Windows Script Interpreter Executing Process via WMI

edit

Windows Script Interpreter Executing Process via WMI

edit

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 1

Added (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit
sequence by host.id with maxspan=5s [library where file.name :
"wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
[process where event.type in ("start", "process_started") and
process.parent.name : "wmiprvse.exe" and user.domain != "NT
AUTHORITY" and (process.pe.original_file_name in
( "cscript.exe",
"wscript.exe", "PowerShell.EXE",
"Cmd.Exe", "MSHTA.EXE",
"RUNDLL32.EXE", "REGSVR32.EXE",
"MSBuild.exe", "InstallUtil.exe",
"RegAsm.exe", "RegSvcs.exe",
"msxsl.exe", "CONTROL.EXE",
"EXPLORER.EXE",
"Microsoft.Workflow.Compiler.exe",
"msiexec.exe" ) or
process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
) ]

Threat mapping

edit

Framework: MITRE ATT&CKTM