Query Details

Asr Psexec Wmi Child Process Audited Query

Query

# Rule : Detection of PsExec and WMI Child Processes Through ASR

## Description
This detection rule identifies child processes spawned by PsExec and WMI that were recorded by the Microsoft Defender Attack Surface Reduction (ASR) rule "Block process creations originating from PSExec and WMI commands", either while the rule ran in audit mode (`AsrPsexecWmiChildProcessAudited`) or after a user clicked through a warn-mode prompt (`AsrPsexecWmiChildProcessWarnBypassed`), excluding `shutdown.exe`. Monitoring these child processes matters because PsExec and WMI are commonly used by attackers to execute commands and scripts remotely, and are a staple of lateral movement and payload execution on target systems.

This rule helps identify suspicious activity involving PsExec and WMI while excluding one common benign case, remote shutdown via `shutdown.exe`.

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` starts with "AsrPsexecWmiChildProcessAudited" or "AsrPsexecWmiChildProcessWarnBypassed".
  - The `FileName` is not "shutdown.exe".

## Tags
- PsExec
- WMI
- Remote Execution
- Lateral Movement
- Attack Surface Reduction (ASR)
- Suspicious Activity

## Search Query
```kql
DeviceEvents
| where ActionType startswith "AsrPsexecWmiChildProcessAudited" or ActionType startswith "AsrPsexecWmiChildProcessWarnBypassed" 
| where FileName != "shutdown.exe"
```
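The filter above, re-implemented in Python and run over a few constructed DeviceEvents-style rows (an added example, not code from the original page). It shows which `ActionType` values the query does and does not return, and that KQL `startswith` is case-insensitive while `!=` is case-sensitive, so a `FileName` recorded as `SHUTDOWN.EXE` would not be excluded. The column names are real DeviceEvents columns; the row contents and the `InitiatingProcessFileName` values are assumptions made for illustration.

```python
"""Offline mirror of the ASR PsExec/WMI child-process query (added example).

Column names are genuine Microsoft Defender XDR DeviceEvents columns; the rows
below are constructed sample data, not real telemetry.
"""
from collections import Counter

# The original query selects only these two prefixes. The rule also emits
# AsrPsexecWmiChildProcessBlocked, which is deliberately left out to match it.
ACTION_PREFIXES = (
    "AsrPsexecWmiChildProcessAudited",
    "AsrPsexecWmiChildProcessWarnBypassed",
)
EXCLUDED_FILENAME = "shutdown.exe"

# Constructed sample events (assumed parent process names for illustration).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "AsrPsexecWmiChildProcessAudited",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "PSEXESVC.exe"},
    {"DeviceName": "ws01", "ActionType": "AsrPsexecWmiChildProcessAudited",
     "FileName": "shutdown.exe", "InitiatingProcessFileName": "PSEXESVC.exe"},
    {"DeviceName": "ws02", "ActionType": "AsrPsexecWmiChildProcessWarnBypassed",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "WmiPrvSE.exe"},
    {"DeviceName": "ws02", "ActionType": "AsrPsexecWmiChildProcessBlocked",
     "FileName": "rundll32.exe", "InitiatingProcessFileName": "WmiPrvSE.exe"},
    {"DeviceName": "srv01", "ActionType": "AsrPsexecWmiChildProcessAudited",
     "FileName": "SHUTDOWN.EXE", "InitiatingProcessFileName": "PSEXESVC.exe"},
    {"DeviceName": "srv01", "ActionType": "ProcessCreatedUsingWmiQuery",
     "FileName": "cmd.exe", "InitiatingProcessFileName": "WmiPrvSE.exe"},
]


def matches_rule(event, case_insensitive_exclusion=False):
    """Mirror of the KQL predicate.

    KQL `startswith` is case-insensitive, so the prefix test lower-cases both
    sides. KQL `!=` is case-sensitive, so by default 'SHUTDOWN.EXE' is NOT
    excluded, exactly as in the original query. Pass
    case_insensitive_exclusion=True to emulate `FileName !~ "shutdown.exe"`.
    """
    action = event["ActionType"].lower()
    if not any(action.startswith(p.lower()) for p in ACTION_PREFIXES):
        return False
    name = event["FileName"]
    if case_insensitive_exclusion:
        return name.lower() != EXCLUDED_FILENAME
    return name != EXCLUDED_FILENAME


def run_query(events, **kwargs):
    """Apply the filter to an iterable of DeviceEvents-style dicts."""
    return [e for e in events if matches_rule(e, **kwargs)]


def summarize_by_parent(hits):
    """Rough equivalent of `summarize count() by DeviceName, InitiatingProcessFileName`."""
    return Counter((e["DeviceName"], e["InitiatingProcessFileName"]) for e in hits)


if __name__ == "__main__":
    hits = run_query(SAMPLE_EVENTS)
    for e in hits:
        print(e["DeviceName"], e["ActionType"],
              e["InitiatingProcessFileName"], "->", e["FileName"])
    print(summarize_by_parent(hits))
```

Against the sample rows the query returns three events: the audited `cmd.exe`, the warn-bypassed `powershell.exe`, and the upper-cased `SHUTDOWN.EXE` that the case-sensitive exclusion lets through. The blocked `rundll32.exe` is not returned because the query never selects `AsrPsexecWmiChildProcessBlocked`.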
# Notes

Explanation

Summary of the Query

This query is designed to detect child processes spawned by PsExec and WMI that the Attack Surface Reduction (ASR) rule either audited (rule running in audit mode) or warned on and the user bypassed, while excluding the commonly benign shutdown.exe.

Key Points:

  1. Purpose: To identify potentially malicious activity involving PsExec and WMI, which are tools often used by attackers for remote command execution and lateral movement within a network.
  2. Detection Criteria:
    • The query looks at DeviceEvents.
    • It filters events where the ActionType indicates that the ASR rule audited a PsExec/WMI child process or that a user bypassed its warn-mode prompt.
    • It excludes events where the FileName is shutdown.exe to avoid false positives from legitimate remote shutdown operations.
  3. Tags: The query is associated with tags like PsExec, WMI, Remote Execution, Lateral Movement, Attack Surface Reduction (ASR), and Suspicious Activity, indicating its focus on detecting remote execution and lateral movement activities.

Search Query Breakdown:

  • Data Source: DeviceEvents
  • Conditions:
    • ActionType starts with "AsrPsexecWmiChildProcessAudited" or "AsrPsexecWmiChildProcessWarnBypassed".
    • FileName is not "shutdown.exe".

Practical Use:

This query helps security teams monitor and identify unusual or unauthorized use of PsExec and WMI, which could indicate an ongoing attack or compromise within the network. Two caveats when tuning it: events where the rule actually blocked the child process (ActionType AsrPsexecWmiChildProcessBlocked) are not returned, and because != is case-sensitive in KQL, a FileName recorded as SHUTDOWN.EXE would not be excluded (use !~ for a case-insensitive exclusion).

Details


Ali Hussein

Released: July 15, 2024

Tables

DeviceEvents

Keywords

Devices

Operators

|, where, startswith, or, !=
