run).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



# Tactic sub-table belongs to the [[rule.threat]] element opened above.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# Second element: Execution via WMI and via the Visual Basic script interpreter.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



# Tactic sub-table belongs to the second [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
