Threat Huntlowtest
WMI Module Loaded By Uncommon Process
Detects WMI modules being loaded by an uncommon process
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Roberto Rodriguez (Cyb3rWard0g)Created Sat Aug 10Updated Mon Feb 24671bb7e3-a020-4824-a00e-2ee5b55f385ewindows
Hunting Hypothesis
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic7 selectors
detection:
selection:
ImageLoaded|endswith:
- '\fastprox.dll'
- '\wbemcomn.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\WmiApRpl.dll'
- '\wmiclnt.dll'
- '\WMINet_Utils.dll'
- '\wmiprov.dll'
- '\wmiutils.dll'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\explorer.exe'
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_other:
Image|endswith:
- '\WindowsAzureGuestAgent.exe'
- '\WaAppAgent.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_defender:
Image|endswith: '\MsMpEng.exe'
filter_optional_teams:
Image|contains:
- '\Microsoft\Teams\current\Teams.exe'
- '\Microsoft\Teams\Update.exe'
filter_optional_sysmon:
Image|endswith:
- ':\Windows\Sysmon.exe'
- ':\Windows\Sysmon64.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Other
detection.threat-hunting
Rule Metadata
Rule ID
671bb7e3-a020-4824-a00e-2ee5b55f385e
Status
test
Level
low
Type
Threat Hunt
Created
Sat Aug 10
Modified
Mon Feb 24
Path
rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml
Raw Tags
attack.executionattack.t1047detection.threat-hunting