Suspicious WmiPrvSE Child Process

Detects suspicious and uncommon child processes of WmiPrvSE

Sigma rule (View on GitHub)

 1title: Suspicious WmiPrvSE Child Process
 2id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
 3related:
 4    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
 5      type: similar
 6    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 7      type: similar
 8    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
 9      type: obsolete
10status: test
11description: Detects suspicious and uncommon child processes of WmiPrvSE
12references:
13    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
14    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
15    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
16    - https://twitter.com/ForensicITGuy/status/1334734244120309760
17author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
18date: 2021-08-23
19modified: 2023-11-10
20tags:
21    - attack.execution
22    - attack.defense-evasion
23    - attack.t1047
24    - attack.t1204.002
25    - attack.t1218.010
26logsource:
27    product: windows
28    category: process_creation
29detection:
30    selection_parent:
31        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
32    selection_children_1:
33        # TODO: Add more LOLBINs or suspicious processes that make sens in your environment
34        Image|endswith:
35            - '\certutil.exe'
36            - '\cscript.exe'
37            - '\mshta.exe'
38            - '\msiexec.exe'
39            - '\regsvr32.exe'
40            - '\rundll32.exe'
41            - '\verclsid.exe'
42            - '\wscript.exe'
43    selection_children_2:
44        # This is in a separate selection due to the nature of FP generated with CMD
45        Image|endswith: '\cmd.exe'
46        CommandLine|contains:
47            - 'cscript'
48            - 'mshta'
49            - 'powershell'
50            - 'pwsh'
51            - 'regsvr32'
52            - 'rundll32'
53            - 'wscript'
54    filter_main_werfault:
55        Image|endswith: '\WerFault.exe'
56    filter_main_wmiprvse:
57        Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
58    filter_main_msiexec:
59        Image|endswith: '\msiexec.exe'
60        CommandLine|contains: '/i '
61    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
62falsepositives:
63    - Unknown
64level: high

References

Related rules

to-top