cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
wyrm
Level 10
Report Inappropriate Content
Message 1 of 7

ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

I'm looking for some assistance on how to prevent REMOTE execution of applications via WMIPRVSE.exe.

Example: computer #1 has a RAT installed.  Attacker is using WMIC.exe on computer #1 to remotely execute an application on computer #2.  On computer #2, the process chain will be WMIPRVSE.exe > someprocess.exe.  I'm looking for a rule that would block WMIPRVSE.exe from launching any executable on computer #2 (rule would exist on computer #2), but only if it's initiated from a remote computer.  WMIPRVSE.exe should be able to launch processes if the file is not executed remotely.

McAfee released a somewhat similar rule for preventing the spreading of Goga ransomware (prevent remote writing a file type, then execution via CMD but I'm not sure how to modify it to do what I'm looking for:

Rule {
Process {
Include OBJECT_NAME { -v “SYSTEM:REMOTE” }
          }
Target {
Match FILE {
Include OBJECT_NAME { -v “c:\\windows\\temp\\*.exe” }
Include OBJECT_NAME { -v “c:\\windows\\temp\\*.bat” }
Include -access “CREATE”
          }
     }
}

Rule {
Process {
Include OBJECT_NAME { -v “WmiPrvSE.exe” }
                }

Target {
Match PROCESS {
Include OBJECT_NAME { -v “cmd.exe”}
Include -access “CREATE”
                                       }
              }
}

Labels (2)
1 Solution

Accepted Solutions
Daveb3d
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

JTI covers that if you have ATP installed.

I might suggest three following due to possible obfuscation. 

"*process*call*create*"

Dave

View solution in original post

6 Replies
Daveb3d
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

I'd like to backtrack a bit here.  How did the rat get on system 1?  Let's address that vector. Office?  That is relatively easy to tackle.  If you need help with a rule to cover 98% of what Office can do, I'm happy to help there.

For wmic, have an Expert Rule block remote process execution via it.  How does the file get to the windows temp folder?  Let's address that vector.   

wmiprvse -> cmd will be way noisy.  

Dave

wyrm
Level 10
Report Inappropriate Content
Message 3 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

Office has been addressed for the most part, by Powershell exploit rules and custom Access Protection rules.

What I'm trying to address in an expert rule is preventing lateral movement using WMI, which has been used in recent targeted ransomware attacks, from unmanaged devices or devices whose protection is compromised.  I'm already blocking PSEXEC usage but need to tackle remote execution by WMI, where there should not be any legitimate usage of this in my environment.  

So I'm looking for a Remote system trying to execute anything on the system using WMI, by either existing processes on the system (CMD, Powershell) or if it drops an executable on the system and tries to execute it remotely.

Daveb3d
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

That is a tough one.  I might look at targeting file creation from SYSTEM:REMOTE in the temp folder.  I'm not sure how the ransomware gets on there, but that might cover you.  

wyrm
Level 10
Report Inappropriate Content
Message 5 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

Instead of focusing on the destination computer, I decided to focus on lateral movement from the source.  In this case, a expert rule to prevent a WMIC command that contains PROCESS CALL CREATE, to protect against something like this:

wmic /node:192.168.0.2 /user:xxxx process call create “cmd.exe /c notepad.exe”

Rule {
           Process {
                  Include OBJECT_NAME { -v "**"}
                       }
Target {
           Match PROCESS {
                       Include OBJECT_NAME { -v "wmic.exe"}
                       Include PROCESS_CMD_LINE {
                                    -v "*process call create*"

                                                                    }
                      Include -access "CREATE"
                                      }
         }
}

Daveb3d
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

JTI covers that if you have ATP installed.

I might suggest three following due to possible obfuscation. 

"*process*call*create*"

Dave

View solution in original post

wyrm
Level 10
Report Inappropriate Content
Message 7 of 7

Re: ENS Expert rule to prevent REMOTE execution of applications via WMIPRVSE.exe

Jump to solution

Great, thanks for the info.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community