Find Attacks Using Windows Management Instrumentation

Use these queries to hunt for malicious behavior associated with Windows Management Instrumentation (WMI).

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Wmiprvse.exe with an unsigned parent process

Use this request to find wmiprvse processes executed by an unsigned parent process.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "calculatedName",
                                            "values":
                                                      [
                                                        "wmiprvse.exe"
                                                      ],
                                            "filterType":"Equals"
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType":"Process",
                                                    "featureName":"parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "signatureVerificationStatusNotSignedEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid",
                                "iconBase64"
                              ]
            }'

Wmiprvse.exe with unsigned parent process executed by SYSTEM user

Use this request to find wmiprvse processes executed by an unsigned parent process that is executed by the SYSTEM user.

Child

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType":"User",
                              "filters": [
                                          {
                                            "facetName":"isLocalSystem",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "User",
                                                    "featureName": "processes"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "imageFileUnsignedEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "children"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName":"calculatedName",
                                            "values": [
                                                        "wmiprvse.exe"
                                                      ],
                                            "filterType":"Equals"
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid",
                                "iconBase64"
                               ]
            }'

Grandchild

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "User",
                              "filters": [
                                          {
                                            "facetName": "isLocalSystem",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "User",
                                                    "featureName": "processes"
                                                   }
                            },
                            {
                              "requestedType":"Process",
                              "filters": [
                                          {
                                            "facetName": "imageFileUnsignedEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "calculatedName",
                                            "values": [
                                                        "wmiprvse.exe"
                                                      ],
                                            "filterType":"Equals"
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid",
                                "iconBase64"
                              ]
            }'

Execution of unsigned child or grandchild process by wmic.exe

Use this request to search for unsigned child or grandchild processes executed by wmic.exe.

Children

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "imageFileUnsignedEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "calculatedName",
                                            "values": [
                                                        "wmic.exe"
                                                      ],
                                            "filterType": "Equals"
                                          }
                                         ],
                              "isResult": true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid",
                                "iconBase64"
                              ]
            }'

Grandchild

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "imageFileUnsignedEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "connectionFeature": {
                                                    "elementInstanceType": "Process",
                                                    "featureName": "parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "connectionFeature": {
                                                    "elementInstanceType":"Process",
                                                    "featureName":"parentProcess"
                                                   }
                            },
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName":"calculatedName",
                                            "values": [
                                                        "wmic.exe"
                                                      ],
                                            "filterType":"Equals"
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid",
                                "iconBase64"
                              ]
            }'
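The child and grandchild requests above differ only in the number of parentProcess hops between the unsigned process and the WMI binary. As an added example (not Cybereason's code and not part of this page), the Python below builds the same payloads from a few helpers, so each hunt becomes one function with a depth parameter instead of duplicated JSON, and larger depths generalise the two hand-written variants. The facet names, feature names, limits and customFields are taken from the requests on this page; the server address is a placeholder, and the optional session cookie in post_query is an assumption, since the page shows no authentication.

```python
"""Build the WMI-hunt visual-search payloads shown above programmatically.

Added example, not Cybereason's client code. Facet and feature names come
from the requests on this page; post_query's cookie handling is an assumption.
"""
import json
import urllib.request
from typing import Any, Optional

# customFields list copied from the requests above
CUSTOM_FIELDS = [
    "elementDisplayName", "ransomwareAutoRemediationSuspended",
    "executionPrevented", "creationTime", "endTime", "commandLine",
    "decodedCommandLine", "isImageFileSignedAndVerified", "productType",
    "children", "parentProcess", "ownerMachine", "imageFile",
    "calculatedUser", "pid", "iconBase64",
]


def name_filter(image_name: str) -> dict[str, Any]:
    """Exact match on a process's calculatedName, as in the page's queries."""
    return {"facetName": "calculatedName", "values": [image_name],
            "filterType": "Equals"}


def evidence_filter(facet: str) -> dict[str, Any]:
    """Boolean evidence facet (e.g. imageFileUnsignedEvidence) set to true."""
    return {"facetName": facet, "values": [True]}


def hop(requested_type: str, filters: Optional[list] = None,
        feature: Optional[str] = None, is_result: bool = False) -> dict[str, Any]:
    """One queryPath element; `feature` is the edge to the next element."""
    element: dict[str, Any] = {"requestedType": requested_type}
    if filters:
        element["filters"] = filters
    if feature:
        element["connectionFeature"] = {"elementInstanceType": requested_type,
                                        "featureName": feature}
    if is_result:
        element["isResult"] = True
    return element


def build_query(query_path: list) -> dict[str, Any]:
    """Wrap a queryPath with the limits and customFields used on this page."""
    return {"queryPath": query_path, "totalResultLimit": 1000,
            "perGroupLimit": 100, "perFeatureLimit": 100,
            "templateContext": "SPECIFIC", "queryTimeout": 120000,
            "customFields": CUSTOM_FIELDS}


def unsigned_descendants_of(parent_name: str, depth: int = 1) -> dict[str, Any]:
    """Unsigned process -> parentProcess (x depth) -> parent_name, as in the
    wmic.exe section: depth=1 is the Children request, depth=2 Grandchild."""
    if depth < 1:
        raise ValueError("depth must be >= 1")
    path = [hop("Process", [evidence_filter("imageFileUnsignedEvidence")],
                feature="parentProcess")]
    path += [hop("Process", feature="parentProcess") for _ in range(depth - 1)]
    path.append(hop("Process", [name_filter(parent_name)], is_result=True))
    return build_query(path)


def unsigned_ancestor_of(child_name: str, depth: int = 1) -> dict[str, Any]:
    """child_name -> parentProcess (x depth) -> unsigned process, as in the
    first wmiprvse.exe request (depth=1)."""
    if depth < 1:
        raise ValueError("depth must be >= 1")
    path = [hop("Process", [name_filter(child_name)], feature="parentProcess")]
    path += [hop("Process", feature="parentProcess") for _ in range(depth - 1)]
    path.append(hop("Process",
                    [evidence_filter("signatureVerificationStatusNotSignedEvidence")],
                    is_result=True))
    return build_query(path)


def system_unsigned_parent_of(child_name: str) -> dict[str, Any]:
    """SYSTEM user -> processes -> unsigned process -> children -> child_name,
    the Child request in the SYSTEM-user section."""
    return build_query([
        hop("User", [evidence_filter("isLocalSystem")], feature="processes"),
        hop("Process", [evidence_filter("imageFileUnsignedEvidence")],
            feature="children"),
        hop("Process", [name_filter(child_name)], is_result=True),
    ])


def post_query(server: str, payload: dict, session_cookie: Optional[str] = None) -> Any:
    """POST to /rest/visualsearch/query/simple and return the parsed JSON.
    The Cookie header is an assumption; the page shows no authentication."""
    req = urllib.request.Request(
        f"{server}/rest/visualsearch/query/simple",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    if session_cookie:
        req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req, timeout=130) as resp:  # > queryTimeout
        return json.load(resp)


if __name__ == "__main__":
    # Emits the same body as the wmic.exe "Grandchild" request above.
    print(json.dumps(unsigned_descendants_of("wmic.exe", depth=2), indent=2))
```

Running the script prints the depth-2 wmic.exe payload so it can be diffed against the curl body above before you point post_query at a real server (for example, `post_query("https://12.34.56.78", unsigned_ancestor_of("wmiprvse.exe"), session_cookie="JSESSIONID=...")`, where the cookie name is a placeholder).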