DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
Sigma rule (View on GitHub)
1title: DLL Execution Via Register-cimprovider.exe
2id: a2910908-e86f-4687-aeba-76a5f996e652
3status: test
4description: Detects using register-cimprovider.exe to execute arbitrary dll file.
5references:
6 - https://twitter.com/PhilipTsukerman/status/992021361106268161
7 - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
8author: Ivan Dyachkov, Yulia Fomina, oscd.community
9date: 2020/10/07
10modified: 2021/11/27
11tags:
12 - attack.defense_evasion
13 - attack.t1574
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\register-cimprovider.exe'
20 CommandLine|contains|all:
21 - '-path'
22 - 'dll'
23 condition: selection
24fields:
25 - CommandLine
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- Detection of PowerShell Execution via Sqlps.exe
- Devtoolslauncher.exe Executes Specified Binary
- Disabled IE Security Features
- DumpStack.log Defender Evasion