Windows Script Interpreter Executing Process via WMI

  1[metadata]
  2creation_date = "2020/11/27"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process
 11via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-endpoint.events.library-*",
 18    "logs-windows.sysmon_operational-*",
 19    "endgame-*",
 20]
 21language = "eql"
 22license = "Elastic License v2"
 23name = "Windows Script Interpreter Executing Process via WMI"
 24note = """## Triage and analysis
 25
 26> **Disclaimer**:
 27> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 28
 29### Investigating Windows Script Interpreter Executing Process via WMI
 30
 31Windows Management Instrumentation (WMI) is a powerful Windows feature that allows for system management and automation. Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters like cscript.exe or wscript.exe. The detection rule identifies suspicious activity by monitoring for these interpreters executing processes via WMI, especially when initiated by non-system accounts, indicating potential malicious intent.
 32
 33### Possible investigation steps
 34
 35- Review the alert details to identify the specific script interpreter (cscript.exe or wscript.exe) and the process it executed. Check the process name and executable path for any anomalies or known malicious indicators.
 36- Examine the user account associated with the process execution. Verify if the user domain is not "NT AUTHORITY" and assess whether the account is expected to perform such actions. Investigate any unusual or unauthorized account activity.
 37- Investigate the parent process wmiprvse.exe to determine how it was initiated. Look for any preceding suspicious activities or processes that might have triggered the WMI execution.
 38- Check the system for any additional indicators of compromise, such as unexpected network connections, changes in system configurations, or other alerts related to the same host or user.
 39- Correlate the event with other security logs and alerts to identify any patterns or related incidents that might indicate a broader attack campaign or persistent threat.
 40
 41### False positive analysis
 42
 43- Legitimate administrative scripts or automation tasks may trigger this rule if they use cscript.exe or wscript.exe via WMI. To handle this, identify and document these scripts, then create exceptions for their specific execution paths or user accounts.
 44- Software installations or updates that utilize script interpreters through WMI can be mistaken for malicious activity. Monitor and whitelist known installation processes or update mechanisms that are frequently used in your environment.
 45- Custom applications or internal tools that rely on WMI for process execution might be flagged. Review these applications and exclude their specific process names or executable paths from the rule.
 46- Scheduled tasks or system maintenance scripts executed by non-system accounts could generate alerts. Verify these tasks and exclude them by specifying the user accounts or domains that are authorized to perform such actions.
 47- Security tools or monitoring solutions that leverage WMI for legitimate purposes may also be detected. Identify these tools and add them to the exception list based on their process names or executable locations.
 48
 49### Response and remediation
 50
 51- Immediately isolate the affected host from the network to prevent further malicious activity and lateral movement.
 52- Terminate any suspicious processes identified in the alert, such as cscript.exe or wscript.exe, that are running under non-system accounts.
 53- Conduct a thorough review of the affected host's scheduled tasks, startup items, and services to identify and remove any persistence mechanisms.
 54- Analyze the parent process wmiprvse.exe and its command-line arguments to understand the scope of the attack and identify any additional compromised systems.
 55- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger campaign.
 56- Implement additional monitoring and alerting for similar activities across the network, focusing on WMI-based script execution and non-standard process launches.
 57- Review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts."""
 58risk_score = 47
 59rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 60severity = "medium"
 61tags = [
 62    "Domain: Endpoint",
 63    "OS: Windows",
 64    "Use Case: Threat Detection",
 65    "Tactic: Initial Access",
 66    "Tactic: Execution",
 67    "Data Source: Elastic Endgame",
 68    "Data Source: Elastic Defend",
 69    "Data Source: Sysmon",
 70    "Resources: Investigation Guide",
 71]
 72type = "eql"
 73
 74query = '''
 75sequence by host.id with maxspan = 5s
 76    [any where host.os.type == "windows" and
 77     (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
 78     (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
 79    [process where host.os.type == "windows" and event.type == "start" and
 80     process.parent.name : "wmiprvse.exe" and
 81     user.domain != "NT AUTHORITY" and
 82     (process.pe.original_file_name :
 83        (
 84          "cscript.exe",
 85          "wscript.exe",
 86          "PowerShell.EXE",
 87          "Cmd.Exe",
 88          "MSHTA.EXE",
 89          "RUNDLL32.EXE",
 90          "REGSVR32.EXE",
 91          "MSBuild.exe",
 92          "InstallUtil.exe",
 93          "RegAsm.exe",
 94          "RegSvcs.exe",
 95          "msxsl.exe",
 96          "CONTROL.EXE",
 97          "EXPLORER.EXE",
 98          "Microsoft.Workflow.Compiler.exe",
 99          "msiexec.exe"
100        ) or
101      process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
102     )
103    ]
104'''
105
106
107[[rule.threat]]
108framework = "MITRE ATT&CK"
109[[rule.threat.technique]]
110id = "T1566"
111name = "Phishing"
112reference = "https://attack.mitre.org/techniques/T1566/"
113[[rule.threat.technique.subtechnique]]
114id = "T1566.001"
115name = "Spearphishing Attachment"
116reference = "https://attack.mitre.org/techniques/T1566/001/"
117
118
119
120[rule.threat.tactic]
121id = "TA0001"
122name = "Initial Access"
123reference = "https://attack.mitre.org/tactics/TA0001/"
124[[rule.threat]]
125framework = "MITRE ATT&CK"
126[[rule.threat.technique]]
127id = "T1047"
128name = "Windows Management Instrumentation"
129reference = "https://attack.mitre.org/techniques/T1047/"
130
131[[rule.threat.technique]]
132id = "T1059"
133name = "Command and Scripting Interpreter"
134reference = "https://attack.mitre.org/techniques/T1059/"
135[[rule.threat.technique.subtechnique]]
136id = "T1059.005"
137name = "Visual Basic"
138reference = "https://attack.mitre.org/techniques/T1059/005/"
139
140
141
142[rule.threat.tactic]
143id = "TA0002"
144name = "Execution"
145reference = "https://attack.mitre.org/tactics/TA0002/"