title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: experimental
description: Detects WMI client modules (wbemprox.dll, wmiutils.dll, fastprox.dll and the others listed below) being loaded by a process other than WmiPrvSE.exe and the other known WMI host processes excluded in the filter.
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
modified: 2021/08/18
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: image_load
    product: windows
detection:
    SELECTION_1:
        EventID: 7
    SELECTION_2:
        ImageLoaded: '*\wmiclnt.dll'
    SELECTION_3:
        ImageLoaded: '*\WmiApRpl.dll'
    SELECTION_4:
        ImageLoaded: '*\wmiprov.dll'
    SELECTION_5:
        ImageLoaded: '*\wmiutils.dll'
    SELECTION_6:
        ImageLoaded: '*\wbemcomn.dll'
    SELECTION_7:
        ImageLoaded: '*\wbemprox.dll'
    SELECTION_8:
        ImageLoaded: '*\WMINet_Utils.dll'
    SELECTION_9:
        ImageLoaded: '*\wbemsvc.dll'
    SELECTION_10:
        ImageLoaded: '*\fastprox.dll'
    SELECTION_11:
        Image: '*\WmiPrvSE.exe'
    SELECTION_12:
        Image: '*\WmiApSrv.exe'
    SELECTION_13:
        Image: '*\svchost.exe'
    SELECTION_14:
        Image: '*\DeviceCensus.exe'
    SELECTION_15:
        Image: '*\CompatTelRunner.exe'
    SELECTION_16:
        Image: '*\sdiagnhost.exe'
    SELECTION_17:
        Image: '*\SIHClient.exe'
    SELECTION_18:
        Image: '*\ngentask.exe'
    SELECTION_19:
        Image: '*\windows\system32\taskhostw.exe'
    SELECTION_20:
        Image: '*\windows\system32\MoUsoCoreWorker.exe'
    SELECTION_21:
        Image: '*\windows\system32\wbem\WMIADAP.exe'
    condition: SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5 or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10) and not (SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19 or SELECTION_20 or SELECTION_21)
fields:
    - ComputerName
    - User
    - Image
    - ImageLoaded
falsepositives:
    - Unknown
level: high
yml_filename: sysmon_wmi_module_load.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
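The following Python is an added example, not part of the rule above or of the Sigma/Hayabusa projects. It reproduces the rule's selection-and-filter logic over a handful of constructed Sysmon Event ID 7 records so the behaviour can be checked offline before the rule is deployed: Sigma's case-insensitive wildcard matching is approximated with fnmatchcase on lower-cased strings, and the sample events (paths, process names) are made up for illustration. Note that several of the exclusions (taskhostw.exe, MoUsoCoreWorker.exe, WMIADAP.exe) are bound to their expected directory, so a same-named binary elsewhere still alerts, while the bare-name exclusions (svchost.exe, WmiPrvSE.exe and the others) suppress a match from any path.

```python
"""Run the 'WMI Modules Loaded' Sigma logic over constructed Sysmon Event ID 7 records.

Added example; patterns copied from the rule, events are constructed test data.
"""
from fnmatch import fnmatchcase

EVENT_ID = 7  # Sysmon image load

# ImageLoaded patterns (SELECTION_2 .. SELECTION_10 in the rule)
WMI_MODULES = [
    r'*\wmiclnt.dll', r'*\WmiApRpl.dll', r'*\wmiprov.dll', r'*\wmiutils.dll',
    r'*\wbemcomn.dll', r'*\wbemprox.dll', r'*\WMINet_Utils.dll',
    r'*\wbemsvc.dll', r'*\fastprox.dll',
]

# Image patterns excluded by the rule (SELECTION_11 .. SELECTION_21)
KNOWN_WMI_HOSTS = [
    r'*\WmiPrvSE.exe', r'*\WmiApSrv.exe', r'*\svchost.exe', r'*\DeviceCensus.exe',
    r'*\CompatTelRunner.exe', r'*\sdiagnhost.exe', r'*\SIHClient.exe',
    r'*\ngentask.exe', r'*\windows\system32\taskhostw.exe',
    r'*\windows\system32\MoUsoCoreWorker.exe', r'*\windows\system32\wbem\WMIADAP.exe',
]


def sigma_match(value, patterns):
    """Sigma-style wildcard match: case-insensitive, '*' matches any run of characters."""
    if value is None:
        return False
    lowered = value.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in patterns)


def rule_matches(event):
    """condition: SELECTION_1 and (any WMI module) and not (any known WMI host)."""
    if event.get('EventID') != EVENT_ID:
        return False
    loaded_wmi_module = sigma_match(event.get('ImageLoaded'), WMI_MODULES)
    known_host = sigma_match(event.get('Image'), KNOWN_WMI_HOSTS)
    return loaded_wmi_module and not known_host


def run_rule(events):
    """Return the events that would fire this rule, in input order."""
    return [event for event in events if rule_matches(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: unexpected process loading the WMI client proxy -> alert
    {'EventID': 7, 'ComputerName': 'WKS01', 'User': 'CORP\\alice',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'ImageLoaded': r'C:\Windows\System32\wbem\wbemprox.dll'},
    # 2: the WMI provider host itself, odd casing -> excluded (case-insensitive)
    {'EventID': 7, 'ComputerName': 'WKS01', 'User': 'NT AUTHORITY\\NETWORK SERVICE',
     'Image': r'C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE',
     'ImageLoaded': r'C:\Windows\System32\wbem\fastprox.dll'},
    # 3: service host loading wmiutils.dll -> excluded from any path
    {'EventID': 7, 'ComputerName': 'WKS01', 'User': 'NT AUTHORITY\\SYSTEM',
     'Image': r'C:\Windows\System32\svchost.exe',
     'ImageLoaded': r'C:\Windows\System32\wbem\wmiutils.dll'},
    # 4: not a WMI module -> no match
    {'EventID': 7, 'ComputerName': 'WKS01', 'User': 'CORP\\alice',
     'Image': r'C:\Windows\System32\notepad.exe',
     'ImageLoaded': r'C:\Windows\System32\kernel32.dll'},
    # 5: process-create event, wrong EventID -> ignored even though Image looks interesting
    {'EventID': 1, 'ComputerName': 'WKS01', 'User': 'CORP\\alice',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'},
    # 6: taskhostw.exe outside System32 -> the path-bound exclusion does not apply -> alert
    {'EventID': 7, 'ComputerName': 'WKS01', 'User': 'CORP\\alice',
     'Image': r'C:\Users\Public\taskhostw.exe',
     'ImageLoaded': r'C:\Windows\System32\wbem\wbemcomn.dll'},
]


if __name__ == '__main__':
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit['ComputerName']} {hit['User']}: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Running the block prints two alerts (events 1 and 6); the provider host, svchost.exe, the non-WMI load and the Event ID 1 record are correctly ignored. The same harness can be fed exported Sysmon events (one dict per record with the fields the rule lists) to estimate the false-positive rate on a specific environment before raising the level.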