Detectionmediumtest

New BgInfo.EXE Custom WMI Query Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Aug 16cd277474-5c52-4423-a52b-ac2d7969902fwindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '6' # WMI
    condition: selection

False Positives

Legitimate WMI query

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Related Rules

SimilarDetectionmedium

New BgInfo.EXE Custom VBScript Registry Configuration

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

cd277474-5c52-4423-a52b-ac2d7969902f

Status

test

Level

medium

Type

Detection

Created

Wed Aug 16

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub