This repository was archived by the owner on Nov 16, 2023. It is now read-only.

Commit 41226f6

Merge pull request #177 from martyav/detect-office-products-launching-w-wmic
added detect-office-products-spawning-wmic.md
2 parents e1df54f + b4f6764 commit 41226f6

1 file changed

+42
-0
lines changed

@@ -0,0 +1,42 @@
1+
# Detect Office products launching wmic.exe
2+
3+
This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*.
4+
5+
[Windows Management Instrumentation](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi), or *WMI*, is a legitimate Microsoft framework used to obtain management data and perform administrative tasks on remote devices. However, attackers can also use WMI to gather information about a target or hijack control of a device. The MITRE ATT&CK framework includes [WMI](https://attack.mitre.org/techniques/T1047/) among its list of common enterprise attack techniques.
6+
7+
The following query detects when Microsoft Office software spawns an instance of the WMI command-line utility, *[wmic.exe](https://docs.microsoft.com/windows/win32/wmisdk/wmic)*.
8+
9+
## Query
10+
11+
```Kusto
12+
​​// Office products spawning WMI
13+
DeviceProcessEvents
14+
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
15+
and FileName =~"wmic.exe"
16+
```
17+
18+
## Category
19+
20+
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
21+
22+
| Technique, tactic, or state | Covered? (v=yes) | Notes |
23+
|-|-|-|
24+
| Initial access | | |
25+
| Execution | v | The query will detect whenever a Microsoft Office product spawns an instance of wmic.exe. This sort of activity, although suspicious, is not by itself actively harmful. Administrators should investigate further to determine if the event was malicious. |
26+
| Persistence | | |
27+
| Privilege escalation | | |
28+
| Defense evasion | | |
29+
| Credential Access | | |
30+
| Discovery | | |
31+
| Lateral movement | | |
32+
| Collection | | |
33+
| Command and control | | |
34+
| Exfiltration | | |
35+
| Impact | | |
36+
| Vulnerability | | |
37+
| Misconfiguration | | |
38+
| Malware, component | | |
39+
40+
## Contributor info
41+
42+
**Contributor:** Microsoft Threat Protection team
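
Review bot: the comment line that opens the query block (`// Office products spawning WMI`) appears to carry invisible zero-width characters before the `//`; strip them, because they survive copy-paste into Advanced Hunting and make the query fail to parse. Two smaller points in the same block: the parent-process filter covers only `winword.exe`, `excel.exe` and `outlook.exe`, so a PowerPoint, Access or Publisher lure launching wmic.exe is missed; consider extending the `in~ (...)` list to the remaining Office executables (e.g. `powerpnt.exe`, `msaccess.exe`, `mspub.exe`). Also write `FileName =~ "wmic.exe"` with a space for consistency with the `in~ (...)` clause above it. Finally, the introduction says attackers use WMI "to gather information about a target", yet the Category table ticks only Execution; either mark Discovery as covered too or drop that clause so the text and the table agree.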
