DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
Sigma rule (View on GitHub)
1title: DLL Execution Via Register-cimprovider.exe
2id: a2910908-e86f-4687-aeba-76a5f996e652
3status: test
4description: Detects using register-cimprovider.exe to execute arbitrary dll file.
5references:
6 - https://twitter.com/PhilipTsukerman/status/992021361106268161
7 - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
8author: Ivan Dyachkov, Yulia Fomina, oscd.community
9date: 2020-10-07
10modified: 2021-11-27
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.execution
15 - attack.stealth
16 - attack.t1574
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\register-cimprovider.exe'
23 CommandLine|contains|all:
24 - '-path'
25 - 'dll'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
Related rules
- Exploiting SetupComplete.cmd CVE-2019-1378
- Potential Initial Access via DLL Search Order Hijacking
- Potential PrintNightmare Exploitation Attempt
- Potential Registry Persistence Attempt Via DbgManagedDebugger
- Regsvr32 DLL Execution With Uncommon Extension