IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Windows Script Executing PowerShell Windows Service Installed via an Unusual Client »
Elastic Docs Elastic Security Solution [8.2] Detections and alerts Prebuilt rule reference

Windows Script Interpreter Executing Process via WMI

edit

Windows Script Interpreter Executing Process via WMI

edit

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Initial Access

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan = 5s [library where dll.name :
"wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
[process where event.type in ("start", "process_started") and
process.parent.name : "wmiprvse.exe" and user.domain != "NT
AUTHORITY" and (process.pe.original_file_name : (
"cscript.exe", "wscript.exe", "PowerShell.EXE",
"Cmd.Exe", "MSHTA.EXE", "RUNDLL32.EXE",
"REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe",
"RegAsm.exe", "RegSvcs.exe", "msxsl.exe",
"CONTROL.EXE", "EXPLORER.EXE",
"Microsoft.Workflow.Compiler.exe", "msiexec.exe" )
or process.executable : ("C:\\Users\\*.exe",
"C:\\ProgramData\\*.exe") ) ]

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 2 (7.12.0 release)

  • Updated query, changed from:

    sequence by host.id with maxspan=5s [library where file.name :
"wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
[process where event.type in ("start", "process_started") and
process.parent.name : "wmiprvse.exe" and user.domain != "NT
AUTHORITY" and (process.pe.original_file_name in
( "cscript.exe",
"wscript.exe", "PowerShell.EXE",
"Cmd.Exe", "MSHTA.EXE",
"RUNDLL32.EXE", "REGSVR32.EXE",
"MSBuild.exe", "InstallUtil.exe",
"RegAsm.exe", "RegSvcs.exe",
"msxsl.exe", "CONTROL.EXE",
"EXPLORER.EXE",
"Microsoft.Workflow.Compiler.exe",
"msiexec.exe" ) or
process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
) ]
« Windows Script Executing PowerShell Windows Service Installed via an Unusual Client »