Rule : Detection of PsExec and WMI Child Processes Through ASR
Asr Psexec Wmi Child Process Audited Query
Query
DeviceEvents
| where ActionType startswith "AsrPsexecWmiChildProcessAudited" or ActionType startswith "AsrPsexecWmiChildProcessWarnBypassed"
| where FileName != "shutdown.exe"About this query
Rule : Detection of PsExec and WMI Child Processes Through ASR
Description
This detection rule identifies child processes created by PsExec and WMI that have been audited or bypassed by Advanced Security Rules (ASR), excluding shutdown.exe. Monitoring PsExec and WMI child processes is critical because they are commonly used by attackers to execute commands and scripts remotely. These tools are often leveraged for lateral movement and executing malicious payloads on target systems.
This rule helps identify suspicious activity involving PsExec and WMI, excluding legitimate use cases such as system shutdown operations.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypestarts with "AsrPsexecWmiChildProcessAudited" or "AsrPsexecWmiChildProcessWarnBypassed". - The
FileNameis not "shutdown.exe".
- The
Tags
- PsExec
- WMI
- Remote Execution
- Lateral Movement
- Advanced Security Rules (ASR)
- Suspicious Activity
Search Query
Notes
Explanation
Summary of the Query
This query is designed to detect suspicious child processes created by PsExec and WMI that have been either audited or bypassed by Advanced Security Rules (ASR), but it excludes the legitimate process shutdown.exe.
Key Points:
- Purpose: To identify potentially malicious activity involving PsExec and WMI, which are tools often used by attackers for remote command execution and lateral movement within a network.
- Detection Criteria:
- The query looks at
DeviceEvents. - It filters events where the
ActionTypeindicates that a child process was either audited or bypassed by ASR. - It excludes events where the
FileNameisshutdown.exeto avoid false positives from legitimate system shutdown operations.
- The query looks at
- Tags: The query is associated with tags like PsExec, WMI, Remote Execution, Lateral Movement, Advanced Security Rules (ASR), and Suspicious Activity, indicating its focus on detecting remote execution and lateral movement activities.
Search Query Breakdown:
- Data Source:
DeviceEvents - Conditions:
ActionTypestarts with "AsrPsexecWmiChildProcessAudited" or "AsrPsexecWmiChildProcessWarnBypassed".FileNameis not "shutdown.exe".
Practical Use:
This query helps security teams monitor and identify unusual or unauthorized use of PsExec and WMI, which could indicate an ongoing attack or compromise within the network.
Details

Ali Hussein
Released: July 15, 2024
Tables
Keywords
Operators