Detectionhightest

Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)Created Mon Oct 12Updated Sun Oct 097707a579-e0d8-4886-a853-ce47e4575aaawindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith: '\wmiprvse.exe'
        ImageLoaded|endswith: '\wbem\wbemcomn.dll'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

threathunterplaybook.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0008 · Lateral Movement

Techniques

T1047 · Windows Management Instrumentation

Sub-techniques

T1021.002 · SMB/Windows Admin Shares

Rule Metadata

Rule ID

7707a579-e0d8-4886-a853-ce47e4575aaa

Status

test

Level

high

Type

Detection

Created

Mon Oct 12

Modified

Sun Oct 09

Author

Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Path

rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml

Raw Tags

attack.executionattack.t1047attack.lateral-movementattack.t1021.002

View on GitHub