WMI Module Loaded By Non Uncommon Process

Detects WMI modules being loaded by an uncommon process (Sysmon image-load telemetry, ATT&CK T1047).

Sigma rule (View on GitHub)

```yaml
title: WMI Module Loaded By Non Uncommon Process
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
description: Detects WMI modules being loaded by an uncommon process
references:
    - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
modified: 2023/11/27
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\fastprox.dll'
            - '\wbemcomn.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\WmiApRpl.dll'
            - '\wmiclnt.dll'
            - '\WMINet_Utils.dll'
            - '\wmiprov.dll'
            - '\wmiutils.dll'
    filter_main_generic:
        Image|contains:
            - ':\Windows\explorer.exe'
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - '\Microsoft\Teams\current\Teams.exe'
            - '\Microsoft\Teams\Update.exe'
    filter_optional_other:
        Image|endswith:
            - '\WindowsAzureGuestAgent.exe'
            - '\WaAppAgent.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_defender:
        Image|endswith: '\MsMpEng.exe'
    filter_optional_dotnet:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
        Image|endswith: '\ngentask.exe'
    filter_optional_programfiles:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low
```
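To see what the condition actually lets through, the following Python re-implements the rule's selection and filter logic and runs it over a handful of Sysmon Event ID 7 (image load) records. This is an added example written for this page; it is not part of the SigmaHQ rule, the Threat Hunter Playbook, or any Sigma backend. The event records are constructed, and the matching follows Sigma's default semantics: `endswith` and `contains` are case-insensitive, list values inside one modifier are OR-ed, and two modifiers inside the same filter map (as in `filter_optional_dotnet`) are AND-ed.

```python
"""Evaluate the WMI-module-load Sigma rule over constructed Sysmon EID 7 events.

Added example, not the rule's own code. Sigma string matching is
case-insensitive by default, so every comparison lowercases both sides.
"""

# selection: ImageLoaded|endswith (OR over the list)
WMI_MODULES = [
    "\\fastprox.dll", "\\wbemcomn.dll", "\\wbemprox.dll", "\\wbemsvc.dll",
    "\\WmiApRpl.dll", "\\wmiclnt.dll", "\\WMINet_Utils.dll", "\\wmiprov.dll",
    "\\wmiutils.dll",
]

# filter_main_generic: Image|contains
FILTER_MAIN_GENERIC = [
    ":\\Windows\\explorer.exe", ":\\Windows\\Sysmon.exe", ":\\Windows\\Sysmon64.exe",
    ":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\",
    "\\Microsoft\\Teams\\current\\Teams.exe", "\\Microsoft\\Teams\\Update.exe",
]
# filter_optional_other / _thor / _defender: Image|endswith
FILTER_OPTIONAL_ENDSWITH = [
    "\\WindowsAzureGuestAgent.exe", "\\WaAppAgent.exe",
    "\\thor.exe", "\\thor64.exe",
    "\\MsMpEng.exe",
]
# filter_optional_programfiles: Image|contains
FILTER_OPTIONAL_PROGRAMFILES = [":\\Program Files\\", ":\\Program Files (x86)\\"]
# filter_optional_dotnet: Image|contains AND Image|endswith (same map => AND)
FILTER_OPTIONAL_DOTNET_CONTAINS = [
    ":\\Windows\\Microsoft.NET\\Framework\\", ":\\Windows\\Microsoft.NET\\Framework64\\",
]
FILTER_OPTIONAL_DOTNET_ENDSWITH = "\\ngentask.exe"


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection(event):
    """True when the loaded image is one of the listed WMI DLLs."""
    return _endswith_any(event.get("ImageLoaded", ""), WMI_MODULES)


def filtered(event):
    """True when any filter_main_* or filter_optional_* map matches the loading process."""
    image = event.get("Image", "")
    if _contains_any(image, FILTER_MAIN_GENERIC):
        return True
    if _endswith_any(image, FILTER_OPTIONAL_ENDSWITH):
        return True
    if _contains_any(image, FILTER_OPTIONAL_PROGRAMFILES):
        return True
    # Both keys of filter_optional_dotnet must hold: a .NET Framework path AND ngentask.exe
    if _contains_any(image, FILTER_OPTIONAL_DOTNET_CONTAINS) and \
            _endswith_any(image, [FILTER_OPTIONAL_DOTNET_ENDSWITH]):
        return True
    return False


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(event) and not filtered(event)


# Constructed Sysmon Event ID 7 records (only the two fields the rule uses).
SAMPLE_EVENTS = [
    # unsigned binary in a user temp dir loading fastprox.dll -> alert
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\fastprox.dll"},
    # WMI provider host itself -> suppressed by the System32 filter
    {"Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll"},
    # third-party agent under Program Files -> suppressed
    {"Image": "C:\\Program Files\\Vendor\\agent.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wmiutils.dll"},
    # ngentask.exe in a Framework64 dir -> suppressed (both dotnet keys hold)
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngentask.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WMINet_Utils.dll"},
    # csc.exe in the same dir -> NOT suppressed, the dotnet filter needs ngentask.exe too
    {"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WMINet_Utils.dll"},
    # non-WMI DLL -> selection does not fire
    {"Image": "C:\\Users\\bob\\Downloads\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # Defender engine outside Program Files -> suppressed by filter_optional_defender
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemprox.dll"},
]


def run(events=SAMPLE_EVENTS):
    """Return the Image path of every event the rule would alert on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in run():
        print("ALERT", image)
```

Two things worth noting from the run. The `csc.exe` record fires because `filter_optional_dotnet` is an AND of its two keys, so only `ngentask.exe` under a Framework directory is excluded; other .NET tooling in those directories that loads `WMINet_Utils.dll` will show up and may need a local tuning filter. Conversely, the `System32`, `SysWOW64` and `Program Files` filters are `contains` matches on the whole path, so any binary anywhere beneath those trees, including subdirectories a non-administrator can write to, is suppressed; that is a deliberate trade-off for a `low`-level rule, but it is the blind spot to keep in mind when using it for hunting rather than alerting.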
