Successful Account Login Via WMI

Jan 29, 2024 · attack.execution attack.t1047 ·

Detects successful logon attempts performed with WMI

Sigma rule (View on GitHub)

 1title: Successful Account Login Via WMI
 2id: 5af54681-df95-4c26-854f-2565e13cfab0
 3status: stable
 4description: Detects successful logon attempts performed with WMI
 5references:
 6    - Internal Research
 7author: Thomas Patzke
 8date: 2019/12/04
 9modified: 2024/01/17
10tags:
11    - attack.execution
12    - attack.t1047
13logsource:
14    product: windows
15    service: security
16detection:
17    selection:
18        EventID: 4624
19        ProcessName|endswith: '\WmiPrvSE.exe'
20    condition: selection
21falsepositives:
22    - Monitoring tools
23    - Legitimate system administration
24level: low

References

Internal Research

Read More

Related rules

Application Removed Via Wmic.EXE
Computer System Reconnaissance Via Wmic.EXE
Hardware Model Reconnaissance Via Wmic.EXE
Potential Product Class Reconnaissance Via Wmic.EXE
Potential Product Reconnaissance Via Wmic.EXE