Bumblebee WmiPrvSE execution pattern
Detects Bumblebee WmiPrvSE parent process manipulation
Sigma rule
title: Bumblebee WmiPrvSE execution pattern
id: 1620db43-fde5-45f3-b4d9-45ca6e79e047
status: experimental
description: Detects Bumblebee WmiPrvSE parent process manipulation
author: TheDFIRReport
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
date: 2022-09-26
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Parent is the WMI provider host, child is one of two benign-looking
        # Windows binaries that WmiPrvSE.exe would not normally spawn.
        ParentImage|endswith: 'WmiPrvSE.exe'
        Image|endswith:
            - 'ImagingDevices.exe'
            - 'wabmig.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense-evasion
    - attack.t1036
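To show how the selection above behaves on telemetry, here is an added Python matcher (not the Sigma project's code or The DFIR Report's tooling) that evaluates the rule's two `endswith` fields against a few constructed process_creation events; the event shape, field names and file paths are assumptions.

```python
"""Evaluate the Bumblebee WmiPrvSE Sigma selection over process_creation events.

Added example, not part of the Sigma project or The DFIR Report's tooling.
Sigma string matching is case-insensitive, so 'endswith' lowercases both sides.
"""

# Selection copied from the rule: parent must end with WmiPrvSE.exe AND the
# child image must end with one of the two listed binaries (list = OR).
SELECTION = {
    "ParentImage|endswith": ["WmiPrvSE.exe"],
    "Image|endswith": ["ImagingDevices.exe", "wabmig.exe"],
}


def _field_matches(event: dict, key: str, patterns: list[str]) -> bool:
    """Apply one 'field|modifier' entry to an event (only endswith is needed here)."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier != "endswith":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return any(value.lower().endswith(p.lower()) for p in patterns)


def matches_rule(event: dict) -> bool:
    """All keys of a selection map are ANDed together."""
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())


def find_hits(events: list[dict]) -> list[str]:
    """Return the Image paths of the events that trigger the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); field names follow the
# Sysmon-style process_creation schema Sigma uses. Paths are assumptions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\ImagingDevices.exe"},          # hit
    {"ParentImage": r"C:\Windows\System32\wbem\wmiprvse.exe",
     "Image": r"C:\Program Files\Common Files\System\wabmig.exe"},  # hit (case)
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\ImagingDevices.exe"},          # normal parent
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                     # child not listed
]

if __name__ == "__main__":
    for path in find_hits(SAMPLE_EVENTS):
        print("ALERT Bumblebee WmiPrvSE execution pattern:", path)
```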