WMI Incoming Lateral Movement

Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.

Elastic rule

```toml
[metadata]
creation_date = "2020/11/15"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of
adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "WMI Incoming Lateral Movement"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating WMI Incoming Lateral Movement

Windows Management Instrumentation (WMI) is a core Windows feature enabling remote management and data collection. Adversaries exploit WMI for lateral movement by executing processes on remote hosts, often bypassing traditional security measures. The detection rule identifies suspicious WMI activity by monitoring specific network connections and process executions, filtering out common false positives to highlight potential threats.

### Possible investigation steps

- Review the source IP address of the incoming RPC connection to determine if it is from a known or trusted network segment, excluding localhost addresses like 127.0.0.1 and ::1.
- Check the process name and parent process name, specifically looking for svchost.exe and WmiPrvSE.exe, to confirm the execution context and identify any unusual parent-child process relationships.
- Investigate the user ID associated with the process execution to ensure it is not a system account (S-1-5-18, S-1-5-19, S-1-5-20) and assess if the user has legitimate reasons for remote WMI activity.
- Examine the process executable path to verify it is not one of the excluded common false positives, such as those related to HPWBEM, SCCM, or other specified system utilities.
- Analyze the network connection details, including source and destination ports, to identify any patterns or anomalies that could indicate malicious lateral movement.
- Correlate the alert with other security events or logs from the same host or network segment to gather additional context and identify potential patterns of compromise.

### False positive analysis

- Administrative use of WMI for remote management can trigger alerts. To manage this, create exceptions for known administrative accounts or specific IP addresses used by IT staff.
- Security tools like Nessus and SCCM may cause false positives. Exclude processes associated with these tools by adding their executables to the exception list.
- System processes running with high integrity levels might be flagged. Exclude processes with integrity levels marked as "System" to reduce noise.
- Specific executables such as msiexec.exe and appcmd.exe with certain arguments can be safely excluded if they are part of routine administrative tasks.
- Regularly review and update the exception list to ensure it aligns with current network management practices and tools.

### Response and remediation

- Isolate the affected host immediately from the network to prevent further lateral movement by the adversary. This can be done by disabling network interfaces or using network segmentation tools.
- Terminate any suspicious processes identified as being executed via WMI on the affected host. Use task management tools or scripts to stop these processes.
- Conduct a thorough review of the affected host's WMI logs and process execution history to identify any unauthorized changes or additional malicious activity.
- Reset credentials for any accounts that were used in the suspicious WMI activity, especially if they have administrative privileges, to prevent further unauthorized access.
- Apply patches and updates to the affected host and any other systems that may be vulnerable to similar exploitation methods, ensuring that all security updates are current.
- Enhance monitoring and logging for WMI activity across the network to detect and respond to similar threats more quickly in the future. This includes setting up alerts for unusual WMI usage patterns.
- If the threat is confirmed to be part of a larger attack, escalate the incident to the appropriate security team or authority for further investigation and potential legal action."""
risk_score = 47
rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id with maxspan = 2s

 /* Accepted Incoming RPC connection by Winmgmt service */

  [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
   source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
  ]

  /* Excluding Common FPs Nessus and SCCM */

  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
   not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
   not (
         user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
         /* Don't apply the user.id exclusion to Sysmon for compatibility */
         not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
   ) and
   not process.executable :
               ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
                "?:\\Windows\\CCM\\Ccm32BitLauncher.exe",
                "?:\\Windows\\System32\\wbem\\mofcomp.exe",
                "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe",
                "?:\\Windows\\System32\\powercfg.exe") and
   not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "REBOOT=ReallySuppress") and
   not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall")
   ]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
...
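As an added example (not part of the Elastic rule or its repository), the Python below re-implements the rule's EQL sequence over constructed events so the 2-second maxspan window and each false-positive exclusion can be checked by hand. It assumes flattened ECS-style field names, a `ts` value in seconds, and a single `integrity_level` key standing in for the two integrity fields the rule checks.

```python
from fnmatch import fnmatch
MAXSPAN = 2.0  # seconds; mirrors `sequence by host.id with maxspan = 2s`
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
SYSMON = {"windows.sysmon_operational", "windows.sysmon"}
# Glob patterns copied from the rule: "?" stands for the drive letter, "*" is a wildcard.
EXCLUDED_EXE = [r"?:\Program Files\HPWBEM\Tools\hpsum_swdiscovery.exe", r"?:\Windows\CCM\Ccm32BitLauncher.exe",
                r"?:\Windows\System32\wbem\mofcomp.exe", r"?:\Windows\Microsoft.NET\Framework*\csc.exe",
                r"?:\Windows\System32\powercfg.exe"]
def like(value, pattern):  # EQL's ':' is a case-insensitive wildcard comparison
    return fnmatch(value.lower(), pattern.lower())

def is_incoming_rpc(e):
    """Step 1: ephemeral-port connection from a non-loopback IP accepted by svchost.exe (Winmgmt)."""
    return (e["category"] == "network" and like(e["process.name"], "svchost.exe")
            and e["network.direction"] in ("incoming", "ingress") and e["source.ip"] not in ("127.0.0.1", "::1")
            and e["source.port"] >= 49152 and e["destination.port"] >= 49152)

def is_wmi_child(e):
    """Step 2: process started by WmiPrvSE.exe that none of the rule's false-positive exclusions cover."""
    if e["category"] != "process" or e["event.type"] != "start" or not like(e["process.parent.name"], "WmiPrvSE.exe"):
        return False
    # Service SIDs are excluded only for non-Sysmon data, as the rule's inline comment explains.
    if e.get("integrity_level") == "System" or (e.get("user.id") in SYSTEM_SIDS and e["event.dataset"] not in SYSMON):
        return False
    exe, args = e["process.executable"], e.get("process.args", [])
    if any(like(exe, p) for p in EXCLUDED_EXE):
        return False
    return not ((like(exe, r"?:\Windows\System32\msiexec.exe") and "REBOOT=ReallySuppress" in args)
                or (like(exe, r"?:\Windows\System32\inetsrv\appcmd.exe") and "uninstall" in args))

def find_sequences(events):
    """Emulate the EQL sequence: pair each step-1 event with the next step-2 event on the same host.id within MAXSPAN."""
    hits, events = [], sorted(events, key=lambda e: e["ts"])
    for i, first in enumerate(events):
        if is_incoming_rpc(first):
            nxt = next((s for s in events[i + 1:] if s["host.id"] == first["host.id"] and is_wmi_child(s)), None)
            if nxt is not None and nxt["ts"] - first["ts"] <= MAXSPAN:
                hits.append((first, nxt))
    return hits

# Constructed sample events (not real telemetry): remote WMI execution on host A; excluded mofcomp.exe child on host B.
SAMPLE = [
    {"ts": 0.0, "host.id": "A", "category": "network", "process.name": "svchost.exe", "network.direction": "ingress",
     "source.ip": "10.0.0.5", "source.port": 61000, "destination.port": 49667},
    {"ts": 1.2, "host.id": "A", "category": "process", "event.type": "start", "process.parent.name": "WmiPrvSE.exe",
     "event.dataset": "endpoint.events.process", "user.id": "S-1-5-21-1-2-3-1001",
     "process.executable": r"C:\Windows\System32\cmd.exe", "process.args": ["cmd.exe", "/c", "hostname"]},
    {"ts": 5.0, "host.id": "B", "category": "network", "process.name": "svchost.exe", "network.direction": "incoming",
     "source.ip": "10.0.0.9", "source.port": 55000, "destination.port": 49700},
    {"ts": 5.5, "host.id": "B", "category": "process", "event.type": "start", "process.parent.name": "WmiPrvSE.exe",
     "event.dataset": "windows.sysmon_operational", "process.executable": r"C:\Windows\System32\wbem\mofcomp.exe"},
]
```

Running `find_sequences(SAMPLE)` yields one pair (host A); host B produces none because its only WmiPrvSE.exe child is the excluded mofcomp.exe.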
