SigmaHQ/rules/windows/process_creation/win_susp_wmi_execution.yml

34 lines
1.1 KiB
YAML
Raw Normal View History

2020-01-30 16:26:09 +00:00
title: Suspicious WMI Execution
2019-11-12 22:12:27 +00:00
id: 526be59f-a573-4eea-b5f7-f0973207634d
status: experimental
description: Detects WMI executing suspicious commands
references:
- https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
author: Michael Haag, Florian Roth, juju4
date: 2019/01/16
logsource:
category: process_creation
product: windows
detection:
selection:
Image:
- '*\wmic.exe'
CommandLine:
- '*/NODE:*process call create *'
- '* path AntiVirusProduct get *'
- '* path FirewallProduct get *'
- '* shadowcopy delete *'
condition: selection
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.execution
- attack.t1047
- car.2016-03-002
falsepositives:
2020-10-12 07:18:42 +00:00
- If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine
level: medium