Detect Lateral Movement With WMI

Description

This use case looks for WMI being used for lateral movement.


Use Case

Advanced Threat Detection

Category

Lateral Movement

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Lateral Movement
Execution

MITRE ATT&CK Techniques

Remote Services
Windows Management Instrumentation

MITRE Threat Groups

APT29
APT32
APT39
APT41
Deep Panda
FIN6
FIN8
GCMAN
Lazarus Group
Leviathan
MuddyWater
OilRig
Soft Cell
Stealth Falcon
TEMP.Veles
Threat Group-3390
menuPass

Kill Chain Phases

Installation
Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This use case requires Sysmon to be installed on the endpoints you wish to monitor and the Sysmon add-on installed on your forwarders and search heads.

Known False Positives

None at the moment

How To Respond

When this search fires, you will want to start your incident response process and investigate the actions taken by this process.

Help

Detect Lateral Movement With WMI Help

This use case looks for WMI being used for lateral movement.

SPL for Detect Lateral Movement With WMI

Demo Data

First we load our basic demo data.
Next we look for any instances of WMIC (Windows Management Instrumentation Command-line) being launched (EventCode 1 indicates a process launch), and filter to make sure our suspicious fields are present in the CommandLine string.
Then we put the data into a table, because that is the easiest form to work with.

Live Data

First we load our Sysmon EDR data (though any other process launch logs that capture the full command line would suffice). We look for any instances of WMIC (Windows Management Instrumentation Command-line) being launched (EventCode 1 indicates a process launch), and filter to make sure our suspicious fields are present in the CommandLine string.
Then we put the data into a table, because that is the easiest form to work with.
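The same filter, applied to constructed Sysmon Event ID 1 records in Python rather than in SPL, as an added example that is not the use case's own search. The page does not name the command-line fields it treats as suspicious, so the two indicators used here (a `/node:` pointing at a host other than the logging machine, plus `process call create`) are assumptions, as are the sample hostnames and users.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"FS01" /user:CORP\svc_backup process call create "cmd.exe /c ipconfig"'},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption,version"},                 # local query, benign
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:localhost process call create notepad.exe"},  # local target
    {"EventCode": 3, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": ""},                                             # network event, not a launch
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo /node:FS01"},                   # not WMIC
]

# Assumed suspicious fields: a remote /node: target and a process-creation verb.
NODE_RE = re.compile(r'/node:\s*"?([^\s"]+)"?', re.IGNORECASE)
CREATE_RE = re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)
LOCAL_ALIASES = {"localhost", "127.0.0.1", "."}


def is_wmic_launch(event):
    """EventCode 1 is a process launch; only WMIC.exe launches are of interest."""
    return event.get("EventCode") == 1 and event.get("Image", "").lower().endswith("\\wmic.exe")


def remote_target(event):
    """Return the /node: host if it is not the logging machine itself, else None."""
    match = NODE_RE.search(event.get("CommandLine", ""))
    if not match:
        return None
    node = match.group(1).strip()
    if node.lower() in LOCAL_ALIASES or node.lower() == event.get("Computer", "").lower():
        return None
    return node


def detect_wmi_lateral_movement(events):
    """Filter events, then tabulate the fields an analyst would want to see."""
    table = []
    for event in events:
        if not is_wmic_launch(event):
            continue
        target = remote_target(event)
        if target is None or not CREATE_RE.search(event["CommandLine"]):
            continue
        table.append({"Computer": event["Computer"], "User": event["User"],
                      "TargetHost": target, "CommandLine": event["CommandLine"]})
    return table


if __name__ == "__main__":
    for row in detect_wmi_lateral_movement(SAMPLE_EVENTS):
        print(row)
```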