New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
Sigma rule (View on GitHub)
1title: New BgInfo.EXE Custom WMI Query Registry Configuration
2id: cd277474-5c52-4423-a52b-ac2d7969902f
3related:
4 - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
5 type: similar
6status: test
7description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
8references:
9 - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-08-16
12tags:
13 - attack.defense-evasion
14 - attack.t1112
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
21 Details|startswith: '6' # WMI
22 condition: selection
23falsepositives:
24 - Legitimate WMI query
25level: medium
References
Related rules
- New BgInfo.EXE Custom DB Path Registry Configuration
- New BgInfo.EXE Custom VBScript Registry Configuration
- Windows Event Log Access Tampering Via Registry
- Removal of Potential COM Hijacking Registry Keys
- Modification of IE Registry Settings