valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c0ac9b8fb9
SigmaHQ/rules/windows/sysmon/sysmon_wmi_module_load.yml

32 lines
932 B
YAML
Raw Normal View History

added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml
2019-10-24 13:48:38 +00:00
title: T1047 WMI Modules Loaded
description: Detects non wmiprvse loading WMI modules
status: experimental
date: 2019/08/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
ImageLoaded:
- '*wmiclnt.dll'
- '*WmiApRpl.dll'
- '*wmiprov.dll'
- '*wmiutils.dll'
- '*wbemcomn.dll'
- '*wbemprox.dll'
- '*WMINet_Utils.dll'
- '*wbemsvc.dll'
- '*fastprox.dll'
filter:
Image:
- '*WmiPrvSe.exe'
- '*WmiAPsrv.exe'
- '*svchost.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Reference in New Issue Copy Permalink