Windows Script Interpreter Executing Process via WMI

This detection identifies the use of Windows script interpreters (cscript.exe or wscript.exe) to execute processes via Windows Management Instrumentation (WMI). Adversaries exploit WMI to execute scripts or processes stealthily, often using script interpreters. The rule monitors for these interpreters executing processes via WMI, specifically when initiated by non-system accounts, indicating potential malicious intent. The detection focuses on identifying scenarios where wmiutils.dll is loaded by wscript.exe or cscript.exe, followed by wmiprvse.exe spawning a new process. This is often associated with malicious initial access or execution techniques.

Attack Chain

1. An attacker gains initial access via phishing (T1566) or other means.
2. The attacker leverages a script, such as VBScript or JavaScript (T1059.005, T1059.007), to execute commands using WMI.
3. The script interpreter (cscript.exe or wscript.exe) loads wmiutils.dll to interact with WMI.
4. The WMI Provider Host process (wmiprvse.exe) is invoked as a parent process, triggered by the script execution.
5. wmiprvse.exe executes a secondary process, such as powershell.exe, cmd.exe, or other executables, often from unusual locations like C:\\Users\\ or C:\\ProgramData\\.
6. The executed process performs malicious actions, such as downloading additional payloads or establishing persistence.
7. The attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys.
8. The ultimate objective is often lateral movement, data exfiltration, or deploying ransomware.

Impact

Successful exploitation allows attackers to execute arbitrary code, bypass security controls, and establish persistence on the compromised system. The use of WMI enables stealthy execution, making detection challenging. The impact can range from data theft and system compromise to full network takeover. In some cases, threat actors may deploy ransomware, leading to significant financial losses and operational disruption.

Recommendation

• Enable Sysmon Event ID 1 (Process Creation) and Event ID 7 (Image Loaded) logging to provide the necessary data for the provided Sigma rules.
• Deploy the provided Sigma rule “WMI Scripting Process Creation” to detect suspicious process creation events originating from wmiprvse.exe.
• Investigate any alerts generated by the provided Sigma rule “WMI Scripting Process Creation” with a focus on processes spawned by wmiprvse.exe from unusual locations or with suspicious command-line arguments.
• Implement endpoint protection policies to block or alert on the execution of high-risk processes when initiated by non-system accounts as mentioned in the overview.
• Regularly review and update endpoint protection policies to block or alert on the execution of high-risk processes like those listed in the detection query, especially when initiated by non-system accounts.