SigmaHQ/rules/windows/sysmon/sysmon_susp_wmi_execution.yml

30 lines
1021 B
YAML
Raw Normal View History

2017-03-29 20:11:05 +00:00
title: Suspicious WMI execution
status: experimental
2017-03-29 20:11:05 +00:00
description: Detects WMI executing suspicious commands
references:
2017-03-29 20:11:05 +00:00
- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
author: Michael Haag, Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image:
- '*\wmic.exe'
CommandLine:
2017-03-29 20:11:05 +00:00
- '*/NODE:*process call create *'
- '* path AntiVirusProduct get *'
- '* path FirewallProduct get *'
- '* shadowcopy delete *'
condition: selection
2017-09-12 21:54:04 +00:00
fields:
- CommandLine
- ParentCommandLine
falsepositives:
2017-03-29 20:11:05 +00:00
- Will need to be tuned
- If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.
level: medium