SigmaHQ/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml

action: global
title: Wmiprvse Wbemcomn DLL Hijack
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
status: experimental
date: 2020/10/12
modified: 2021/06/10
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral_movement
    - attack.t1021.002
references:
    - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
falsepositives:
    - Unknown
level: critical
--- 
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
---
logsource:
    product: windows
    category: image_load
detection: 
    selection:
        Image|endswith: '\wmiprvse.exe'
        ImageLoaded|endswith: '\wbem\wbemcomn.dll'
    condition: selection
$frack113$ Split to Convert eventID to correct category 2021-06-10 14:58:45 +00:00			`action: global`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`title: Wmiprvse Wbemcomn DLL Hijack`
			`id: 614a7e17-5643-4d89-b6fe-f9df1a79641c`
			description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
			`status: experimental`
			`date: 2020/10/12`
$frack113$ forget to add modified 2021-06-10 15:27:15 +00:00			`modified: 2021/06/10`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)`
			`tags:`
			`- attack.execution`
			`- attack.t1047`
			`- attack.lateral_movement`
			`- attack.t1021.002`
			`references:`
			`- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html`
$frack113$ Split to Convert eventID to correct category 2021-06-10 14:58:45 +00:00			`falsepositives:`
			`- Unknown`
			`level: critical`
			`---`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`logsource:`
			`product: windows`
$frack113$ Split to Convert eventID to correct category 2021-06-10 14:58:45 +00:00			`category: file_event`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`detection:`
$frack113$ Split to Convert eventID to correct category 2021-06-10 14:58:45 +00:00			`selection:`
10 rules from THP - contributing soon 2020-10-12 19:42:34 +00:00			`Image: System`
Fixes&improvements 2021-04-07 22:32:01 +00:00			`TargetFilename\|endswith: '\wbem\wbemcomn.dll'`
$frack113$ Split to Convert eventID to correct category 2021-06-10 14:58:45 +00:00			`condition: selection`
			`---`
			`logsource:`
			`product: windows`
			`category: image_load`
			`detection:`
			`selection:`
Fixes&improvements 2021-04-07 22:32:01 +00:00			`Image\|endswith: '\wmiprvse.exe'`
			`ImageLoaded\|endswith: '\wbem\wbemcomn.dll'`
$frack113$ Split to Convert eventID to correct category 2021-06-10 14:58:45 +00:00			`condition: selection`