Detectionhightest
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Roberto Rodriguez (Cyb3rWard0g), Open Threat Research (OTR)Created Mon Oct 12Updated Thu Feb 24f6c68d5f-e101-4b86-8c84-7d96851fd65cwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic2 selectors
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filterFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
f6c68d5f-e101-4b86-8c84-7d96851fd65c
Status
test
Level
high
Type
Detection
Created
Mon Oct 12
Modified
Thu Feb 24
Path
rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml
Raw Tags
attack.executionattack.t1047attack.lateral-movementattack.t1021.002