title: WMI Modules Loaded
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects non wmiprvse loading WMI modules
detection:
  SELECTION_1:
    EventID: 7
  SELECTION_2:
    ImageLoaded:
    - '*\wmiclnt.dll'
    - '*\WmiApRpl.dll'
    - '*\wmiprov.dll'
    - '*\wmiutils.dll'
    - '*\wbemcomn.dll'
    - '*\wbemprox.dll'
    - '*\WMINet_Utils.dll'
    - '*\wbemsvc.dll'
    - '*\fastprox.dll'
  SELECTION_3:
    Image:
    - '*\WmiPrvSE.exe'
    - '*\WmiApSrv.exe'
    - '*\svchost.exe'
    - '*\DeviceCensus.exe'
    - '*\CompatTelRunner.exe'
    - '*\sdiagnhost.exe'
    - '*\SIHClient.exe'
    - '*\ngentask.exe'
    - '*\windows\system32\taskhostw.exe'
    - '*\windows\system32\MoUsoCoreWorker.exe'
    - '*\windows\system32\wbem\WMIADAP.exe'
    - '*C:\Windows\Sysmon64.exe'
    - '*C:\Windows\Sysmon.exe'
    - '*C:\Windows\System32\wbem\unsecapp.exe'
    - '*\logman.exe'
    - '*\systeminfo.exe'
    - '*\nvcontainer.exe'
    - '*C:\Windows\System32\wbem\WMIC.exe'
  SELECTION_4:
    Image:
    - C:\Program Files\\*
    - C:\Program Files (x86)\\*
  condition: (SELECTION_1 and (SELECTION_2 and  not (SELECTION_3)) and  not (SELECTION_4))
falsepositives:
- Unknown
fields:
- ComputerName
- User
- Image
- ImageLoaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
level: medium
logsource:
  category: image_load
  product: windows
modified: 2021/11/20
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
status: experimental
tags:
- attack.execution
- attack.t1047
ruletype: SIGMA