WMI Incoming Lateral Movement

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/15"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/30"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of
13adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "WMI Incoming Lateral Movement"
20risk_score = 47
21rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
24type = "eql"
25
26query = '''
27sequence by host.id with maxspan = 2s
28
29 /* Accepted Incoming RPC connection by Winmgmt service */
30
31  [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and
32   source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152
33  ]
34
35  /* Excluding Common FPs Nessus and SCCM */
36
37  [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and
38   not process.args : ("C:\\windows\\temp\\nessus_*.txt",
39                       "*C:\\windows\\TEMP\\nessus_*.TMP*",
40                       "*C:\\Windows\\CCM\\SystemTemp\\*",
41                       "C:\\Windows\\CCM\\ccmrepair.exe",
42                       "C:\\Windows\\CCMCache\\*",
43                       "C:\\CCM\\Cache\\*")
44   ]
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50
51[rule.threat.tactic]
52id = "TA0008"
53name = "Lateral Movement"
54reference = "https://attack.mitre.org/tactics/TA0008/"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1047"
59name = "Windows Management Instrumentation"
60reference = "https://attack.mitre.org/techniques/T1047/"
61
62
63[rule.threat.tactic]
64id = "TA0002"
65name = "Execution"
66reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top