Windows Script Interpreter Executing Process via WMI
editWindows Script Interpreter Executing Process via WMI
editIdentifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Initial Access
Version: 101
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by host.id with maxspan = 5s [any where (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")] [process where event.type == "start" and process.parent.name : "wmiprvse.exe" and user.domain != "NT AUTHORITY" and (process.pe.original_file_name : ( "cscript.exe", "wscript.exe", "PowerShell.EXE", "Cmd.Exe", "MSHTA.EXE", "RUNDLL32.EXE", "REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "EXPLORER.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe" ) or process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") ) ]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Phishing
- ID: T1566
- Reference URL: https://attack.mitre.org/techniques/T1566/
-
Sub-technique:
- Name: Spearphishing Attachment
- ID: T1566.001
- Reference URL: https://attack.mitre.org/techniques/T1566/001/