Office Products Spawning WMI (RedCanary Threat Detection Report)
Detects MS Office applications spawning WMI processes. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Office Products Spawning WMI (RedCanary Threat Detection Report)
2id: 6335a2c2-5339-443a-b00c-ebffc9ffc321
3status: experimental
4description: Detects MS Office applications spawning WMI processes. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.execution
11 - attack.t1047
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentImage|endswith:
18 - '\winword.exe'
19 - '\excel.exe'
20 Image|endswith:
21 - '\wmic.exe'
22 - '\wmiprvse.exe'
23 condition: selection
24falsepositives:
25 - Unknown
26level: low```
References
Related rules
- WMI Reconnaissance (RedCanary Threat Detection Report)
- WMI Shadow Copy Deletion (RedCanary Threat Detection Report)
- WMI Suspicious Commands (RedCanary Threat Detection Report)
- WMI Suspicious Powershell Cmdlets (RedCanary Threat Detection Report)
- WMI Suspicious Process Lineage (RedCanary Threat Detection Report)