Detectioncriticaltest

Wmiprvse Wbemcomn DLL Hijack - File

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Mon Oct 12Updated Fri Dec 02614a7e17-5643-4d89-b6fe-f9df1a79641cwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0008 · Lateral Movement

Techniques

T1047 · Windows Management Instrumentation

Sub-techniques

T1021.002 · SMB/Windows Admin Shares

Rule Metadata

Rule ID

614a7e17-5643-4d89-b6fe-f9df1a79641c

Status

test

Level

critical

Type

Detection

Created

Mon Oct 12

Modified

Fri Dec 02

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml

Raw Tags

attack.executionattack.t1047attack.lateral-movementattack.t1021.002

View on GitHub