Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dev-0270 WMIC Discovery

Dev-0270 WMIC Discovery

Back
Id6b652b4f-9810-4eec-9027-7aa88ce4db23
RulenameDev-0270 WMIC Discovery
DescriptionThe query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.
SeverityHigh
TacticsDiscovery
TechniquesT1482
Required data connectorsMicrosoftThreatProtection
SecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml
Version1.0.4
Arm template6b652b4f-9810-4eec-9027-7aa88ce4db23.json
Deploy To Azure
(union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe"
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
),
(DeviceProcessEvents 
| where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe"
| extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Dev-0270 WMIC  Discovery
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml
queryPeriod: 6h
severity: High
tags:
- Dev-0270
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountNTDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
queryFrequency: 6h
relevantTechniques:
- T1482
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
- dataTypes:
  - SecurityEvent
  connectorId: WindowsSecurityEvents
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
description: |
    'The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.'
tactics:
- Discovery
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe"
  | project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
  ),
  (DeviceProcessEvents 
  | where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe"
  | extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
  )
  )
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])  
id: 6b652b4f-9810-4eec-9027-7aa88ce4db23
version: 1.0.4

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b652b4f-9810-4eec-9027-7aa88ce4db23')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b652b4f-9810-4eec-9027-7aa88ce4db23')]",
      "properties": {
        "alertRuleTemplateName": "6b652b4f-9810-4eec-9027-7aa88ce4db23",
        "customDetails": null,
        "description": "'The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.'\n",
        "displayName": "Dev-0270 WMIC  Discovery",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml",
        "query": "(union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where CommandLine has \"wmic computersystem get domain\" and ParentProcessName has \"dllhost.exe\"\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\n),\n(DeviceProcessEvents \n| where ProcessCommandLine has \"wmic computersystem get domain\" and InitiatingProcessFileName =~ \"dllhost.exe\" and InitiatingProcessCommandLine has \"dllhost.exe\"\n| extend Account = strcat(InitiatingProcessAccountDomain, @'\\', InitiatingProcessAccountName), Computer = DeviceName\n)\n)\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, @'\\')[1]), AccountNTDomain = tostring(split(Account, @'\\')[0])\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "tags": [
          "Dev-0270"
        ],
        "techniques": [
          "T1482"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}