Techniques
Sample rules
Process Execution via WMI
- source: splunk
- techniques:
  - T1047
Description
The following analytic identifies WmiPrvSE.exe spawning a process. This typically occurs when a process is instantiated from a local or remote process using wmic.exe. During triage, review parallel processes for suspicious behavior or commands executed. Review the process and command-line spawning from wmiprvse.exe. Contain and remediate the endpoint as necessary.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=WmiPrvSE.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `process_execution_via_wmi_filter`
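The following is an added example, not code from the Splunk security content project: a stand-alone Python re-implementation of the search above, run over a few constructed process-creation events in key=value form. It reproduces the tstats stage (filter on parent_process_name, group by the same fields, emit count/firstTime/lastTime), approximates the `security_content_ctime` macro with a UTC timestamp formatter, and stands in for the `process_execution_via_wmi_filter` tuning hook with a hypothetical allowlist. It also adds a small triage helper for the "review parallel processes" step, listing other processes seen on the same host shortly before or after a hit. Host names, users, PIDs and command lines are all constructed; the parent-name match is done case-insensitively here as a deliberate choice of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (hypothetical hosts, users, PIDs, command lines).
# Field names follow the Endpoint.Processes data model used by the rule.
# The second and third lines are the same process reported twice, to show how
# the group-by aggregates duplicate records into count=2.
SAMPLE_LOG = r"""
2024-03-01T10:15:02Z dest=WS01 user="CORP\alice" parent_process_name=explorer.exe parent_process="C:\Windows\explorer.exe" process_name=notepad.exe process="notepad.exe notes.txt" process_id=5100 parent_process_id=2200
2024-03-01T10:16:40Z dest=WS01 user="NT AUTHORITY\NETWORK SERVICE" parent_process_name=WmiPrvSE.exe parent_process="C:\Windows\System32\wbem\WmiPrvSE.exe" process_name=cmd.exe process="cmd.exe /c whoami" process_id=4120 parent_process_id=3344
2024-03-01T10:16:41Z dest=WS01 user="NT AUTHORITY\NETWORK SERVICE" parent_process_name=WmiPrvSE.exe parent_process="C:\Windows\System32\wbem\WmiPrvSE.exe" process_name=cmd.exe process="cmd.exe /c whoami" process_id=4120 parent_process_id=3344
2024-03-01T10:20:05Z dest=SRV02 user="CORP\svc_inventory" parent_process_name=WmiPrvSE.exe parent_process="C:\Windows\System32\wbem\WmiPrvSE.exe" process_name=powershell.exe process="powershell.exe -File C:\Scripts\inventory.ps1" process_id=7788 parent_process_id=1212
2024-03-01T10:21:30Z dest=SRV02 user=SYSTEM parent_process_name=svchost.exe parent_process="C:\Windows\System32\svchost.exe" process_name=conhost.exe process="conhost.exe 0x4" process_id=8001 parent_process_id=900
"""

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Same group-by fields as the tstats search (minus the parent_process_name filter field).
GROUP_BY = ("dest", "user", "parent_process", "process_name", "process",
            "process_id", "parent_process_id")


def parse_event(line):
    """Parse one 'timestamp k=v ...' line; _time becomes a UTC epoch float, as in Splunk."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"_time": when.timestamp()}
    for key, quoted, bare in KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def load_events(log_text):
    return [parse_event(l) for l in log_text.splitlines() if l.strip()]


def process_execution_via_wmi(events):
    """tstats stage: keep children of WmiPrvSE.exe, aggregate per group-by tuple."""
    groups = {}
    for ev in events:
        if ev.get("parent_process_name", "").lower() != "wmiprvse.exe":
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        agg = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **agg) for key, agg in groups.items()]


def ctime(epoch):
    """Approximation of the security_content_ctime macro: epoch -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def apply_filter(rows, known_good):
    """Stand-in for the process_execution_via_wmi_filter tuning hook.
    Assumption: known_good is a set of (dest, user, process_name) tuples to suppress."""
    return [r for r in rows if (r["dest"], r["user"], r["process_name"]) not in known_good]


def run_detection(log_text, known_good=()):
    """Full pipeline: parse -> tstats-equivalent -> ctime -> filter macro."""
    rows = apply_filter(process_execution_via_wmi(load_events(log_text)), set(known_good))
    for r in rows:
        r["firstTime"], r["lastTime"] = ctime(r["firstTime"]), ctime(r["lastTime"])
    return rows


def parallel_processes(events, hit, window_s=120):
    """Triage helper: other process names seen on the hit's host within +/- window_s
    of the hit, excluding the hit's own PID. Supports the 'review parallel processes' step."""
    first = datetime.strptime(hit["firstTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
    last = datetime.strptime(hit["lastTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
    return sorted({ev["process_name"] for ev in events
                   if ev["dest"] == hit["dest"] and ev["process_id"] != hit["process_id"]
                   and first - window_s <= ev["_time"] <= last + window_s})


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for row in run_detection(SAMPLE_LOG):
        print(row["dest"], row["user"], row["process_name"], row["count"],
              row["firstTime"], row["lastTime"], "|", row["process"])
        print("  parallel:", parallel_processes(events, row))
```

Two rows come out untuned (the cmd.exe hit with count=2 from the duplicated record, and the powershell.exe hit on SRV02); passing the inventory service account's PowerShell job as known_good leaves only the cmd.exe row, which is the effect the filter macro is meant to have once an analyst has tuned it.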