Techniques
Sample rules
Script Execution via WMI
- source: splunk
- technicques:
- T1047
Description
The following analytic detects any potential misuse of Windows Management Instrumentation (WMI) for malicious purposes since adversaries often use WMI to run scripts which allows them to carry out malicious activities without raising suspicion. The detection is made by monitoring the process ‘scrcons.exe’, which is essential to run WMI scripts. The detection is important because it proactively identifies and responds to potential threats that leverage WMI for malicious purposes that can lead to system compromise, data exfiltration, or the establishment of persistence within the environment. False positives might occur since administrators might occasionally use WMI to launch scripts for legitimate purposes. Therefore, you must distinguish between malicious and benign activities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=scrcons.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `script_execution_via_wmi_filter`