PSExec and WMI Process Creations Block

Aug 12, 2024 · attack.execution attack.lateral-movement attack.t1047 attack.t1569.002 ·

Detects blocking of process creations originating from PSExec and WMI commands

Sigma rule (View on GitHub)

 1title: PSExec and WMI Process Creations Block
 2id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
 3status: test
 4description: Detects blocking of process creations originating from PSExec and WMI commands
 5references:
 6    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
 7    - https://twitter.com/duff22b/status/1280166329660497920
 8author: Bhabesh Raj
 9date: 2020-07-14
10modified: 2022-12-25
11tags:
12    - attack.execution
13    - attack.lateral-movement
14    - attack.t1047
15    - attack.t1569.002
16logsource:
17    product: windows
18    service: windefend
19    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
20detection:
21    selection:
22        EventID: 1121
23        ProcessName|endswith:
24            - '\wmiprvse.exe'
25            - '\psexesvc.exe'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

Attack surface reduction rules reference - Microsoft Defender for Endpoint

Lists details about Microsoft Defender for Endpoint attack surface reduction rules on a per-rule basis.

Read More
x.com

Read More

PSExec and WMI Process Creations Block

Sigma rule (View on GitHub)

References

Attack surface reduction rules reference - Microsoft Defender for Endpoint

x.com

Related rules