WmiPrvSE Spawned A Process
Detects WmiPrvSE spawning a process
Sigma rule
```yaml
title: WmiPrvSE Spawned A Process
id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
related:
    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
      type: similar
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
status: stable
description: Detects WmiPrvSE spawning a process
references:
    - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-15
modified: 2023-03-23
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WmiPrvSe.exe'
    filter_logonid:
        LogonId:
            - '0x3e7' # LUID 999 for SYSTEM
            - 'null' # too many false positives
    filter_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe'
    filter_werfault:
        Image|endswith: '\WerFault.exe'
    filter_null: # some backends need the null value in a separate expression
        LogonId: null
    condition: selection and not 1 of filter_*
falsepositives:
    - False positives are expected (e.g. in environments where WinRM is used legitimately)
level: medium
```
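To show how the rule's `selection and not 1 of filter_*` condition plays out on real-looking telemetry, here is an added Python evaluation of the same logic over constructed process_creation events (this is example code, not part of the Sigma project or of any backend; the event dictionaries and the `matches_rule`/`run_detection` helpers are assumptions for illustration).

```python
# Added example (not Sigma project code): evaluates the rule's
# "selection and not 1 of filter_*" logic over constructed events.

def _endswith(value, suffix):
    # Sigma string matching is case-insensitive unless |cased is used
    return value is not None and value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return value is not None and needle.lower() in value.lower()

def matches_rule(event):
    """True when the process_creation event would trigger the rule."""
    if not _endswith(event.get("ParentImage"), r"\WmiPrvSe.exe"):
        return False                                   # selection failed
    logon_id = event.get("LogonId")
    filters = [
        logon_id in ("0x3e7", "null"),                                        # filter_logonid
        any(_contains(event.get("User"), s) for s in ("AUTHORI", "AUTORI")),  # filter_system_user
        _endswith(event.get("Image"), r"\WmiPrvSE.exe"),                      # filter_wmiprvse
        _endswith(event.get("Image"), r"\WerFault.exe"),                      # filter_werfault
        logon_id is None,                                                     # filter_null
    ]
    return not any(filters)

def run_detection(events):
    """Return the Image path of every event the rule alerts on."""
    return [e["Image"] for e in events if matches_rule(e)]

# Constructed sample telemetry, not real logs
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
SAMPLE_EVENTS = [
    {"ParentImage": WMI, "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "LogonId": "0x5a2f1"},             # alert
    {"ParentImage": WMI, "Image": r"C:\Windows\System32\WerFault.exe",
     "User": r"NT AUTHORITY\SYSTEM", "LogonId": "0x3e7"},      # filtered (SYSTEM, WerFault)
    {"ParentImage": WMI, "Image": r"C:\Windows\System32\conhost.exe",
     "User": r"CORP\bob", "LogonId": None},                    # filter_null
    {"ParentImage": WMI, "Image": r"C:\Windows\System32\svchost.exe",
     "User": "NT-AUTORITÄT\\SYSTEM", "LogonId": "0x7d3c"},     # filter_system_user (German)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "LogonId": "0x5a2f1"},             # not selected
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT: WmiPrvSE spawned", hit)
```

Only the first event survives every filter; the localized SYSTEM account name and the null LogonId show why the rule needs both the `User|contains` and the separate `filter_null` expressions.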
Related rules
- Application Removed Via Wmic.EXE
- Application Terminated Via Wmic.EXE
- Blue Mockingbird
- Blue Mockingbird - Registry
- Computer System Reconnaissance Via Wmic.EXE