IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Suspicious Child Process of Adobe Acrobat Reader Update Service Suspicious Content Extracted or Decompressed via Funzip »

› › ›

Suspicious Cmd Execution via WMI

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Suspicious Cmd Execution via WMI

edit

Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*
logs-windows.*
endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame

Version: 105

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and
 process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Windows Management Instrumentation
- ID: T1047
- Reference URL: https://attack.mitre.org/techniques/T1047/

« Suspicious Child Process of Adobe Acrobat Reader Update Service Suspicious Content Extracted or Decompressed via Funzip »