Suspicious Process Lineage - WMI

In general, trusted binaries and known administrative tools and processes will initiate WMI activity. As such, it makes sense to look for known bad processes launching WMI or deviations from the expected where a legitimate but unusual Windows binary spawns WMI—or spawns from it. The following is an amalgamation of several analytics that can detect a wide array of threats, ranging from red team activity to web shells to coinminers. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Suspicious Process Lineage - WMI
id: 75e6bb57-d135-4308-b0ac-936e2d76d4d5
status: experimental
description: |
    In general, trusted binaries and known administrative tools and processes will initiate WMI
    activity. As such, it makes sense to look for known bad processes launching WMI or deviations
    from the expected where a legitimate but unusual Windows binary spawns WMI—or spawns from it.
    The following is an amalgamation of several analytics that can detect a wide array of threats,
    ranging from red team activity to web shells to coinminers. Part of the RedCanary 2024 Threat
    Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\msbuild.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
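As an added example (not part of this page, nor RedCanary's or Sigma's own tooling), the Python below applies the rule's `selection` block to a few constructed process-creation events to show which ones would fire. The field names come from the rule; the events, paths and ProcessIds are made up, and matching is case-insensitive as Sigma's default string comparison is.

```python
"""Evaluate the 'Suspicious Process Lineage - WMI' selection against
constructed process_creation events. A Sigma selection map is an AND of its
fields; a list of values under one field is an OR; strings compare
case-insensitively."""

# The rule's selection block, transcribed from the page.
SELECTION = {
    "ParentImage|endswith": ["\\wmiprvse.exe"],
    "Image|endswith": [
        "\\rundll32.exe", "\\msbuild.exe", "\\powershell.exe",
        "\\cmd.exe", "\\mshta.exe",
    ],
}

def field_matches(event, key, values):
    """Apply one 'Field|modifier' entry. Only 'endswith' and plain equality
    are implemented, which is all this rule needs."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        expected = value.lower()
        if modifier == "endswith" and actual.endswith(expected):
            return True
        if modifier == "" and actual == expected:
            return True
    return False

def selection_matches(event, selection=SELECTION):
    """True when every field in the selection matches (AND semantics)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed Sysmon-style process_creation events (not real telemetry).
EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4133, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 4161, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

def matching_process_ids(events=EVENTS):
    """Return the ProcessIds of the events this rule would alert on."""
    return [e["ProcessId"] for e in events if selection_matches(e)]

if __name__ == "__main__":
    print(matching_process_ids())  # [4120, 4161]
```

The conhost.exe child (4133) is deliberately not matched: it is a common, benign child of WmiPrvSE.exe and is outside the rule's Image list, which is why the rule stays at level low rather than flagging every WMI-spawned process.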
