New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
Sigma rule (View on GitHub)
1title: New BgInfo.EXE Custom WMI Query Registry Configuration
2id: cd277474-5c52-4423-a52b-ac2d7969902f
3related:
4 - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
5 type: similar
6status: test
7description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
8references:
9 - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-08-16
12tags:
13 - attack.defense-evasion
14 - attack.t1112
15logsource:
16 category: registry_set
17 product: windows
18detection:
19 selection:
20 EventType: SetValue
21 TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
22 Details|startswith: '6' # WMI
23 condition: selection
24falsepositives:
25 - Legitimate WMI query
26level: medium
References
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry