New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
Sigma rule (View on GitHub)
1title: New BgInfo.EXE Custom WMI Query Registry Configuration
2id: cd277474-5c52-4423-a52b-ac2d7969902f
3related:
4 - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
5 type: similar
6status: test
7description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
8references:
9 - Internal Research
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-08-16
12tags:
13 - attack.persistence
14 - attack.defense-evasion
15 - attack.t1112
16logsource:
17 category: registry_set
18 product: windows
19detection:
20 selection:
21 TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
22 Details|startswith: '6' # WMI
23 condition: selection
24falsepositives:
25 - Legitimate WMI query
26level: medium
References
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird