Description

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2018-10-23
  • Author: Rico Valdez, Splunk
  • ID: c8ddc5be-69bc-4202-b3ab-4010b27d7ad5

Narrative

WMI is a Microsoft infrastructure for management data and operations on Windows operating systems. It includes a set of utilities that can be leveraged to manage both local and remote Windows systems. Attackers are increasingly turning to WMI abuse in their efforts to conduct nefarious tasks, such as reconnaissance, detection of antivirus and virtual machines, code execution, lateral movement, persistence, and data exfiltration. The detection searches included in this Analytic Story look for suspicious use of WMI commands that attackers may leverage to interact with remote systems; specifically, they look for the use of WMI to run processes on remote systems. In the event that unauthorized WMI execution occurs, it is important for analysts and investigators to determine the context of the event: which process was executed, on which host, and under which user account. These details may provide insights into how WMI was used and to what end.
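The following is an added example, not part of this Analytic Story or Splunk's own search content, that shows the kind of logic the narrative describes, applied offline to a handful of constructed process-creation records shaped after the Endpoint datamodel fields (process_name, parent_process_name, process, user, dest). The three patterns it checks (a child process spawned by WmiPrvSE.exe, wmic.exe invoked with a /node: target, and wmic.exe used with "process call create") are illustrative approximations of what detections with names like those listed below typically look for; they are assumptions of this example, not a reproduction of the actual SPL searches. The benign-child allowlist is also an assumption to be tuned per environment.

```python
import re
from typing import Dict, List

# Constructed sample events (not real telemetry), shaped after Endpoint.Processes fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "wmic.exe",
     "process": 'wmic.exe /node:fileserver01 process call create "cmd.exe /c whoami"'},
    {"dest": "fileserver01", "user": "CORP\\alice", "parent_process_name": "WmiPrvSE.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c whoami"},
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "wmic.exe", "process": "wmic.exe os get caption"},
    {"dest": "ws03", "user": "NT AUTHORITY\\SYSTEM", "parent_process_name": "WmiPrvSE.exe",
     "process_name": "WerFault.exe", "process": "WerFault.exe -u -p 1234"},
]

# Assumed allowlist: children of WmiPrvSE.exe that are routine on many hosts.
# Tune this for the environment; it is an illustration, not a vetted list.
BENIGN_WMI_CHILDREN = {"werfault.exe", "wmiprvse.exe", "msiexec.exe"}

# wmic.exe targeting a remote host with /node:<host>
REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)
# wmic.exe asking the Win32_Process class to create a process
PROCESS_CALL_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the illustrative rules that match a single event."""
    findings: List[str] = []
    pname = event.get("process_name", "").lower()
    parent = event.get("parent_process_name", "").lower()
    cmdline = event.get("process", "")

    # Pattern 1: WMI provider host spawning a non-allowlisted child process
    if parent == "wmiprvse.exe" and pname not in BENIGN_WMI_CHILDREN:
        findings.append("Process Execution via WMI")

    # Patterns 2 and 3: wmic.exe used against a remote node / to create a process
    if pname == "wmic.exe":
        if REMOTE_NODE.search(cmdline):
            findings.append("Remote WMI Command Attempt")
        if PROCESS_CALL_CREATE.search(cmdline):
            findings.append("WMI Process Call Create")
    return findings


def run_detections(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through detect() and keep the context an analyst needs."""
    results: List[Dict[str, str]] = []
    for ev in events:
        for rule in detect(ev):
            results.append({"rule": rule, "dest": ev["dest"],
                            "user": ev["user"], "process": ev["process"]})
    return results


def summarize_by_user(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per user, since user context is the first triage pivot."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['rule']:<28} dest={h['dest']:<13} user={h['user']:<20} {h['process']}")
    print(summarize_by_user(hits))
```

On the constructed input, the first record trips both wmic.exe rules, the second (cmd.exe under WmiPrvSE.exe on the target host) trips the provider-host rule, and the local inventory query and the WerFault child are left alone; grouping by user shows all three findings belonging to the same account, which is the context the narrative asks investigators to establish.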

Detections

| Name | Technique | Type |
|------|-----------|------|
| Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP |
| PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP |
| Process Execution via WMI | Windows Management Instrumentation | TTP |
| Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP |
| Remote WMI Command Attempt | Windows Management Instrumentation | TTP |
| Script Execution via WMI | Windows Management Instrumentation | TTP |
| WMI Permanent Event Subscription | Windows Management Instrumentation | TTP |
| WMI Permanent Event Subscription - Sysmon | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP |
| WMI Temporary Event Subscription | Windows Management Instrumentation | TTP |
| WMIC XSL Execution via URL | XSL Script Processing | TTP |
| Windows WMI Process Call Create | Windows Management Instrumentation | Hunting |
| XSL Script Execution With WMIC | XSL Script Processing | TTP |

Reference

source | version: 2