Wmiprvse Wbemcomn DLL Hijack - File

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Sigma rule (View on GitHub)

 1title: Wmiprvse Wbemcomn DLL Hijack - File
 2id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
 3status: test
 4description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
 5references:
 6    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
 7author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 8date: 2020/10/12
 9modified: 2022/12/02
10tags:
11    - attack.execution
12    - attack.t1047
13    - attack.lateral_movement
14    - attack.t1021.002
15logsource:
16    product: windows
17    category: file_event
18detection:
19    selection:
20        Image: System
21        TargetFilename|endswith: '\wbem\wbemcomn.dll'
22    condition: selection
23falsepositives:
24    - Unknown
25level: critical

References

Related rules

to-top