
Wsmprovhost LOLBAS Execution Process Spawn

Rule added on 20th February, 2024

Prerequisite:

The rule requires sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule aims to identify the execution of Living Off The Land Binaries and Scripts (LOLBAS) through a child process spawned by Wsmprovhost.exe.

Data source

Windows: Network traffic, process, user account

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion, TA0003 - Persistence, TA0004 - Privilege Escalation

Techniques: T1036 - Masquerading, T1574 - Hijack Execution Flow

Sub-techniques: T1036.005 - Masquerade Task or Service

Criteria:

Parent Process Monitoring:

The rule first inspects the parent process, that is, the process that initiated the creation of another process (the child process). In this case, the rule matches the parent's image path against the following names:

  • Windows\System32\wsmprovhost.exe
  • Windows\SysWow64\wsmprovhost.exe
  • WINNT\system32\wsmprovhost.exe

These names correspond to the legitimate Windows process wsmprovhost.exe, which is responsible for Windows Management Instrumentation (WMI). WMI is a core Windows component that allows applications to manage the system.

Child Process:

The rule then checks the name of the child process spawned by one of the aforementioned parent processes and matches it against the set of known LOLBAS binaries.
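The parent/child matching described in the criteria above, as an added example that is not part of the original rule or product: it flattens Sysmon process-creation events (Event ID 1) and flags a child from an assumed, illustrative LOLBAS list whose parent image ends in one of the three wsmprovhost.exe paths. The sample events are constructed, not real telemetry.

```python
import xml.etree.ElementTree as ET

# Parent-process paths from the rule criteria, compared case-insensitively
# against the tail of Sysmon's ParentImage field.
PARENT_SUFFIXES = (
    r"windows\system32\wsmprovhost.exe",
    r"windows\syswow64\wsmprovhost.exe",
    r"winnt\system32\wsmprovhost.exe",
)

# Assumed, illustrative LOLBAS child names: the page does not list the set the
# rule actually uses, so treat this as a placeholder for your own list.
LOLBAS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon event (XML) into {EventID, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    return fields


def is_wsmprovhost_lolbas_spawn(event: dict) -> bool:
    """True when a Sysmon process-creation event (ID 1) matches the rule."""
    if event.get("EventID") != "1":
        return False
    parent = event.get("ParentImage", "").lower()
    child = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    return parent.endswith(PARENT_SUFFIXES) and child in LOLBAS_CHILDREN


def scan(xml_events) -> list:
    """Return the parsed events that trigger the rule."""
    parsed = (parse_sysmon_event(x) for x in xml_events)
    return [e for e in parsed if is_wsmprovhost_lolbas_spawn(e)]


# Constructed sample events (not real telemetry): a rule hit, then a benign spawn.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>1</EventID></System><EventData><Data Name="Image">C:\Windows\System32\rundll32.exe</Data>
<Data Name="ParentImage">C:\Windows\System32\wsmprovhost.exe</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>1</EventID></System><EventData><Data Name="Image">C:\Windows\System32\conhost.exe</Data>
<Data Name="ParentImage">C:\Windows\System32\wsmprovhost.exe</Data></EventData></Event>""",
]
```

Call `scan(SAMPLE_EVENTS)` to get the matching events; only the rundll32.exe spawn is returned.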

When to enable this rule:

Enable this rule when the user wants to detect suspicious lateral movement or potential code execution leveraging legitimate binaries. Wsmprovhost.exe spawning LOLBAS can be a sign of attackers abusing Windows Remote Management (WinRM) to execute malicious code.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the requirements of the security standards listed below:

NIST Cybersecurity Framework (CSF):

DE.AE (Detection Processes):

  • DE.AE-1: Anomalies and Events - Detecting unusual activity that could indicate cybersecurity events, including non-standard parent-child process relationships.
    • This requirement is met by all listed suspicious parent processes spawning various system and service processes as they involve non-standard parent-child process relationships.

DE.CM (Security Continuous Monitoring):

  • DE.CM-1: Monitoring Network and Physical Environments - Monitoring systems for signs of unauthorized access or anomalous behavior, such as unexpected parent processes.

Continuous monitoring of system processes, including those spawned by suspicious parent processes, is essential for detecting unauthorized access or anomalous behavior.

CIS:

CIS Control 8 (Malware Defense):

  • Preventing and defending against the execution of malicious code at multiple points in the enterprise, which includes monitoring for and responding to suspicious process spawning.
    • Monitoring for and responding to suspicious process spawning activities, as listed, is crucial for effective malware defense.

CIS Control 6 (Maintenance, Monitoring, and Analysis of Audit Logs):

  • Collecting, managing, and analyzing audit logs to detect unusual activities and indications of potential security incidents, including logs that could signal unauthorized process spawning.

Audit logs should be collected, managed, and analyzed to detect unusual activities related to process spawning, aiding in the identification of potential security incidents.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.