WMIC Remote Command Execution
WMIC Remote Command
Query
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
DeviceProcessEvents
| where FileName =~ "WMIC.exe"
// Extract IP Addresses from the commandline
| extend RemoteIP = extract(IPRegex, 0, ProcessCommandLine)
// Only select commandlines that have a remote IP
| where isnotempty(RemoteIP)
// Filter Localhost, more IPs can be added to this list if they generate false postives.
| where not( RemoteIP in ('127.0.0.1'))
| project TimeGenerated, DeviceName, ProcessCommandLine, RemoteIPAbout this query
Explanation
This query is designed to detect potentially malicious activity involving the use of the Windows Management Instrumentation Command-line (WMIC) tool. WMIC can be used by attackers to execute commands on remote systems, which is a technique associated with lateral movement within a network.
Here's a simple breakdown of what the query does:
-
Identify WMIC Usage: It looks for events where the
WMIC.exeprocess is executed on a device. -
Extract IP Addresses: The query extracts IP addresses from the command line arguments of the WMIC process. This is done using a regular expression that matches the pattern of an IP address.
-
Filter for Remote IPs: It filters out any command lines that do not contain an IP address, focusing only on those that do. This is because the presence of an IP address often indicates a remote connection attempt.
-
Exclude Localhost: The query specifically excludes the localhost IP address (
127.0.0.1) from the results, as this is not indicative of remote activity. -
Output Relevant Information: Finally, it outputs the timestamp, device name, command line, and remote IP address for each relevant event. This information can be used to investigate potential unauthorized remote command execution.
Overall, the query helps security teams identify and investigate suspicious use of WMIC for remote command execution, which could be indicative of an attack or unauthorized access attempt.
