Windows Script Interpreter Executing Process via WMIedit

Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.

Rule type: eql

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100


  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 1

Added (Elastic Stack release): 7.11.0

Rule authors: Elastic

Rule license: Elastic License

Rule queryedit

sequence by with maxspan=5s [library where :
"wmiutils.dll" and : ("wscript.exe", "cscript.exe")]
[process where event.type in ("start", "process_started") and : "wmiprvse.exe" and user.domain != "NT
AUTHORITY" and ( in
( "cscript.exe",
"wscript.exe", "PowerShell.EXE",
"Cmd.Exe", "MSHTA.EXE",
"MSBuild.exe", "InstallUtil.exe",
"RegAsm.exe", "RegSvcs.exe",
"msxsl.exe", "CONTROL.EXE",
"msiexec.exe" ) or
process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe")
) ]

Threat mappingedit