Detectionlowstable

Successful Account Login Via WMI

Detects successful logon attempts performed with WMI

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Thomas PatzkeCreated Wed Dec 04Updated Wed Jan 175af54681-df95-4c26-854f-2565e13cfab0windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4624
        ProcessName|endswith: '\WmiPrvSE.exe'
    condition: selection

False Positives

Monitoring tools

Legitimate system administration

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

5af54681-df95-4c26-854f-2565e13cfab0

Status

stable

Level

low

Type

Detection

Created

Wed Dec 04

Modified

Wed Jan 17

Author

Path

rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml

Raw Tags

attack.executionattack.t1047