This artifact the endpoints for process creation through WMI events. This is a common attacker lateral movement technique.
The technique works by calling the Create() method on the win32_process WMI object.
You can test this with powershell: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
This artifact uses the EWT provider: Microsoft-Windows-WMI-Activity {1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}
name: Windows.ETW.WMIProcessCreate
description: |
This artifact the endpoints for process creation through WMI
events. This is a common attacker lateral movement technique.
The technique works by calling the Create() method on the
win32_process WMI object.
You can test this with powershell:
Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
This artifact uses the EWT provider:
Microsoft-Windows-WMI-Activity {1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}
type: CLIENT_EVENT
sources:
- query: |
LET hits = SELECT
System.ID AS ID,
System.TimeStamp AS Timestamp,
get(member="EventData") AS EventData
FROM watch_etw(
description="Microsoft-Windows-WMI-Activity",
guid="{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}")
WHERE ID = 23
SELECT ID, Timestamp, EventData.ClientMachine AS Hostname,
{
SELECT Pid, Name, Exe from pslist(pid=int(int=EventData.ClientProcessId))
} AS ClientProcessInfo,
{
SELECT Pid, Name, Exe from pslist(pid=int(int=EventData.CreatedProcessId))
} AS CreatedProcessInfo,
timestamp(winfiletime=int(int=EventData.ClientProcessCreationTime)) AS ClientProcessCreationTime,
timestamp(winfiletime=int(int=EventData.CreatedProcessCreationTime)) AS CreatedProcessCreationTime,
EventData.Commandline AS Commandline,
EventData.User AS User
FROM hits