Hello,
I am receiving from our security team this alert:
Source IP: 10.16.101.66
Destination IP: 169.254.2.221
Host Name: VIPMEDOLTPDB01.ad
Contact:
Physical Location:
Alert details:
ip_src: 169.254.2.221
param: wmic /node:10.16.101.66 service where caption like %MSSQLSERVER% get caption /format:csv
filename: WMIC.exe
alias_host: VIPMEDOLTPDB01.ad
The command appears to be a request to pull a report in csv format on the mentioned node (10.16.101.66). There have been previous alerts indicating that this is legitimate activity. The SOC is escalating to the user/admin of server to verify the legitimacy of this activity and if it is expected so it may be whitelisted/tuned.
What initiated this command? "wmic /node:10.16.101.66 service where caption like %MSSQLSERVER% get caption /format:csv"
Is this command expected?
What are the results?
10.16.101.66 is the IP address of the cluster node
169.254.2.221 is the IP of the Microsoft Failover Cluster Virtual Adapter
Thanks,
Dom
Hi,
Firstly, please run Cluster Validation to check if there's any error in the report.
Best Regards,
Anne
Hello,
What is the next step to find out what task/job started the wmic command listed above?
Microsoft SQL Server Management Studio 14.0.17213.0
Microsoft Analysis Services Client Tools 14.0.1016.232
Microsoft Data Access Components (MDAC) 10.0.14393.0
Microsoft MSXML 3.0 6.0
Microsoft Internet Explorer 9.11.14393.0
Microsoft .NET Framework 4.0.30319.42000
Operating System 6.3.14393
Thanks,
Dom
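One way to answer the question above (what launched WMIC.exe) is to read the Security log's process-creation events on the host that raised the alert, since event 4688 records the launching user, logon session and parent process. This is an added example, not code from the thread; it assumes process-creation auditing is enabled with "Include command line in process creation events" turned on (otherwise CommandLine is empty), and the `$Pattern`/`$Days` parameters are my own names.

```powershell
# Added example (not from the original thread): list WMIC.exe launches whose
# command line matches a pattern, with the user, logon session and parent
# process taken from Security event 4688. Run as an administrator on the host
# that raised the alert (alias_host VIPMEDOLTPDB01 in this case).
param(
    [string]$Pattern = 'MSSQLSERVER',   # text to look for in the command line
    [int]$Days = 7                      # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4688                    # "A new process has been created"
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than
        # parsing the localized message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId     = $data.SubjectLogonId      # correlate with 4624 to find the session
            Process     = $data.NewProcessName
            CommandLine = $data.CommandLine         # empty unless command-line logging is on
            Parent      = $data.ParentProcessName   # populated on Windows Server 2016 and later
        }
    } |
    Where-Object {
        $_.Process -like '*\WMIC.exe' -and $_.CommandLine -match $Pattern
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap Time, User, Parent, LogonId, CommandLine
```

The Parent column usually identifies the originator directly (for example the Task Scheduler service host, a SQL Agent job step, or a monitoring agent); if it is a generic host process, match LogonId against the 4624 logon event for that session to see which account and logon type started it.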
Hi,
No Errors
Thanks,
Dom