mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
38 lines
1.3 KiB
YAML
38 lines
1.3 KiB
YAML
title: Wmiprvse Spawning Process
|
|
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
|
|
description: Detects wmiprvse spawning processes
|
|
status: experimental
|
|
date: 2019/08/15
|
|
modified: 2021/02/24
|
|
author: Roberto Rodriguez @Cyb3rWard0g
|
|
references:
|
|
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1047
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
ParentImage|endswith: '\WmiPrvSe.exe'
|
|
filter:
|
|
- LogonId:
|
|
- '0x3e7' # LUID 999 for SYSTEM
|
|
- 'null' # too many false positives
|
|
- SubjectLogonId:
|
|
- '0x3e7' # LUID 999 for SYSTEM
|
|
- 'null' # too many false positives
|
|
- User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
|
|
- Image|endswith:
|
|
- '\WmiPrvSE.exe'
|
|
- '\WerFault.exe'
|
|
filter_null1: # some backends need the null value in a seperate expression
|
|
LogonId: null
|
|
filter_null2: # some backends need the null value in a seperate expression
|
|
SubjectLogonId: null
|
|
condition: selection and not filter and not filter_null1 and not filter_null2
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|