Find Attacks Using Windows Management Instrumentation
Use these queries to hunt for malicious behavior associated with Windows Management Instrumentation (WMI).
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.
In this topic:
Wmiprvse.exe with an unsigned parent process
Use this request to find wmiprvse processes executed by an unsigned parent process.
Request
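# Query: wmiprvse.exe processes whose parent process is unsigned. The second
# element carries "isResult", so the rows returned are the unsigned parents.
# Replace 12.34.56.78 with your server. The endpoint only answers for an
# authenticated session: log in first (the Python example on this page posts
# the credentials to /login.html) and pass the resulting session cookie with
# --cookie. Do not add --insecure to get past a certificate error; install the
# server's CA certificate instead, so the session cookie only travels over a
# verified TLS connection.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--cookie cookies.txt \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values":
[
"wmiprvse.exe"
],
"filterType":"Equals"
}
],
"connectionFeature": {
"elementInstanceType":"Process",
"featureName":"parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "signatureVerificationStatusNotSignedEvidence",
"values": [
true
]
}
],
"isResult":true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}'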
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmiprvse.exe"
],
"filterType": "Equals"
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "signatureVerificationStatusNotSignedEvidence",
"values": [
true
]
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
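import requests
import json
import os

# Login information.
# The literals below are placeholders. Each one is overridden by the matching
# environment variable when it is set, so a real password does not have to be
# written into the script (where it would end up in backups and version control).
username = os.environ.get("API_USERNAME", "[email protected]")
password = os.environ.get("API_PASSWORD", "mypassword")
server = os.environ.get("API_SERVER", "myserver.com")
port = os.environ.get("API_PORT", "443")
# Client-side wait in seconds. It is kept above the 120 s "queryTimeout" sent
# in the query body so that a slow but successful search is not abandoned by
# the client first; without any timeout a stalled connection hangs forever.
request_timeout = 150

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = f"https://{server}:{port}"
login_url = base_url + "/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "Process"
query_element_1_filter = "calculatedName"
query_element_1_filter_value = "wmiprvse.exe"
linking_element = "Process"
linking_feature = "parentProcess"
query_element_2 = "Process"
query_element_2_filter = "signatureVerificationStatusNotSignedEvidence"

# Element 1 selects wmiprvse.exe and follows its parentProcess link; element 2
# carries "isResult", so the rows returned are the unsigned parent processes.
query_body = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [query_element_1_filter_value],
                    "filterType": "Equals",
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [True],
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "ransomwareAutoRemediationSuspended",
        "executionPrevented",
        "creationTime",
        "endTime",
        "commandLine",
        "decodedCommandLine",
        "isImageFileSignedAndVerified",
        "productType",
        "children",
        "parentProcess",
        "ownerMachine",
        "imageFile",
        "calculatedUser",
        "pid",
    ],
}


def login(session):
    """Post the credentials to the login page so *session* holds its cookies.

    Args:
        session: the requests session that later carries the query call.

    Raises:
        requests.HTTPError: if the login endpoint answers with an error status.
    """
    # verify=True keeps certificate checking on; the credentials travel in this
    # request, so it must not be relaxed to get past a bad certificate.
    login_response = session.post(
        login_url, data=data, verify=True, timeout=request_timeout
    )
    # Stop on a failed login instead of letting the query call fail later with
    # a less obvious error.
    login_response.raise_for_status()
    print(login_response.status_code)
    # Echo only the cookie names: the values are the session token, and
    # printing them would copy that credential into terminal history and logs.
    print([name for name, _ in session.cookies.items()])


def run_query(session):
    """Send the query with the authenticated *session* and return the reply.

    Returns:
        The decoded JSON response body.

    Raises:
        requests.HTTPError: if the query endpoint answers with an error status.
        ValueError: if the response body is not JSON.
    """
    api_response = session.post(
        api_url, data=json.dumps(query_body), headers=headers, timeout=request_timeout
    )
    api_response.raise_for_status()
    return api_response.json()


def main():
    """Log in, run the query and print the response as indented JSON."""
    with requests.Session() as session:
        login(session)
        your_response = run_query(session)
        print(json.dumps(your_response, indent=4, sort_keys=True))


if __name__ == "__main__":
    main()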
Wmiprvse.exe with unsigned parent process executed by SYSTEM user
Use this request to find wmiprvse processes executed by an unsigned parent process that was itself executed by the SYSTEM user.
Child
Request
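# Query: wmiprvse.exe started by an unsigned process that runs as the local
# SYSTEM user. The chain is User (isLocalSystem) -> processes -> unsigned
# Process -> children -> wmiprvse.exe; the last element carries "isResult".
# Replace 12.34.56.78 with your server. The endpoint only answers for an
# authenticated session: log in first (the Python example on this page posts
# the credentials to /login.html) and pass the resulting session cookie with
# --cookie. Do not add --insecure to get past a certificate error; install the
# server's CA certificate instead.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--cookie cookies.txt \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType":"User",
"filters": [
{
"facetName":"isLocalSystem",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "User",
"featureName": "processes"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "children"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName":"calculatedName",
"values": [
"wmiprvse.exe"
],
"filterType":"Equals"
}
],
"isResult":true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}'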
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "User",
"filters": [
{
"facetName": "isLocalSystem",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "User",
"featureName": "processes"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "children"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmiprvse.exe"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
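import requests
import json
import os

# Login information.
# The literals below are placeholders. Each one is overridden by the matching
# environment variable when it is set, so a real password does not have to be
# written into the script (where it would end up in backups and version control).
username = os.environ.get("API_USERNAME", "[email protected]")
password = os.environ.get("API_PASSWORD", "mypassword")
server = os.environ.get("API_SERVER", "yourserver.com")
port = os.environ.get("API_PORT", "443")
# Client-side wait in seconds. It is kept above the 120 s "queryTimeout" sent
# in the query body so that a slow but successful search is not abandoned by
# the client first; without any timeout a stalled connection hangs forever.
request_timeout = 150

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = f"https://{server}:{port}"
login_url = base_url + "/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "User"
query_element_1_filter = "isLocalSystem"
linking_element = "User"
linking_feature = "processes"
query_element_2 = "Process"
query_element_2_filter = "imageFileUnsignedEvidence"
linking_element_2 = "Process"
linking_feature_2 = "children"
query_element_3 = "Process"
query_element_3_filter = "calculatedName"
query_element_3_filter_value = "wmiprvse.exe"

# Chain: the local SYSTEM user -> its processes (unsigned only) -> their
# children. Element 3 carries "isResult", so the rows returned are the
# wmiprvse.exe processes.
query_body = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [True],
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [True],
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element_2,
                "featureName": linking_feature_2,
            },
        },
        {
            "requestedType": query_element_3,
            "filters": [
                {
                    "facetName": query_element_3_filter,
                    "values": [query_element_3_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "ransomwareAutoRemediationSuspended",
        "executionPrevented",
        "creationTime",
        "endTime",
        "commandLine",
        "decodedCommandLine",
        "isImageFileSignedAndVerified",
        "productType",
        "children",
        "parentProcess",
        "ownerMachine",
        "imageFile",
        "calculatedUser",
        "pid",
    ],
}


def login(session):
    """Post the credentials to the login page so *session* holds its cookies.

    Args:
        session: the requests session that later carries the query call.

    Raises:
        requests.HTTPError: if the login endpoint answers with an error status.
    """
    # verify=True keeps certificate checking on; the credentials travel in this
    # request, so it must not be relaxed to get past a bad certificate.
    login_response = session.post(
        login_url, data=data, verify=True, timeout=request_timeout
    )
    # Stop on a failed login instead of letting the query call fail later with
    # a less obvious error.
    login_response.raise_for_status()
    print(login_response.status_code)
    # Echo only the cookie names: the values are the session token, and
    # printing them would copy that credential into terminal history and logs.
    print([name for name, _ in session.cookies.items()])


def run_query(session):
    """Send the query with the authenticated *session* and return the reply.

    Returns:
        The decoded JSON response body.

    Raises:
        requests.HTTPError: if the query endpoint answers with an error status.
        ValueError: if the response body is not JSON.
    """
    api_response = session.post(
        api_url, data=json.dumps(query_body), headers=headers, timeout=request_timeout
    )
    api_response.raise_for_status()
    return api_response.json()


def main():
    """Log in, run the query and print the response as indented JSON."""
    with requests.Session() as session:
        login(session)
        your_response = run_query(session)
        print(json.dumps(your_response, indent=4, sort_keys=True))


if __name__ == "__main__":
    main()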
Grandchild
Request
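# Query: User (isLocalSystem) -> processes -> unsigned Process -> parentProcess
# -> Process -> parentProcess -> wmiprvse.exe, which carries "isResult".
# NOTE(review): because this chain follows parentProcess twice, the
# wmiprvse.exe rows returned are the grandparent of the unsigned SYSTEM
# process, whereas the "Child" variant above follows the children feature.
# Confirm that this is the intended direction for a "Grandchild" hunt.
# Replace 12.34.56.78 with your server. The endpoint only answers for an
# authenticated session: log in first (the Python example on this page posts
# the credentials to /login.html) and pass the resulting session cookie with
# --cookie. Do not add --insecure to get past a certificate error; install the
# server's CA certificate instead.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--cookie cookies.txt \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "User",
"filters": [
{
"facetName": "isLocalSystem",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "User",
"featureName": "processes"
}
},
{
"requestedType":"Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmiprvse.exe"
],
"filterType":"Equals"
}
],
"isResult":true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}'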
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "User",
"filters": [
{
"facetName": "isLocalSystem",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "User",
"featureName": "processes"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmiprvse.exe"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
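import requests
import json
import os

# Login information.
# The literals below are placeholders. Each one is overridden by the matching
# environment variable when it is set, so a real password does not have to be
# written into the script (where it would end up in backups and version control).
username = os.environ.get("API_USERNAME", "[email protected]")
password = os.environ.get("API_PASSWORD", "mypassword")
server = os.environ.get("API_SERVER", "yourserver.com")
port = os.environ.get("API_PORT", "443")
# Client-side wait in seconds. It is kept above the 120 s "queryTimeout" sent
# in the query body so that a slow but successful search is not abandoned by
# the client first; without any timeout a stalled connection hangs forever.
request_timeout = 150

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = f"https://{server}:{port}"
login_url = base_url + "/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "User"
query_element_1_filter = "isLocalSystem"
linking_element = "User"
linking_feature = "processes"
query_element_2 = "Process"
query_element_2_filter = "imageFileUnsignedEvidence"
linking_element_2 = "Process"
linking_feature_2 = "parentProcess"
query_element_3 = "Process"
linking_element_3 = "Process"
linking_feature_3 = "parentProcess"
query_element_4 = "Process"
query_element_4_filter = "calculatedName"
query_element_4_filter_value = "wmiprvse.exe"

# Chain: the local SYSTEM user -> its processes (unsigned only) -> their parent
# -> that parent's parent. Element 4 carries "isResult", so the rows returned
# are wmiprvse.exe processes.
# NOTE(review): following parentProcess twice makes wmiprvse.exe the
# grandparent of the unsigned process, while the "Child" variant of this hunt
# follows the children feature; confirm that this is the intended direction.
query_body = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [True],
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [True],
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element_2,
                "featureName": linking_feature_2,
            },
        },
        {
            # Unfiltered hop: any process sitting between the unsigned process
            # and the wmiprvse.exe result.
            "requestedType": query_element_3,
            "connectionFeature": {
                "elementInstanceType": linking_element_3,
                "featureName": linking_feature_3,
            },
        },
        {
            "requestedType": query_element_4,
            "filters": [
                {
                    "facetName": query_element_4_filter,
                    "values": [query_element_4_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "ransomwareAutoRemediationSuspended",
        "executionPrevented",
        "creationTime",
        "endTime",
        "commandLine",
        "decodedCommandLine",
        "isImageFileSignedAndVerified",
        "productType",
        "children",
        "parentProcess",
        "ownerMachine",
        "imageFile",
        "calculatedUser",
        "pid",
    ],
}


def login(session):
    """Post the credentials to the login page so *session* holds its cookies.

    Args:
        session: the requests session that later carries the query call.

    Raises:
        requests.HTTPError: if the login endpoint answers with an error status.
    """
    # verify=True keeps certificate checking on; the credentials travel in this
    # request, so it must not be relaxed to get past a bad certificate.
    login_response = session.post(
        login_url, data=data, verify=True, timeout=request_timeout
    )
    # Stop on a failed login instead of letting the query call fail later with
    # a less obvious error.
    login_response.raise_for_status()
    print(login_response.status_code)
    # Echo only the cookie names: the values are the session token, and
    # printing them would copy that credential into terminal history and logs.
    print([name for name, _ in session.cookies.items()])


def run_query(session):
    """Send the query with the authenticated *session* and return the reply.

    Returns:
        The decoded JSON response body.

    Raises:
        requests.HTTPError: if the query endpoint answers with an error status.
        ValueError: if the response body is not JSON.
    """
    api_response = session.post(
        api_url, data=json.dumps(query_body), headers=headers, timeout=request_timeout
    )
    api_response.raise_for_status()
    return api_response.json()


def main():
    """Log in, run the query and print the response as indented JSON."""
    with requests.Session() as session:
        login(session)
        your_response = run_query(session)
        print(json.dumps(your_response, indent=4, sort_keys=True))


if __name__ == "__main__":
    main()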
Execution of unsigned child or grandchild process by wmic.exe
Use this request to search for unsigned child or grandchild processes executed by wmic.exe.
Children
Request
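# Query: unsigned Process -> parentProcess -> wmic.exe. The wmic.exe element
# carries "isResult", so the rows returned are the wmic.exe parents, not the
# unsigned children themselves.
# Replace 12.34.56.78 with your server. The endpoint only answers for an
# authenticated session: log in first (the Python example on this page posts
# the credentials to /login.html) and pass the resulting session cookie with
# --cookie. Do not add --insecure to get past a certificate error; install the
# server's CA certificate instead.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--cookie cookies.txt \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmic.exe"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}'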
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmic.exe"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid"
]
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
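import requests
import json
import os

# Login information.
# The literals below are placeholders. Each one is overridden by the matching
# environment variable when it is set, so a real password does not have to be
# written into the script (where it would end up in backups and version control).
username = os.environ.get("API_USERNAME", "[email protected]")
password = os.environ.get("API_PASSWORD", "mypassword")
server = os.environ.get("API_SERVER", "yourserver.com")
port = os.environ.get("API_PORT", "443")
# Client-side wait in seconds. It is kept above the 120 s "queryTimeout" sent
# in the query body so that a slow but successful search is not abandoned by
# the client first; without any timeout a stalled connection hangs forever.
request_timeout = 150

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = f"https://{server}:{port}"
login_url = base_url + "/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "Process"
query_element_1_filter = "imageFileUnsignedEvidence"
linking_element = "Process"
linking_feature = "parentProcess"
query_element_2 = "Process"
query_element_2_filter = "calculatedName"
query_element_2_filter_value = "wmic.exe"

# Element 1 selects unsigned processes and follows their parentProcess link;
# element 2 carries "isResult", so the rows returned are the wmic.exe parents.
query_body = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [True],
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            "requestedType": query_element_2,
            "filters": [
                {
                    "facetName": query_element_2_filter,
                    "values": [query_element_2_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "ransomwareAutoRemediationSuspended",
        "executionPrevented",
        "creationTime",
        "endTime",
        "commandLine",
        "decodedCommandLine",
        "isImageFileSignedAndVerified",
        "productType",
        "children",
        "parentProcess",
        "ownerMachine",
        "imageFile",
        "calculatedUser",
        "pid",
    ],
}


def login(session):
    """Post the credentials to the login page so *session* holds its cookies.

    Args:
        session: the requests session that later carries the query call.

    Raises:
        requests.HTTPError: if the login endpoint answers with an error status.
    """
    # verify=True keeps certificate checking on; the credentials travel in this
    # request, so it must not be relaxed to get past a bad certificate.
    login_response = session.post(
        login_url, data=data, verify=True, timeout=request_timeout
    )
    # Stop on a failed login instead of letting the query call fail later with
    # a less obvious error.
    login_response.raise_for_status()
    print(login_response.status_code)
    # Echo only the cookie names: the values are the session token, and
    # printing them would copy that credential into terminal history and logs.
    print([name for name, _ in session.cookies.items()])


def run_query(session):
    """Send the query with the authenticated *session* and return the reply.

    Returns:
        The decoded JSON response body.

    Raises:
        requests.HTTPError: if the query endpoint answers with an error status.
        ValueError: if the response body is not JSON.
    """
    api_response = session.post(
        api_url, data=json.dumps(query_body), headers=headers, timeout=request_timeout
    )
    api_response.raise_for_status()
    return api_response.json()


def main():
    """Log in, run the query and print the response as indented JSON."""
    with requests.Session() as session:
        login(session)
        your_response = run_query(session)
        print(json.dumps(your_response, indent=4, sort_keys=True))


if __name__ == "__main__":
    main()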
Grandchild
Request
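# Query: unsigned Process -> parentProcess -> Process (unfiltered hop) ->
# parentProcess -> wmic.exe. The wmic.exe element carries "isResult", so the
# rows returned are the wmic.exe grandparents of the unsigned process.
# Replace 12.34.56.78 with your server. The endpoint only answers for an
# authenticated session: log in first (the Python example on this page posts
# the credentials to /login.html) and pass the resulting session cookie with
# --cookie. Do not add --insecure to get past a certificate error; install the
# server's CA certificate instead.
curl --request POST \
--url https://12.34.56.78/rest/visualsearch/query/simple \
--cookie cookies.txt \
--header 'Content-Type: application/json' \
--data '{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"connectionFeature": {
"elementInstanceType":"Process",
"featureName":"parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName":"calculatedName",
"values": [
"wmic.exe"
],
"filterType":"Equals"
}
],
"isResult":true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}'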
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
Use this request body:
{
"queryPath": [
{
"requestedType": "Process",
"filters": [
{
"facetName": "imageFileUnsignedEvidence",
"values": [
true
]
}
],
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"connectionFeature": {
"elementInstanceType": "Process",
"featureName": "parentProcess"
}
},
{
"requestedType": "Process",
"filters": [
{
"facetName": "calculatedName",
"values": [
"wmic.exe"
],
"filterType": "Equals"
}
],
"isResult": true
}
],
"totalResultLimit": 1000,
"perGroupLimit": 100,
"perFeatureLimit": 100,
"templateContext": "SPECIFIC",
"queryTimeout": 120000,
"customFields": [
"elementDisplayName",
"ransomwareAutoRemediationSuspended",
"executionPrevented",
"creationTime",
"endTime",
"commandLine",
"decodedCommandLine",
"isImageFileSignedAndVerified",
"productType",
"children",
"parentProcess",
"ownerMachine",
"imageFile",
"calculatedUser",
"pid",
"iconBase64"
]
}
Request
Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.
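import requests
import json
import os

# Login information.
# The literals below are placeholders. Each one is overridden by the matching
# environment variable when it is set, so a real password does not have to be
# written into the script (where it would end up in backups and version control).
username = os.environ.get("API_USERNAME", "[email protected]")
password = os.environ.get("API_PASSWORD", "mypassword")
server = os.environ.get("API_SERVER", "yourserver.com")
port = os.environ.get("API_PORT", "443")
# Client-side wait in seconds. It is kept above the 120 s "queryTimeout" sent
# in the query body so that a slow but successful search is not abandoned by
# the client first; without any timeout a stalled connection hangs forever.
request_timeout = 150

data = {
    "username": username,
    "password": password
}
headers = {"Content-Type": "application/json"}
base_url = f"https://{server}:{port}"
login_url = base_url + "/login.html"

# Request URL
endpoint_url = "/rest/visualsearch/query/simple"
api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.
query_element_1 = "Process"
query_element_1_filter = "imageFileUnsignedEvidence"
linking_element = "Process"
linking_feature = "parentProcess"
query_element_2 = "Process"
linking_element_2 = "Process"
linking_feature_2 = "parentProcess"
query_element_3 = "Process"
query_element_3_filter = "calculatedName"
query_element_3_filter_value = "wmic.exe"

# Chain: unsigned process -> its parent (any process) -> that parent's parent.
# Element 3 carries "isResult", so the rows returned are the wmic.exe
# grandparents of the unsigned process.
query_body = {
    "queryPath": [
        {
            "requestedType": query_element_1,
            "filters": [
                {
                    "facetName": query_element_1_filter,
                    "values": [True],
                }
            ],
            "connectionFeature": {
                "elementInstanceType": linking_element,
                "featureName": linking_feature,
            },
        },
        {
            # Unfiltered hop: any process sitting between the unsigned process
            # and the wmic.exe result.
            "requestedType": query_element_2,
            "connectionFeature": {
                "elementInstanceType": linking_element_2,
                "featureName": linking_feature_2,
            },
        },
        {
            "requestedType": query_element_3,
            "filters": [
                {
                    "facetName": query_element_3_filter,
                    "values": [query_element_3_filter_value],
                    "filterType": "Equals",
                }
            ],
            "isResult": True,
        },
    ],
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
        "elementDisplayName",
        "ransomwareAutoRemediationSuspended",
        "executionPrevented",
        "creationTime",
        "endTime",
        "commandLine",
        "decodedCommandLine",
        "isImageFileSignedAndVerified",
        "productType",
        "children",
        "parentProcess",
        "ownerMachine",
        "imageFile",
        "calculatedUser",
        "pid",
    ],
}


def login(session):
    """Post the credentials to the login page so *session* holds its cookies.

    Args:
        session: the requests session that later carries the query call.

    Raises:
        requests.HTTPError: if the login endpoint answers with an error status.
    """
    # verify=True keeps certificate checking on; the credentials travel in this
    # request, so it must not be relaxed to get past a bad certificate.
    login_response = session.post(
        login_url, data=data, verify=True, timeout=request_timeout
    )
    # Stop on a failed login instead of letting the query call fail later with
    # a less obvious error.
    login_response.raise_for_status()
    print(login_response.status_code)
    # Echo only the cookie names: the values are the session token, and
    # printing them would copy that credential into terminal history and logs.
    print([name for name, _ in session.cookies.items()])


def run_query(session):
    """Send the query with the authenticated *session* and return the reply.

    Returns:
        The decoded JSON response body.

    Raises:
        requests.HTTPError: if the query endpoint answers with an error status.
        ValueError: if the response body is not JSON.
    """
    api_response = session.post(
        api_url, data=json.dumps(query_body), headers=headers, timeout=request_timeout
    )
    api_response.raise_for_status()
    return api_response.json()


def main():
    """Log in, run the query and print the response as indented JSON."""
    with requests.Session() as session:
        login(session)
        your_response = run_query(session)
        print(json.dumps(your_response, indent=4, sort_keys=True))


if __name__ == "__main__":
    main()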