Unusual Module Loads - WMI

By monitoring and detecting on module loads, you can catch a variety of malicious activities, including defense evasion and credential theft. Where an adversary is using WMI for credential theft, consider looking for the execution of wmiprvse.exe (or its child processes) with unusual module loads such as samlib.dll or vaultcli.dll. WMI is also a useful vehicle for bypassing application controls, and we commonly see adversaries, real and simulated, using a WMI bypass method called "SquibblyTwo." The following pseudo-detection analytic is designed specifically to catch application control bypasses, but you can likely adapt it to detect other threats by substituting a different DLL or by removing the command-line condition. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Unusual Module Loads - WMI
id: b62ec77f-8014-42be-9874-c155f9ce6fae
status: experimental
description: |
    By monitoring and detecting on module loads, you can catch a variety of different malicious
    activities, including defense evasion and credential theft. In cases where an adversary is
    using WMI for credential theft, consider looking for the execution of wmiprvse.exe (or its
    child processes) with unusual module loads like samlib.dll or vaultcli.dll. WMI is also a
    useful vehicle for bypassing application controls, and we commonly see adversaries, real and
    simulated, using a WMI bypass method called "SquibblyTwo." The following pseudo-detection
    analytic is designed specifically to catch application control bypasses, but you can likely
    adapt it to detect other threats by substituting in a different DLL or by removing the command.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'format:' # this field may not be available
        ImageLoaded|contains:
            - 'jscript.dll'
            - 'vbscript.dll'
    condition: selection
falsepositives:
    - Unknown
level: low
```
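As an added example (not part of the Red Canary report or of the Sigma rule above), the Python below mirrors the rule's `selection` block and runs it over constructed Sysmon Event ID 7 (image load) records, with a switch that drops the CommandLine clause for sensors that do not record that field on image-load events. Field names follow the Sigma Windows `image_load` taxonomy; the events, IDs and paths are constructed.

```python
from typing import Iterable

# Mirrors the rule's `selection` block; Sigma string matching on Windows
# sources is case-insensitive, so all comparisons are done on lower-cased text.
IMAGE_SUFFIX = "\\wmic.exe"
COMMANDLINE_SUBSTR = "format:"
LOADED_SUBSTRS = ("jscript.dll", "vbscript.dll")


def matches_rule(event: dict, require_commandline: bool = True) -> bool:
    """True if the event satisfies the selection. With require_commandline
    False the CommandLine clause is dropped, as the rule's comment suggests
    for telemetry that lacks the field on image-load events."""
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    if not any(s in loaded for s in LOADED_SUBSTRS):
        return False
    if require_commandline:
        cmdline = event.get("CommandLine")
        if cmdline is None or COMMANDLINE_SUBSTR not in str(cmdline).lower():
            return False
    return True


def alert_ids(events: Iterable[dict], require_commandline: bool = True) -> list:
    """IDs of the events that fire the rule, in input order."""
    return [e["id"] for e in events if matches_rule(e, require_commandline)]


# Constructed sample image-load events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: wmic.exe loads the JScript engine with a /format: argument present
    {"id": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ImageLoaded": "C:\\Windows\\System32\\jscript.dll",
     "CommandLine": "wmic os get /FORMAT:C:\\Users\\Public\\report.xsl"},
    # 2: same kind of load, but the sensor did not record CommandLine
    {"id": 2, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    # 3: wmic.exe loading one of its ordinary modules
    {"id": 3, "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbemcomn.dll",
     "CommandLine": "wmic process list brief"},
    # 4: a script host loading jscript.dll, not the process this rule targets
    {"id": 4, "Image": "C:\\Windows\\System32\\cscript.exe",
     "ImageLoaded": "C:\\Windows\\System32\\jscript.dll",
     "CommandLine": "cscript //nologo tool.js"},
]
```

Event 2 shows the trade-off the rule's comment hints at: with the CommandLine clause enforced it is missed, and with the clause dropped it fires, at the cost of alerting on every script-engine load by wmic.exe.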
