Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Sigma rule
title: Successful Account Login Via WMI
id: 5af54681-df95-4c26-854f-2565e13cfab0
status: stable
description: Detects successful logon attempts performed with WMI
references:
    - Internal Research
author: Thomas Patzke
date: 2019/12/04
modified: 2024/01/17
tags:
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        ProcessName|endswith: '\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Monitoring tools
    - Legitimate system administration
level: low
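The rule's selection applied to constructed 4624 events, as an added example that is not part of the Sigma project's code. The `unexpected_path` triage flag and the `EXPECTED_DIRS` list are assumptions added here to help separate the expected false positives from a `WmiPrvSE.exe` running outside its default directory; they are not conditions of the rule.

```python
import ntpath

RULE_SUFFIX = "\\WmiPrvSE.exe"  # from the rule: ProcessName|endswith
# Assumption (not in the rule): default locations of the WMI provider host.
EXPECTED_DIRS = {"c:\\windows\\system32\\wbem", "c:\\windows\\syswow64\\wbem"}

def matches_rule(event):
    """True when the event satisfies the rule's 'selection'."""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False
    process = str(event.get("ProcessName") or "")
    # Sigma string matching is case-insensitive by default.
    return event_id == 4624 and process.lower().endswith(RULE_SUFFIX.lower())

def triage(event):
    """Return None for a non-match, else the fields an analyst reviews first."""
    if not matches_rule(event):
        return None
    directory = ntpath.dirname(str(event["ProcessName"])).lower()
    return {
        "user": event.get("TargetUserName"),
        "source": event.get("IpAddress"),
        "logon_type": event.get("LogonType"),
        "unexpected_path": directory not in EXPECTED_DIRS,  # added triage hint
    }

def run(events):
    return [hit for hit in map(triage, events) if hit is not None]

# Constructed sample events; field names follow Security event 4624.
def sample(event_id, process, user):
    return {"EventID": event_id, "ProcessName": process, "TargetUserName": user,
            "IpAddress": "192.0.2.10", "LogonType": 3}

WBEM = "C:\\Windows\\System32\\wbem\\"
SAMPLE_EVENTS = [
    sample(4624, WBEM + "WmiPrvSE.exe", "svc_monitor"),       # match
    sample("4624", WBEM.lower() + "wmiprvse.exe", "admin1"),  # match: case, string ID
    sample(4625, WBEM + "WmiPrvSE.exe", "admin2"),            # failed logon, no match
    sample(4624, WBEM + "NotWmiPrvSE.exe", "admin3"),         # no '\' before the name
    sample(4624, "C:\\Windows\\System32\\svchost.exe", "admin4"),
    sample(4624, "C:\\Temp\\WmiPrvSE.exe", "admin5"),         # match, unexpected path
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```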
Related rules
- Application Removed Via Wmic.EXE
- Computer System Reconnaissance Via Wmic.EXE
- Hardware Model Reconnaissance Via Wmic.EXE
- Potential Product Class Reconnaissance Via Wmic.EXE
- Potential Product Reconnaissance Via Wmic.EXE