IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Windows Script Executing PowerShell Windows Suspicious Script Object Execution »

› › ›

Windows Script Interpreter Executing Process via WMI

edit

Windows Script Interpreter Executing Process via WMI

edit

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Execution

Version: 1

Added (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

sequence by host.id with maxspan=5s [library where file.name :
"wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
[process where event.type in ("start", "process_started") and
process.parent.name : "wmiprvse.exe" and user.domain != "NT
AUTHORITY" and (process.pe.original_file_name in
( "cscript.exe",
"wscript.exe", "PowerShell.EXE",
"Cmd.Exe", "MSHTA.EXE",
"RUNDLL32.EXE", "REGSVR32.EXE",
"MSBuild.exe", "InstallUtil.exe",
"RegAsm.exe", "RegSvcs.exe",
"msxsl.exe", "CONTROL.EXE",
"EXPLORER.EXE",
"Microsoft.Workflow.Compiler.exe",
"msiexec.exe" ) or
process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
) ]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/

« Windows Script Executing PowerShell Windows Suspicious Script Object Execution »