IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Endpoint Security Enumeration of Administrator Accounts »

› › ›

Enumeration Command Spawned via WMIPrvSE

edit

Enumeration Command Spawned via WMIPrvSE

edit

Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Execution

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

process where event.type in ("start", "process_started") and
process.name: ( "arp.exe", "dsquery.exe", "dsget.exe",
"gpresult.exe", "hostname.exe", "ipconfig.exe",
"nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
"netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe",
"quser.exe", "qwinsta.exe", "reg.exe", "sc.exe",
"systeminfo.exe", "tasklist.exe", "tracert.exe",
"whoami.exe" ) and process.parent.name:"wmiprvse.exe"

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Windows Management Instrumentation
- ID: T1047
- Reference URL: https://attack.mitre.org/techniques/T1047/

« Endpoint Security Enumeration of Administrator Accounts »