Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

8 alerts match the current filters. technique: T1047 ✕

Show ATT&CK heatmap
  • Command execution via wmiexec Informational

    Attackers may use WMI to execute commands on the target host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Execute commands on the victim host.
    Investigative actions: Correlate the RPC call from the source host and understand which process initiated it.
  • DSC (Desired State Configuration) lateral movement using PowerShell Informational 3 variations

    An attacker is using the DSC feature with PowerShell to remotely modify / execute content / components on the machine.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Hour
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Remote Services: Windows Remote Management (T1021.006)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Execute malicious content on and move laterally across machine in the network.
    Investigative actions: Search for suspicious WinRM sessions and the user created them, can be found at Event ID: 4102. Additionally, search for the DSC resource executed and related IOC, can be found at Event IDs: 400 or 4104.

    Variations

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a script

    High overridden

    An attacker may use the DSC feature with PowerShell to execute script remotely on a machine. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to execute a new service

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create and execute a service on the host. overridden

    DSC (Desired State Configuration) lateral movement using PowerShell to modify the registry

    Medium overridden

    An attacker may use the DSC feature with PowerShell to create/modify/dump registry keys/values. overridden

  • Potential SCCM credential harvesting using WMI detected Low 3 variations

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Credential Access (TA0006)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Unsecured Credentials (T1552)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Microsoft SCCM Analytics
    Attacker's goals: Obtain credentials used by the SCCM service.
    Investigative actions: Examine the process that executed the WMI query and the CGO and verify that the processes are from a trusted source. Inspect the system for malicious activity that is related to that process.

    Variations

    Potential SCCM credential harvesting using WMI detected from a remote machine

    Medium overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential SCCM inventory query using WMI detected

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

    Potential Enumeration of SCCM User, Device, and Deployment Data via WMI

    Low overridden

    Attackers or malware may use WMI queries to obtain domain credentials that are used by the SCCM. overridden

  • Remote command execution via wmic.exe Low 1 variation

    Remote command execution using the Windows Management Instrumentation command-line tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: The attacker is expanding his reach into your network by executing commands on a remote endpoint.
    Investigative actions: Examine Alert Details > Overview to identify the source endpoint, process running the command execution, process owner, and execution destination.

    Variations

    Remote command execution via wmic.exe

    Medium overridden

    Remote command execution using the Windows Management Instrumentation command-line tool. overridden

  • Scrcons.exe Rare Child Process Informational 1 variation

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Windows Management Instrumentation (T1047) Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
    Required data: XDR Agent
    Attacker's goals: The attacker is trying to gain Persistence via WMI script registration.
    Investigative actions: Search for any executions of the Managed Object Format (MOF) compiler mofcomp.exe and review the process that ran it. Review registered WMI ActiveScriptEventConsumer by running "WMIC /namespace:\\root\default path ActiveScriptEventConsumer get ".

    Variations

    Scrcons.exe Rare Child Process

    Medium overridden

    The Windows Management Instrumentation (WMI) standard event consumer scrcons.exe executed a rare VBScript or PowerShell script. Executing a rare script can be an indication of local or remote code execution abuse by an attacker. overridden

  • System profiling WMI query execution Informational

    Attackers or malware may use WMI queries to identify the system and evade execution in sandbox environments.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Information Discovery (T1082)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to identify system components and prevent execution in sandbox \ virtualized environments to evade detection.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.
  • User discovery via WMI query execution Informational 3 variations

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Windows Management Instrumentation (T1047) System Owner/User Discovery (T1033) Account Discovery (T1087)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Attacker's goals: Attacker or malware can use WMI queries to discover host users and enumerate a huge amount of information.
    Investigative actions: Examine the process that executed the WMI query and verify that the process is from a trusted source. Inspect the system for suspicious activity that is related to that process.

    Variations

    User discovery via WMI query execution by an unsigned process

    Low overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

    User modification via WMIC query execution

    Low overridden

    Attackers or malware may use WMI queries to modify the users of a host, and potentially its owner. overridden

    User discovery via WMIC query execution

    Informational overridden

    Attackers or malware may use WMI queries to list the users of a host, and potentially its owner. overridden

  • WmiPrvSe.exe Rare Child Command Line Low 1 variation

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
    Required data: XDR Agent
    Attacker's goals: Gain code execution on a remote host.
    Investigative actions: Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators. Correlate the RPC call from the source host and understand what initiated it.

    Variations

    WmiPrvSe.exe Rare Child Command Line

    Medium overridden

    A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker. overridden