Detectionhightest

UEFI Persistence Via Wpbbin - FileCreation

Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Mon Jul 18e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185fwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename: 'C:\Windows\System32\wpbbin.exe'
    condition: selection

False Positives

Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f

Status

test

Level

high

Type

Detection

Created

Mon Jul 18

Author

Path

rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1542.001