Detect Lateral Movement With WMI

Description

This use case looks for WMI being used for lateral movement.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Advanced Threat Detection

Category

Lateral Movement, Ransomware

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 3

MITRE ATT&CK Tactics

Lateral Movement
Execution

MITRE ATT&CK Techniques

Remote Services
Windows Management Instrumentation

MITRE Threat Groups

Threat Group-3390
Lazarus Group
APT41
Deep Panda
MuddyWater
APT29
Blue Mockingbird
Chimera
APT32
menuPass
Stealth Falcon
Leviathan
FIN6
Frankenstein
FIN8
Wizard Spider
Soft Cell
OilRig

Kill Chain Phases

Installation
Actions On Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This use case requires Sysmon to be installed on the endpoints you wish to monitor and the Sysmon add-on installed on your forwarders and search heads.

Known False Positives

None at the moment

How To Respond

When this search fires, start your incident response process and investigate the actions taken by the flagged process.

Help

Detect Lateral Movement With WMI Help

SPL for Detect Lateral Movement With WMI

Demo Data

First we load our basic demo data.
Next we look for any instances of WMIC (Windows Management Instrumentation Command-line) being launched (EventCode 1 indicates a process launch), and filter to make sure our suspicious fields are present in the CommandLine string.
Then we put the results into a table, which is the easiest form to work with.

Live Data

First we load our Sysmon EDR data (though any other process launch logs that include the full command line would suffice). We look for any instances of WMIC (Windows Management Instrumentation Command-line) being launched (EventCode 1 indicates a process launch), and filter to make sure our suspicious fields are present in the CommandLine string.
Then we put the results into a table, which is the easiest form to work with.
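The page does not show the SPL itself, so the following is an added example (not the use case's own search) that applies the same logic in Python to a handful of constructed Sysmon process-launch records: keep only EventCode 1 events whose image is WMIC.exe, then flag those whose command line targets a remote host. The "suspicious fields" are an assumption here, namely a /node: switch naming a host other than the local machine, with "process call create" noted as remote execution; the sample events and host names are constructed.

```python
import re

# Constructed sample Sysmon Event ID 1 records (not real telemetry), reduced to the needed fields.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic /node:FS02 /user:CORP\\admin process call create "cmd.exe /c whoami"'},
    {"EventCode": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption"},                      # local query, benign
    {"EventCode": 3, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:FS02 process call create notepad.exe"},  # network event, not a launch
    {"EventCode": 1, "Computer": "WS03", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                           # not WMIC
]

# Assumed "suspicious fields" (the page does not name them): a /node: switch
# naming a host other than the local one, optionally with remote process creation.
NODE_RE = re.compile(r'/node:\s*"?([^\s"]+)', re.IGNORECASE)
CREATE_RE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
LOCAL_NAMES = {"localhost", "127.0.0.1", "."}

def is_wmic_launch(event):
    """Sysmon EventCode 1 (process create) whose image is WMIC.exe."""
    return event.get("EventCode") == 1 and event.get("Image", "").lower().endswith("\\wmic.exe")

def detect_wmi_lateral_movement(events):
    """Return one table row per WMIC launch that targets a remote host via /node:."""
    hits = []
    for ev in events:
        if not is_wmic_launch(ev):
            continue
        cmd = ev.get("CommandLine", "")
        m = NODE_RE.search(cmd)
        if not m:
            continue
        target = m.group(1).strip("\"'")
        # /node: pointing back at the same machine is local management, not lateral movement
        if target.lower() in LOCAL_NAMES or target.lower() == ev.get("Computer", "").lower():
            continue
        hits.append({"Computer": ev["Computer"], "User": ev["User"], "target": target,
                     "remote_exec": bool(CREATE_RE.search(cmd)), "CommandLine": cmd})
    return hits

if __name__ == "__main__":
    for row in detect_wmi_lateral_movement(SAMPLE_EVENTS):
        print(row)
```

Each returned row corresponds to one line of the table the SPL produces; in Splunk the same filter is the EventCode, Image and CommandLine conditions applied before the table command.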