Closed DefSecSentinel closed 2 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Description
Threat actors can use WMI modules (rather than the usual WMI binaries) to execute WMI commands, bypassing monitoring that keys on traditional WMI activity (e.g. wmiprvse.exe or wmiapsrv.exe).
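To make the monitoring gap concrete, the following is an added example (not code from this issue or from the detection-rules project): a small detection pass over constructed, loosely ECS-shaped events that flags WMI use originating from a process other than the traditional WMI binaries named above. The flat field names, the list of WMI client DLLs and the list of PowerShell WMI/CIM cmdlets are assumptions made for the example.

```python
# Added example (not from the issue or the detection-rules project).
# Events are constructed, flat dicts with ECS-style keys; the DLL list and
# cmdlet list below are assumptions, not an authoritative catalogue.

# The "traditional" WMI processes that existing monitoring keys on (from the issue).
TRADITIONAL_WMI_PROCESSES = {"wmiprvse.exe", "wmiapsrv.exe"}

# Client-side WMI DLLs (assumed list): any process loading one of these is
# issuing WMI calls, whatever the process name is.
WMI_CLIENT_DLLS = {"wbemcomn.dll", "wbemprox.dll", "wbemsvc.dll",
                   "fastprox.dll", "wmiutils.dll"}

# Substrings in PowerShell script block text that indicate WMI/CIM usage
# without wmic.exe ever being spawned (assumed list, matched case-insensitively).
WMI_SCRIPT_MARKERS = ("get-wmiobject", "invoke-wmimethod", "get-ciminstance",
                      "invoke-cimmethod", "[wmiclass]", "[wmi]")


def classify(event):
    """Return a reason string when the event shows WMI use from a process
    outside TRADITIONAL_WMI_PROCESSES, otherwise None."""
    proc = event.get("process.name", "").lower()
    if proc in TRADITIONAL_WMI_PROCESSES:
        return None  # already covered by the traditional WMI rule
    # Signal 1: a WMI client DLL loaded by a non-WMI process.
    if event.get("event.category") == "library":
        dll = event.get("dll.name", "").lower()
        if dll in WMI_CLIENT_DLLS:
            return f"wmi client dll {dll} loaded by {proc}"
    # Signal 2: WMI/CIM cmdlets in PowerShell script block logging (event 4104).
    script = event.get("powershell.file.script_block_text", "").lower()
    for marker in WMI_SCRIPT_MARKERS:
        if marker in script:
            return f"wmi cmdlet {marker} in script block from {proc}"
    return None


def suspicious_wmi_events(events):
    """Return (host, process, reason) tuples for every flagged event."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            hits.append((ev.get("host.name", "?"), ev.get("process.name", "?").lower(), reason))
    return hits


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    {"host.name": "ws01", "event.category": "library",
     "process.name": "WmiPrvSE.exe", "dll.name": "wbemcomn.dll"},          # traditional, skipped
    {"host.name": "ws01", "event.category": "library",
     "process.name": "powershell.exe", "dll.name": "wbemprox.dll"},        # flagged
    {"host.name": "ws02", "event.category": "library",
     "process.name": "python.exe", "dll.name": "wbemcomn.dll"},            # flagged (e.g. a WMI module)
    {"host.name": "ws02", "event.category": "process",
     "process.name": "powershell.exe",
     "powershell.file.script_block_text": "Get-CimInstance Win32_OperatingSystem"},  # flagged
    {"host.name": "ws03", "event.category": "library",
     "process.name": "notepad.exe", "dll.name": "kernel32.dll"},           # benign
    {"host.name": "ws03", "event.category": "process",
     "process.name": "powershell.exe",
     "powershell.file.script_block_text": "Get-ChildItem C:\\Users"},      # benign
]

if __name__ == "__main__":
    for host, proc, reason in suspicious_wmi_events(SAMPLE_EVENTS):
        print(f"{host}: {proc}: {reason}")
```

The two signals are independent so that the DLL-load path still fires when script block logging is disabled, which is the usual reason module-based WMI activity slips past process-name-only rules.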
Required Info
Target indexes
logs-*, winlogbeat-*
Additional requirements
Target Operating Systems
windows
Platforms
Tested ECS Version
7.15.0
Optional Info
Query
New fields required in ECS/data sources for this rule?
Related issues or PRs
References
https://attack.mitre.org/techniques/T1047/
https://attack.mitre.org/techniques/T1518/
Example Data