Query Details

Endpoint Impacket Wmi LMP

Query

name : Credential Access - Hunting for Impacket Wmiexec activity
description : 
- Several indicators help with hunting for "Impacket Wmiexec" activity
- Suspicious processes such as CMD.EXE or POWERSHELL.EXE running as a child process of WMIPRVSE.EXE are a red flag
- The CMD.EXE execution uses the parameters /Q /c
reference : 
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
table : 
- DeviceEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide
- DeviceProcessEvents
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
query : |
    //Case1
    DeviceEvents
    | where Timestamp > ago(7d)
    | where ActionType == "ProcessCreatedUsingWmiQuery"
    | where FileName == "cmd.exe"
    | where ProcessCommandLine contains "/Q /c"
    | project Timestamp, DeviceId, DeviceName, ActionType, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine


    //Case2
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessParentFileName == "WmiPrvSE.exe"
    | where InitiatingProcessFolderPath has "cmd.exe"
    | where InitiatingProcessCommandLine contains "/Q /c"
    | project Timestamp, DeviceId, DeviceName, ActionType, FolderPath, FileName, InitiatingProcessCommandLine, ProcessCommandLine


Explanation

This query hunts for "Impacket Wmiexec" activity. wmiexec.py runs commands on a remote host through WMI, so on the target each command appears as cmd.exe started by the WMI provider host, WmiPrvSE.exe, with the /Q /c switches. The query covers two cases:

Case 1: In the DeviceEvents table it looks for "ProcessCreatedUsingWmiQuery" events where the created process is cmd.exe and its command line contains "/Q /c". It returns the timestamp, device ID, device name, action type, folder path, file name, process command line and initiating process command line.

Case 2: In the DeviceProcessEvents table it looks for events where the parent of the initiating process is WmiPrvSE.exe, the initiating process path contains cmd.exe and the initiating process command line contains "/Q /c". Here the initiating process is the WMI-spawned cmd.exe itself, so each returned row is a process that cmd.exe went on to start, that is, the command that was actually run. It returns the same columns as Case 1. Together the two cases surface candidate "Impacket Wmiexec" activity for further investigation and mitigation.
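As an added example, not part of the original query page or of any Impacket or Microsoft code, the following Python re-implements both cases of the KQL above over a handful of constructed DeviceEvents and DeviceProcessEvents rows (the row dicts, device names and timestamps are made up; the column names are the ones the query uses). It models the KQL operator semantics the query relies on: `contains` and `has` are case-insensitive, while `==` on FileName is case-sensitive, so a `CMD.EXE` spelling slips past Case 1 as written; the `case_insensitive` switch shows what `=~` would change. The `1> \\127.0.0.1\ADMIN$\__...` redirection in one sample command line mirrors the output capture wmiexec uses, as described in the CrowdStrike post the page cites; the query does not key on it.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time; the KQL's ago(7d) is relative to query time.
NOW = datetime(2023, 3, 3, 12, 0, tzinfo=timezone.utc)

# The page projects the same column set in both cases (order aside).
CASE1_COLUMNS = ("Timestamp", "DeviceId", "DeviceName", "ActionType", "FolderPath",
                 "FileName", "ProcessCommandLine", "InitiatingProcessCommandLine")
CASE2_COLUMNS = CASE1_COLUMNS


def _row(hours_ago, **cols):
    """Build a constructed telemetry row with a timestamp relative to NOW."""
    base = {"Timestamp": NOW - timedelta(hours=hours_ago),
            "DeviceId": "dev-001", "DeviceName": "ws01"}
    base.update(cols)
    return base


# Constructed DeviceEvents rows (ActionType "ProcessCreatedUsingWmiQuery" is what Case 1 filters on).
DEVICE_EVENTS = [
    # wmiexec-style launch: cmd.exe created via WMI with /Q /c -> should match
    _row(2, ActionType="ProcessCreatedUsingWmiQuery",
         FolderPath=r"C:\Windows\System32\cmd.exe", FileName="cmd.exe",
         ProcessCommandLine=r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1677844800.1 2>&1",
         InitiatingProcessCommandLine="wmiprvse.exe -secured -Embedding"),
    # WMI-created cmd.exe without /Q /c (management tooling) -> no match
    _row(3, ActionType="ProcessCreatedUsingWmiQuery",
         FolderPath=r"C:\Windows\System32\cmd.exe", FileName="cmd.exe",
         ProcessCommandLine="cmd.exe /c inventory.bat",
         InitiatingProcessCommandLine="wmiprvse.exe -secured -Embedding"),
    # Same indicator but upper-case file name: KQL `==` is case-sensitive and misses it
    _row(4, ActionType="ProcessCreatedUsingWmiQuery",
         FolderPath=r"C:\Windows\System32\CMD.EXE", FileName="CMD.EXE",
         ProcessCommandLine="CMD.EXE /q /c ipconfig /all",
         InitiatingProcessCommandLine="wmiprvse.exe -secured -Embedding"),
    # Matching row that is 10 days old -> outside ago(7d), excluded
    _row(24 * 10, ActionType="ProcessCreatedUsingWmiQuery",
         FolderPath=r"C:\Windows\System32\cmd.exe", FileName="cmd.exe",
         ProcessCommandLine="cmd.exe /Q /c net user",
         InitiatingProcessCommandLine="wmiprvse.exe -secured -Embedding"),
]

# Constructed DeviceProcessEvents rows: children of the WMI-spawned cmd.exe.
DEVICE_PROCESS_EVENTS = [
    # Chain WmiPrvSE.exe -> cmd.exe /Q /c -> whoami.exe -> should match
    _row(2, ActionType="ProcessCreated", FolderPath=r"C:\Windows\System32\whoami.exe",
         FileName="whoami.exe", ProcessCommandLine="whoami",
         InitiatingProcessFolderPath=r"C:\Windows\System32\cmd.exe",
         InitiatingProcessCommandLine=r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1677844800.1 2>&1",
         InitiatingProcessParentFileName="WmiPrvSE.exe"),
    # cmd.exe under WmiPrvSE.exe but without /Q /c -> no match
    _row(3, ActionType="ProcessCreated", FolderPath=r"C:\Windows\System32\HOSTNAME.EXE",
         FileName="HOSTNAME.EXE", ProcessCommandLine="hostname",
         InitiatingProcessFolderPath=r"C:\Windows\System32\cmd.exe",
         InitiatingProcessCommandLine="cmd.exe /c hostname",
         InitiatingProcessParentFileName="WmiPrvSE.exe"),
    # /Q /c but the parent is explorer.exe (interactive user) -> no match
    _row(5, ActionType="ProcessCreated", FolderPath=r"C:\Windows\System32\ipconfig.exe",
         FileName="ipconfig.exe", ProcessCommandLine="ipconfig /all",
         InitiatingProcessFolderPath=r"C:\Windows\System32\cmd.exe",
         InitiatingProcessCommandLine="cmd.exe /Q /c ipconfig /all",
         InitiatingProcessParentFileName="explorer.exe"),
]


def kql_contains(haystack, needle):
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def kql_has(haystack, needle):
    """KQL `has` is a case-insensitive term match; for a file path a
    case-insensitive substring test is a close enough model here."""
    return kql_contains(haystack, needle)


def kql_eq(left, right, case_insensitive=False):
    """KQL `==` is case-sensitive; `=~` is its case-insensitive form."""
    return left.lower() == right.lower() if case_insensitive else left == right


def in_window(ts, now=NOW, days=7):
    """Timestamp > ago(7d)."""
    return ts > now - timedelta(days=days)


def project(row, columns):
    return {c: row[c] for c in columns}


def case1_wmi_created_cmd(events, now=NOW, case_insensitive=False):
    """Case 1: DeviceEvents rows where WMI created cmd.exe with /Q /c.
    case_insensitive=True models swapping the query's `==` for `=~`."""
    return [project(r, CASE1_COLUMNS) for r in events
            if in_window(r["Timestamp"], now)
            and r["ActionType"] == "ProcessCreatedUsingWmiQuery"
            and kql_eq(r["FileName"], "cmd.exe", case_insensitive)
            and kql_contains(r["ProcessCommandLine"], "/Q /c")]


def case2_commands_from_wmi_cmd(events, now=NOW):
    """Case 2: DeviceProcessEvents rows whose initiating process is a cmd.exe /Q /c
    spawned by WmiPrvSE.exe; each hit is a command the remote operator actually ran."""
    return [project(r, CASE2_COLUMNS) for r in events
            if in_window(r["Timestamp"], now)
            and r["InitiatingProcessParentFileName"] == "WmiPrvSE.exe"
            and kql_has(r["InitiatingProcessFolderPath"], "cmd.exe")
            and kql_contains(r["InitiatingProcessCommandLine"], "/Q /c")]


if __name__ == "__main__":
    for label, hits in (("Case 1 (== as written)", case1_wmi_created_cmd(DEVICE_EVENTS)),
                        ("Case 1 (=~)", case1_wmi_created_cmd(DEVICE_EVENTS, case_insensitive=True)),
                        ("Case 2", case2_commands_from_wmi_cmd(DEVICE_PROCESS_EVENTS))):
        print(f"{label}: {len(hits)} hit(s)")
        for h in hits:
            print("  ", h["DeviceName"], h["FileName"], h["ProcessCommandLine"])
```

Running it shows Case 1 returning one row as written and two with case-insensitive file-name matching, and Case 2 returning only the `whoami.exe` child of the WMI-spawned shell; the rows without `/Q /c`, with an `explorer.exe` parent, or older than seven days are dropped, which is the tuning a hunter would verify before deploying the query as an alert.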

Details

Kijo Girardi

Released: March 3, 2023

Tables

DeviceEvents, DeviceProcessEvents

Keywords

DeviceEvents,DeviceProcessEvents,Timestamp,ActionType,FileName,ProcessCommandLine,InitiatingProcessCommandLine

Operators

toscalar(), arg_max(), count(), mv-expand
