SigmaHQ/rules/windows/process_creation/win_wmiprvse_spawning_process.yml

26 lines
849 B
YAML
Raw Normal View History

title: Wmiprvse Spawning Process
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
description: Detects wmiprvse spawning processes
status: experimental
date: 2019/08/15
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\WmiPrvSe.exe'
filter:
- LogonId: '0x3e7' # LUID 999 for SYSTEM
- Username: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
condition: selection and not filter
falsepositives:
- Unknown
level: critical