Dev-0270 WMIC Discovery
| Id | 6b652b4f-9810-4eec-9027-7aa88ce4db23 |
| Rulename | Dev-0270 WMIC Discovery |
| Description | The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment. |
| Severity | High |
| Tactics | Discovery |
| Techniques | T1482 |
| Required data connectors | MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents |
| Kind | Scheduled |
| Query frequency | 6h |
| Query period | 6h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml |
| Version | 1.0.4 |
| Arm template | 6b652b4f-9810-4eec-9027-7aa88ce4db23.json |
(union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe"
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
),
(DeviceProcessEvents
| where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe"
| extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
tags:
- Dev-0270
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Account
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountNTDomain
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
tactics:
- Discovery
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
- dataTypes:
- SecurityEvent
connectorId: WindowsSecurityEvents
- dataTypes:
- DeviceProcessEvents
connectorId: MicrosoftThreatProtection
id: 6b652b4f-9810-4eec-9027-7aa88ce4db23
severity: High
status: Available
query: |
(union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where CommandLine has "wmic computersystem get domain" and ParentProcessName has "dllhost.exe"
| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
),
(DeviceProcessEvents
| where ProcessCommandLine has "wmic computersystem get domain" and InitiatingProcessFileName =~ "dllhost.exe" and InitiatingProcessCommandLine has "dllhost.exe"
| extend Account = strcat(InitiatingProcessAccountDomain, @'\', InitiatingProcessAccountName), Computer = DeviceName
)
)
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev 0270 Detection and Hunting/Analytic Rules/Dev-0270WMICDiscoverySep2022.yaml
kind: Scheduled
queryPeriod: 6h
version: 1.0.4
name: Dev-0270 WMIC Discovery
queryFrequency: 6h
triggerThreshold: 0
relevantTechniques:
- T1482
description: |
'The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.'
triggerOperator: gt