SigmaHQ/rules/windows/image_load/sysmon_wmi_module_load.yml
2021-07-01 12:18:30 +05:45

50 lines
1.4 KiB
YAML
Executable File

title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
description: Detects non wmiprvse loading WMI modules
status: experimental
date: 2019/08/10
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
tags:
- attack.execution
- attack.t1047
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\wmiclnt.dll'
- '\WmiApRpl.dll'
- '\wmiprov.dll'
- '\wmiutils.dll'
- '\wbemcomn.dll'
- '\wbemprox.dll'
- '\WMINet_Utils.dll'
- '\wbemsvc.dll'
- '\fastprox.dll'
filter:
Image|endswith:
- '\WmiPrvSe.exe'
- '\WmiAPsrv.exe'
- '\svchost.exe'
- '\DeviceCensus.exe'
- '\CompatTelRunner.exe'
- '\sdiagnhost.exe'
- '\SIHClient.exe'
- '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
- '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
condition: selection and not filter
fields:
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Unknown
level: high