PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

Sigma rule (View on GitHub)

 1title: PSExec and WMI Process Creations Block
 2id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
 3status: test
 4description: Detects blocking of process creations originating from PSExec and WMI commands
 5references:
 6    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
 7    - https://twitter.com/duff22b/status/1280166329660497920
 8author: Bhabesh Raj
 9date: 2020-07-14
10modified: 2022-12-25
11tags:
12    - attack.execution
13    - attack.lateral-movement
14    - attack.t1047
15    - attack.t1569.002
16logsource:
17    product: windows
18    service: windefend
19    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
20detection:
21    selection:
22        EventID: 1121
23        ProcessName|endswith:
24            - '\wmiprvse.exe'
25            - '\psexesvc.exe'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

Related rules

to-top