WmiPrvSe.exe Rare Child Command Line

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
ATT&CK Tactic	Lateral Movement (TA0008) Execution (TA0002)
ATT&CK Technique	Remote Services (T1021) Remote Services: Windows Remote Management (T1021.006) Windows Management Instrumentation (T1047)
Severity	Low

Description

A remote WMI command executed a binary proxy, the Windows Management Instrumentation (WMI) Provider Host wmiprvse.exe, which executed a rare child command line. Executing a rare child process can be an indication of remote code execution abuse by an attacker.

Attacker's Goals

Gain code execution on a remote host.

Investigative actions

Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators.
Correlate the RPC call from the source host and understand what initiated it.

Variations

WmiPrvSe.exe Rare Child Command Line

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Attacker's Goals

Gain code execution on a remote host.

Investigative actions

Investigate the processes being spawned from WmiPrvse.exe on the host for malicious indicators.
Correlate the RPC call from the source host and understand what initiated it.