WMI Incoming Lateral Movement
Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/15"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of
13adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
14"""
15from = "now-9m"
16index = [
17 "logs-endpoint.events.process-*",
18 "logs-endpoint.events.network-*",
19 "winlogbeat-*",
20 "logs-windows.sysmon_operational-*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "WMI Incoming Lateral Movement"
25risk_score = 47
26rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
27severity = "medium"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Lateral Movement",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon",
35]
36type = "eql"
37
38query = '''
39sequence by host.id with maxspan = 2s
40
41 /* Accepted Incoming RPC connection by Winmgmt service */
42
43 [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
44 source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
45 ]
46
47 /* Excluding Common FPs Nessus and SCCM */
48
49 [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
50 not (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
51 not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
52 not process.executable :
53 ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe",
54 "?:\\Windows\\CCM\\Ccm32BitLauncher.exe",
55 "?:\\Windows\\System32\\wbem\\mofcomp.exe",
56 "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe",
57 "?:\\Windows\\System32\\powercfg.exe") and
58 not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "REBOOT=ReallySuppress") and
59 not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall")
60 ]
61'''
62
63
64[[rule.threat]]
65framework = "MITRE ATT&CK"
66[[rule.threat.technique]]
67id = "T1021"
68name = "Remote Services"
69reference = "https://attack.mitre.org/techniques/T1021/"
70
71
72[rule.threat.tactic]
73id = "TA0008"
74name = "Lateral Movement"
75reference = "https://attack.mitre.org/tactics/TA0008/"
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1047"
80name = "Windows Management Instrumentation"
81reference = "https://attack.mitre.org/techniques/T1047/"
82
83
84[rule.threat.tactic]
85id = "TA0002"
86name = "Execution"
87reference = "https://attack.mitre.org/tactics/TA0002/"
Related rules
- Incoming DCOM Lateral Movement via MSHTA
- Incoming DCOM Lateral Movement with MMC
- Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
- Incoming Execution via PowerShell Remoting
- Incoming Execution via WinRM Remote Shell