IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
WMI Incoming Lateral Movement
editWMI Incoming Lateral Movement
editIdentifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 1
Added (Elastic Stack release): 7.11.0
Rule authors: Elastic
Rule license: Elastic License
Rule query
editsequence by host.id with maxspan = 2s /* Accepted Incoming RPC
connection by Winmgmt service */ [network where process.name :
"svchost.exe" and network.direction == "incoming" and
source.address != "127.0.0.1" and source.address != "::1" and
source.port >= 49152 and destination.port >= 49152 ] /* Excluding
Common FPs Nessus and SCCM */ [process where event.type in
("start", "process_started") and process.parent.name : "WmiPrvSE.exe"
and not process.args : ("C:\\windows\\temp\\nessus_*.txt",
"C:\\windows\\TEMP\\nessus_*.TMP",
"C:\\Windows\\CCM\\SystemTemp\\*",
"C:\\Windows\\CCMCache\\*",
"C:\\CCM\\Cache\\*") ]
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Windows Management Instrumentation
- ID: T1047
- Reference URL: https://attack.mitre.org/techniques/T1047/