T1047 Wmiprvse Wbemcomn DLL Hijack

Aug 12, 2024 · attack.execution attack.t1047 attack.lateral-movement attack.t1021.002 ·

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Sigma rule (View on GitHub)

 1title: T1047 Wmiprvse Wbemcomn DLL Hijack
 2id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
 3status: test
 4description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
 5references:
 6    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 7author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
 8date: 2020-10-12
 9modified: 2022-02-24
10tags:
11    - attack.execution
12    - attack.t1047
13    - attack.lateral-movement
14    - attack.t1021.002
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 5145
21        RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
22    filter:
23        SubjectUserName|endswith: '$'
24    condition: selection and not filter
25falsepositives:
26    - Unknown
27level: high

References

Remote WMI Wbemcomn DLL Hijack — Threat Hunter Playbook

Offensive Tradecraft A threat actor could use a known DLL hijack vulnerability on the execution of wmiprvse.exe to accomplish code execution as a NETWORK SERVICE account. One way to perform a DLL h...

Read More

T1047 Wmiprvse Wbemcomn DLL Hijack

Sigma rule (View on GitHub)

References

Remote WMI Wbemcomn DLL Hijack — Threat Hunter Playbook

Related rules