WmiPrvSE Spawned A Process
Detects WmiPrvSE spawning a process
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection:
ParentImage|endswith: '\WmiPrvSe.exe'
filter_logonid:
LogonId:
- '0x3e7' # LUID 999 for SYSTEM
- 'null' # too many false positives
filter_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_wmiprvse:
Image|endswith: '\WmiPrvSE.exe'
filter_werfault:
Image|endswith: '\WerFault.exe'
filter_null: # some backends need the null value in a separate expression
LogonId: null
condition: selection and not 1 of filter_*False positives are expected (e.g. in environments where WinRM is used legitimately)
Tactics
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
Detects similar activity. Both rules may fire on overlapping events.
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Detects similar activity. Both rules may fire on overlapping events.