PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands
Sigma rule (View on GitHub)
1title: PSExec and WMI Process Creations Block
2id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
3status: test
4description: Detects blocking of process creations originating from PSExec and WMI commands
5references:
6 - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands
7 - https://twitter.com/duff22b/status/1280166329660497920
8author: Bhabesh Raj
9date: 2020/07/14
10modified: 2022/12/25
11tags:
12 - attack.execution
13 - attack.lateral_movement
14 - attack.t1047
15 - attack.t1569.002
16logsource:
17 product: windows
18 service: windefend
19 definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
20detection:
21 selection:
22 EventID: 1121
23 ProcessName|endswith:
24 - '\wmiprvse.exe'
25 - '\psexesvc.exe'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
Related rules
- PUA - CSExec Default Named Pipe
- PUA - RemCom Default Named Pipe
- smbexec.py Service Installation
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Metasploit Or Impacket Service Installation Via SMB PsExec