UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Sigma rule (View on GitHub)
1title: UEFI Persistence Via Wpbbin - ProcessCreation
2id: 4abc0ec4-db5a-412f-9632-26659cddf145
3status: test
4description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
5references:
6 - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
7 - https://persistence-info.github.io/Data/wpbbin.html
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/07/18
10tags:
11 - attack.persistence
12 - attack.defense_evasion
13 - attack.t1542.001
14logsource:
15 product: windows
16 category: process_creation
17detection:
18 selection:
19 Image: 'C:\Windows\System32\wpbbin.exe'
20 condition: selection
21falsepositives:
22 - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
23level: high
References
-
-
Windows Platform Binary Table Location: UEFI Classification: Criteria Value Permissions Other Security context System Persistence type Other Code type EXE Launch type Automatic Impact Non-destructi...
Read More
Related rules
- UEFI Persistence Via Wpbbin - FileCreation
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow