Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.
Sigma rule (View on GitHub)
1title: Wmiprvse Wbemcomn DLL Hijack
2id: 7707a579-e0d8-4886-a853-ce47e4575aaa
3status: test
4description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
5references:
6 - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
7author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
8date: 2020-10-12
9modified: 2022-10-09
10tags:
11 - attack.execution
12 - attack.t1047
13 - attack.lateral-movement
14 - attack.t1021.002
15logsource:
16 product: windows
17 category: image_load
18detection:
19 selection:
20 Image|endswith: '\wmiprvse.exe'
21 ImageLoaded|endswith: '\wbem\wbemcomn.dll'
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Offensive Tradecraft A threat actor could use a known DLL hijack vulnerability on the execution of wmiprvse.exe to accomplish code execution as a NETWORK SERVICE account. One way to perform a DLL h...
Read More
Related rules
- T1047 Wmiprvse Wbemcomn DLL Hijack
- Wmiprvse Wbemcomn DLL Hijack - File
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- HackTool - Potential Impacket Lateral Movement Activity