CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
f71d5848fee4ffb52c83f10fbf204b3aa5e2bb1b
hayabusa/rules/Sigma/sysmon_wmi_module_load.yml
Tanaka Zakku 50aebce32e Added Sigma Rules
2021-11-14 11:00:56 +09:00

75 lines
2.1 KiB
YAML
Raw Blame History

title: WMI Modules Loaded
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
description: Detects non wmiprvse loading WMI modules
detection:
SELECTION_1:
EventID: 7
SELECTION_10:
ImageLoaded: '*\fastprox.dll'
SELECTION_11:
Image: '*\WmiPrvSE.exe'
SELECTION_12:
Image: '*\WmiApSrv.exe'
SELECTION_13:
Image: '*\svchost.exe'
SELECTION_14:
Image: '*\DeviceCensus.exe'
SELECTION_15:
Image: '*\CompatTelRunner.exe'
SELECTION_16:
Image: '*\sdiagnhost.exe'
SELECTION_17:
Image: '*\SIHClient.exe'
SELECTION_18:
Image: '*\ngentask.exe'
SELECTION_19:
Image: '*\windows\system32\taskhostw.exe'
SELECTION_2:
ImageLoaded: '*\wmiclnt.dll'
SELECTION_20:
Image: '*\windows\system32\MoUsoCoreWorker.exe'
SELECTION_21:
Image: '*\windows\system32\wbem\WMIADAP.exe'
SELECTION_3:
ImageLoaded: '*\WmiApRpl.dll'
SELECTION_4:
ImageLoaded: '*\wmiprov.dll'
SELECTION_5:
ImageLoaded: '*\wmiutils.dll'
SELECTION_6:
ImageLoaded: '*\wbemcomn.dll'
SELECTION_7:
ImageLoaded: '*\wbemprox.dll'
SELECTION_8:
ImageLoaded: '*\WMINet_Utils.dll'
SELECTION_9:
ImageLoaded: '*\wbemsvc.dll'
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10)
and not ((SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or
SELECTION_15 or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19
or SELECTION_20 or SELECTION_21)))
falsepositives:
- Unknown
fields:
- ComputerName
- User
- Image
- ImageLoaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
level: high
logsource:
category: image_load
product: windows
modified: 2021/08/18
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
status: experimental
tags:
- attack.execution
- attack.t1047
yml_filename: sysmon_wmi_module_load.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/image_load
Reference in New Issue View Git Blame Copy Permalink