PSExec and WMI Process Creations Block

 1title: PSExec and WMI Process Creations Block
 2id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
 3status: test
 4description: Detects blocking of process creations originating from PSExec and WMI commands
 5references:
 6    - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
 7    - https://twitter.com/duff22b/status/1280166329660497920
 8author: Bhabesh Raj
 9date: 2020/07/14
10modified: 2022/12/25
11tags:
12    - attack.execution
13    - attack.lateral_movement
14    - attack.t1047
15    - attack.t1569.002
16logsource:
17    product: windows
18    service: windefend
19    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
20detection:
21    selection:
22        EventID: 1121
23        ProcessName|endswith:
24            - '\wmiprvse.exe'
25            - '\psexesvc.exe'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

• Use attack surface reduction rules to prevent malware infection

  

  Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• PUA - CSExec Default Named Pipe
• PUA - RemCom Default Named Pipe
• smbexec.py Service Installation
• Metasploit Or Impacket Service Installation Via SMB PsExec
• Metasploit Or Impacket Service Installation Via SMB PsExec