IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Command Shell Activity Started via RunDLL32 Execution from Unusual Directory - Command Line »

› ›

Enumeration Command Spawned via WMIPrvSE

edit

Enumeration Command Spawned via WMIPrvSE

edit

Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.process-*
logs-windows.*
endgame-*
logs-system.security*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend

Version: 111

Rule authors:

Elastic

Rule license: Elastic License v2

Setup

edit

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until version 8.2. Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate event.ingested to @timestamp. For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
  process.name:
  (
    "arp.exe",
    "dsquery.exe",
    "dsget.exe",
    "gpresult.exe",
    "hostname.exe",
    "ipconfig.exe",
    "nbtstat.exe",
    "net.exe",
    "net1.exe",
    "netsh.exe",
    "netstat.exe",
    "nltest.exe",
    "ping.exe",
    "qprocess.exe",
    "quser.exe",
    "qwinsta.exe",
    "reg.exe",
    "sc.exe",
    "systeminfo.exe",
    "tasklist.exe",
    "tracert.exe",
    "whoami.exe"
  ) and
  process.parent.name:"wmiprvse.exe" and
  not (
    process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and
    process.args : ("demand", "disabled")
  ) and
  not process.args : "tenable_mw_scan"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Windows Management Instrumentation
- ID: T1047
- Reference URL: https://attack.mitre.org/techniques/T1047/
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Remote System Discovery
- ID: T1018
- Reference URL: https://attack.mitre.org/techniques/T1018/
Technique:
- Name: Account Discovery
- ID: T1087
- Reference URL: https://attack.mitre.org/techniques/T1087/
Technique:
- Name: Software Discovery
- ID: T1518
- Reference URL: https://attack.mitre.org/techniques/T1518/
Technique:
- Name: System Network Configuration Discovery
- ID: T1016
- Reference URL: https://attack.mitre.org/techniques/T1016/
Sub-technique:
- Name: Internet Connection Discovery
- ID: T1016.001
- Reference URL: https://attack.mitre.org/techniques/T1016/001/
Technique:
- Name: Process Discovery
- ID: T1057
- Reference URL: https://attack.mitre.org/techniques/T1057/

« Command Shell Activity Started via RunDLL32 Execution from Unusual Directory - Command Line »