title: Wmiprvse Spawning Process
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
description: Detects wmiprvse spawning processes
status: experimental
date: 2019/08/15
modified: 2021/02/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WmiPrvSe.exe'
    filter:
        - LogonId: 
            - '0x3e7'  # LUID 999 for SYSTEM
            - 'null'   # too many false positives
        - SubjectLogonId:
            - '0x3e7'  # LUID 999 for SYSTEM
            - 'null'   # too many false positives
        - User: 'NT AUTHORITY\SYSTEM'  # if we don't have LogonId data, fallback on username detection
        - Image|endswith: 
            - '\WmiPrvSE.exe'
            - '\WerFault.exe'
    filter_null1:  # some backends need the null value in a seperate expression
        LogonId: null
    filter_null2:  # some backends need the null value in a seperate expression
        SubjectLogonId: null
    condition: selection and not filter and not filter_null1 and not filter_null2
falsepositives:
    - Unknown
level: high