WMI Incoming Lateral Movement
Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
Elastic rule
[metadata]
creation_date = "2020/11/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/02/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of
adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "WMI Incoming Lateral Movement"
risk_score = 47
rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan = 2s

 /* Accepted Incoming RPC connection by Winmgmt service */

 [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
  source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
 ]

 /* Excluding Common FPs Nessus and SCCM */

 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
  not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
  not (
    user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
    /* Don't apply the user.id exclusion to Sysmon for compatibility */
    not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
  ) and
  not process.executable :
    ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
     "?:\\Windows\\CCM\\Ccm32BitLauncher.exe",
     "?:\\Windows\\System32\\wbem\\mofcomp.exe",
     "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe",
     "?:\\Windows\\System32\\powercfg.exe") and
  not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "REBOOT=ReallySuppress") and
  not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall")
 ]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating WMI Incoming Lateral Movement

Windows Management Instrumentation (WMI) is a core Windows feature enabling remote management and data collection. Adversaries exploit WMI for lateral movement by executing processes on remote hosts, often bypassing traditional security measures. The detection rule identifies suspicious WMI activity by monitoring specific network connections and process executions, filtering out common false positives to highlight potential threats.

### Possible investigation steps

- Review the source IP address of the incoming RPC connection to determine if it is from a known or trusted network segment, excluding localhost addresses like 127.0.0.1 and ::1.
- Check the process name and parent process name, specifically looking for svchost.exe and WmiPrvSE.exe, to confirm the execution context and identify any unusual parent-child process relationships.
- Investigate the user ID associated with the process execution to ensure it is not a system account (S-1-5-18, S-1-5-19, S-1-5-20) and assess if the user has legitimate reasons for remote WMI activity.
- Examine the process executable path to verify it is not one of the excluded common false positives, such as those related to HPWBEM, SCCM, or other specified system utilities.
- Analyze the network connection details, including source and destination ports, to identify any patterns or anomalies that could indicate malicious lateral movement.
- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and identify potential patterns of compromise.

### False positive analysis

- Administrative use of WMI for remote management can trigger alerts. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.
- Security tools like Nessus and SCCM may cause false positives. Exclude processes associated with these tools by adding their executables to the exception list.
- System processes running with high integrity levels might be flagged. Exclude processes with integrity levels marked as "System" to reduce noise.
- Specific executables such as msiexec.exe and appcmd.exe with certain arguments can be safely excluded if they are part of routine administrative tasks.
- Regularly review and update the exception list to ensure it aligns with current network management practices and tools.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.
- Terminate any suspicious processes identified as being executed via WMI on the affected host. Use task management tools or scripts to stop these processes.
- Conduct a thorough review of the affected host's WMI logs and process execution history to identify any unauthorized changes or additional malicious activity.
- Reset credentials for any accounts that were used in the suspicious WMI activity, especially if they have administrative privileges, to prevent further unauthorized access.
- Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current.
- Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns.
- If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
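To make the two-stage EQL sequence above concrete, here is an added Python emulation of its logic (example code written for this page, not Elastic's rule engine). It flattens the ECS fields the rule uses into plain dictionary keys (`process_name`, `parent_name`, `integrity_level`, `user_id`, `dataset`, and so on; these names are an assumption of the example), replays a handful of constructed events in timestamp order, and applies the same filters and false-positive carve-outs as the rule: the loopback and dynamic-port checks on the incoming RPC, the "System" integrity-level exclusion, the SYSTEM/LOCAL SERVICE/NETWORK SERVICE SID exclusion that is deliberately skipped for Sysmon data sources, the executable-path wildcards, and the msiexec/appcmd argument exceptions. The `sequence by host.id with maxspan = 2s` join is simplified to "newest pending stage-1 event per host, completed by a stage-2 event on the same host within 2 seconds".

```python
# Offline emulation of the "WMI Incoming Lateral Movement" EQL sequence.
# Added example; every event record below is constructed, not real telemetry.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

MAXSPAN = timedelta(seconds=2)            # `with maxspan = 2s`
EPHEMERAL_MIN = 49152                     # RPC dynamic port range checked in stage 1
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
SYSMON_DATASETS = {"windows.sysmon_operational", "windows.sysmon"}
EXCLUDED_EXE = [  # wildcard patterns copied from the rule; `?`/`*` behave as in EQL
    r"?:\Program Files\HPWBEM\Tools\hpsum_swdiscovery.exe",
    r"?:\Windows\CCM\Ccm32BitLauncher.exe",
    r"?:\Windows\System32\wbem\mofcomp.exe",
    r"?:\Windows\Microsoft.NET\Framework*\csc.exe",
    r"?:\Windows\System32\powercfg.exe",
]
Event = Dict[str, object]


def glob_ci(value: str, pattern: str) -> bool:
    """Case-insensitive wildcard match, mirroring EQL's `:` operator on strings."""
    return fnmatchcase(value.lower(), pattern.lower())


def has_arg(event: Event, wanted: str) -> bool:
    """EQL `process.args : "x"` matches any element of the args array, case-insensitively."""
    return any(str(a).lower() == wanted.lower() for a in event.get("args", []))


def is_incoming_winmgmt_rpc(e: Event) -> bool:
    """Stage 1: an accepted incoming RPC connection handled by svchost.exe on dynamic ports."""
    return (e["category"] == "network" and e["os"] == "windows"
            and str(e["process_name"]).lower() == "svchost.exe"
            and e["direction"] in ("incoming", "ingress")
            and e["source_ip"] not in ("127.0.0.1", "::1")
            and e["source_port"] >= EPHEMERAL_MIN and e["destination_port"] >= EPHEMERAL_MIN)


def is_suspicious_wmiprvse_child(e: Event) -> bool:
    """Stage 2: a process started by WmiPrvSE.exe, minus the rule's false-positive carve-outs."""
    if not (e["category"] == "process" and e["os"] == "windows" and e["event_type"] == "start"
            and str(e["parent_name"]).lower() == "wmiprvse.exe"):
        return False
    if str(e.get("integrity_level") or "").lower() == "system":   # optional field, may be absent
        return False
    # The well-known service SID exclusion is not applied to Sysmon data sources.
    if e.get("user_id") in SYSTEM_SIDS and e.get("dataset") not in SYSMON_DATASETS:
        return False
    exe = str(e["executable"])
    if any(glob_ci(exe, p) for p in EXCLUDED_EXE):
        return False
    if glob_ci(exe, r"?:\Windows\System32\msiexec.exe") and has_arg(e, "REBOOT=ReallySuppress"):
        return False
    if glob_ci(exe, r"?:\Windows\System32\inetsrv\appcmd.exe") and has_arg(e, "uninstall"):
        return False
    return True


def find_wmi_lateral_movement(events: List[Event]) -> List[Tuple[Event, Event]]:
    """Simplified `sequence by host.id`: the newest stage-1 event per host stays pending and a
    stage-2 event on the same host within MAXSPAN completes the sequence (one alert per pair)."""
    pending: Dict[str, Event] = {}
    matches: List[Tuple[Event, Event]] = []
    for e in sorted(events, key=lambda x: x["timestamp"]):
        host = str(e["host_id"])
        if is_incoming_winmgmt_rpc(e):
            pending[host] = e
        elif is_suspicious_wmiprvse_child(e):
            first = pending.get(host)
            if first is not None and e["timestamp"] - first["timestamp"] <= MAXSPAN:
                matches.append((first, e))
                del pending[host]
    return matches


def _ev(ts: str, host: str, **fields: object) -> Event:
    return {"timestamp": datetime.fromisoformat(ts), "host_id": host, "os": "windows", **fields}


def _rpc(ts: str, host: str) -> Event:
    return _ev(ts, host, category="network", process_name="svchost.exe", direction="incoming",
               source_ip="10.0.0.5", source_port=51234, destination_port=55000)


def _child(ts: str, host: str, exe: str, user_id: str, integrity: Optional[str],
           dataset: str = "endpoint.events.process", args: Optional[List[str]] = None) -> Event:
    return _ev(ts, host, category="process", event_type="start", parent_name="WmiPrvSE.exe",
               executable=exe, user_id=user_id, integrity_level=integrity, dataset=dataset,
               args=args or [])


# Constructed sample telemetry. Only host-a and host-d should produce an alert.
SAMPLE_EVENTS: List[Event] = [
    # host-a: cmd.exe spawned by WmiPrvSE.exe 1.2s after the incoming RPC, under a domain user
    _rpc("2025-02-22T12:00:00.000", "host-a"),
    _child("2025-02-22T12:00:01.200", "host-a", r"C:\Windows\System32\cmd.exe",
           "S-1-5-21-1-2-3-1001", "High", args=["cmd.exe", "/c", "hostname"]),
    # host-b: the child is the SCCM launcher, excluded by executable path and integrity level
    _rpc("2025-02-22T12:00:05.000", "host-b"),
    _child("2025-02-22T12:00:05.500", "host-b", r"C:\Windows\CCM\Ccm32BitLauncher.exe", "S-1-5-18", "System"),
    # host-c: the child arrives 5s after the RPC, outside the 2s maxspan
    _rpc("2025-02-22T12:00:10.000", "host-c"),
    _child("2025-02-22T12:00:15.000", "host-c", r"C:\Windows\System32\cmd.exe", "S-1-5-21-1-2-3-1001", "High"),
    # host-d: SYSTEM SID reported by Sysmon with no integrity field; the SID exclusion does not apply
    _rpc("2025-02-22T12:00:20.000", "host-d"),
    _child("2025-02-22T12:00:20.900", "host-d", r"C:\Windows\System32\cmd.exe", "S-1-5-18", None,
           dataset="windows.sysmon_operational"),
]

if __name__ == "__main__":
    for rpc, child in find_wmi_lateral_movement(SAMPLE_EVENTS):
        print(f"{child['host_id']}: {rpc['source_ip']} -> WmiPrvSE.exe spawned {child['executable']}")
```

Running the block prints one line each for host-a and host-d. The host-d case is worth noting when tuning: because the rule keeps SYSTEM-SID children from Sysmon sources, a Sysmon-only deployment will see more administrative noise than an Elastic Defend deployment, and the exception list in the rule (or a rule exception on `event.dataset`) is the place to absorb it.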
Related rules
- Execution via TSClient Mountpoint
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Mounting Hidden or WebDav Remote Shares
- Potential Remote Desktop Tunneling Detected
- Potential WSUS Abuse for Lateral Movement