Deployable detection rules
1 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
1 shown of 1Windows Process Commandline Discovery
The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` Processes.process= "* process *" Processes.process= "* get *" Processes.process= "*CommandLine*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_commandline_discovery_filter`Showing 1-1 of 1