Windows Script Interpreter Executing Process via WMI

edit

Windows Script Interpreter Executing Process via WMI

edit

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Initial Access

Version: 4 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan = 5s [any where (event.category
== "library" or (event.category == "process" and event.action : "Image
loaded*")) and (dll.name : "wmiutils.dll" or file.name :
"wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")]
[process where event.type in ("start", "process_started") and
process.parent.name : "wmiprvse.exe" and user.domain != "NT
AUTHORITY" and (process.pe.original_file_name : (
"cscript.exe", "wscript.exe", "PowerShell.EXE",
"Cmd.Exe", "MSHTA.EXE", "RUNDLL32.EXE",
"REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe",
"RegAsm.exe", "RegSvcs.exe", "msxsl.exe",
"CONTROL.EXE", "EXPLORER.EXE",
"Microsoft.Workflow.Compiler.exe", "msiexec.exe" )
or process.executable : ("C:\\Users\\*.exe",
"C:\\ProgramData\\*.exe") ) ]

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 4 (8.4.0 release)
  • Updated query, changed from:

    sequence by host.id with maxspan = 5s [library where dll.name :
    "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
    [process where event.type in ("start", "process_started") and
    process.parent.name : "wmiprvse.exe" and user.domain != "NT
    AUTHORITY" and (process.pe.original_file_name : (
    "cscript.exe", "wscript.exe", "PowerShell.EXE",
    "Cmd.Exe", "MSHTA.EXE", "RUNDLL32.EXE",
    "REGSVR32.EXE", "MSBuild.exe", "InstallUtil.exe",
    "RegAsm.exe", "RegSvcs.exe", "msxsl.exe",
    "CONTROL.EXE", "EXPLORER.EXE",
    "Microsoft.Workflow.Compiler.exe", "msiexec.exe" )
    or process.executable : ("C:\\Users\\*.exe",
    "C:\\ProgramData\\*.exe") ) ]
Version 2 (7.12.0 release)
  • Updated query, changed from:

    sequence by host.id with maxspan=5s [library where file.name :
    "wmiutils.dll" and process.name : ("wscript.exe", "cscript.exe")]
    [process where event.type in ("start", "process_started") and
    process.parent.name : "wmiprvse.exe" and user.domain != "NT
    AUTHORITY" and (process.pe.original_file_name in
    ( "cscript.exe",
    "wscript.exe", "PowerShell.EXE",
    "Cmd.Exe", "MSHTA.EXE",
    "RUNDLL32.EXE", "REGSVR32.EXE",
    "MSBuild.exe", "InstallUtil.exe",
    "RegAsm.exe", "RegSvcs.exe",
    "msxsl.exe", "CONTROL.EXE",
    "EXPLORER.EXE",
    "Microsoft.Workflow.Compiler.exe",
    "msiexec.exe" ) or
    process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
    ) ]