Detectionhightest

UEFI Persistence Via Wpbbin - ProcessCreation

Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Jul 184abc0ec4-db5a-412f-9632-26659cddf145windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image: 'C:\Windows\System32\wpbbin.exe'
    condition: selection

False Positives

Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

4abc0ec4-db5a-412f-9632-26659cddf145

Status

test

Level

high

Type

Detection

Created

Mon Jul 18

Author

Path

rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1542.001