DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
Sigma rule (View on GitHub)
1title: DLL Execution Via Register-cimprovider.exe
2id: a2910908-e86f-4687-aeba-76a5f996e652
3status: test
4description: Detects using register-cimprovider.exe to execute arbitrary dll file.
5references:
6 - https://twitter.com/PhilipTsukerman/status/992021361106268161
7 - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
8author: Ivan Dyachkov, Yulia Fomina, oscd.community
9date: 2020-10-07
10modified: 2021-11-27
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.defense-evasion
15 - attack.t1574
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\register-cimprovider.exe'
22 CommandLine|contains|all:
23 - '-path'
24 - 'dll'
25 condition: selection
26fields:
27 - CommandLine
28falsepositives:
29 - Unknown
30level: medium
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Register-cimprovider.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential Initial Access via DLL Search Order Hijacking
- Potential Registry Persistence Attempt Via DbgManagedDebugger
- Regsvr32 DLL Execution With Uncommon Extension
- Suspicious Printer Driver Empty Manufacturer