rules/windows/image_load/image_load_wmi_module_load.yml

title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
description: Detects non wmiprvse loading WMI modules
status: experimental
date: 2019/08/10
modified: 2022/01/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: image_load
    product: windows
detection:
    selection: 
        ImageLoaded|endswith:
            - '\wmiclnt.dll'
            - '\WmiApRpl.dll'
            - '\wmiprov.dll'
            - '\wmiutils.dll'
            - '\wbemcomn.dll'
            - '\wbemprox.dll'
            - '\WMINet_Utils.dll'
            - '\wbemsvc.dll'
            - '\fastprox.dll'
    filter:
        Image|endswith:
            - '\WmiPrvSE.exe'
            - '\WmiApSrv.exe'
            - '\svchost.exe'
            - '\DeviceCensus.exe'
            - '\CompatTelRunner.exe'
            - '\sdiagnhost.exe'
            - '\SIHClient.exe'
            - '\ngentask.exe'  # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
            - '\windows\system32\taskhostw.exe'  # c:\windows\system32\taskhostw.exe
            - '\windows\system32\MoUsoCoreWorker.exe'  # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
            - '\windows\system32\wbem\WMIADAP.exe'  # https://github.com/SigmaHQ/sigma/issues/1871
            - 'C:\Windows\Sysmon64.exe'
            - 'C:\Windows\Sysmon.exe'
            - 'C:\Windows\System32\wbem\unsecapp.exe'
            - '\logman.exe'
            - '\systeminfo.exe'
            - '\nvcontainer.exe'
            - 'C:\Windows\System32\wbem\WMIC.exe'
            - '\explorer.exe'
            - '\opera_autoupdate.exe'
            - '\MsMpEng.exe'
            - '\thor64.exe'
            - '\thor.exe'
    filter_generic:             # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter and not filter_generic
fields:
    - ComputerName
    - User
    - Image
    - ImageLoaded
falsepositives:
    - Unknown
level: informational  # too many false positives
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`title: WMI Modules Loaded`
			`id: 671bb7e3-a020-4824-a00e-2ee5b55f385e`
			`description: Detects non wmiprvse loading WMI modules`
			`status: experimental`
			`date: 2019/08/10`
fix: FPs noticed with Aurora 2022-01-12 11:32:34 +01:00			`modified: 2022/01/12`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`author: Roberto Rodriguez @Cyb3rWard0g`
			`references:`
Update Threat Hunter Playbook Reference 2021-05-22 01:01:33 -03:00			`- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`tags:`
			`- attack.execution`
			`- attack.t1047`
			`logsource:`
Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00			`category: image_load`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`product: windows`
			`detection:`
			`selection:`
			`ImageLoaded\|endswith:`
			`- '\wmiclnt.dll'`
			`- '\WmiApRpl.dll'`
			`- '\wmiprov.dll'`
			`- '\wmiutils.dll'`
			`- '\wbemcomn.dll'`
			`- '\wbemprox.dll'`
			`- '\WMINet_Utils.dll'`
			`- '\wbemsvc.dll'`
			`- '\fastprox.dll'`
			`filter:`
			`Image\|endswith:`
Update sysmon_wmi_module_load.yml 2021-06-15 16:16:28 +02:00			`- '\WmiPrvSE.exe'`
			`- '\WmiApSrv.exe'`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`- '\svchost.exe'`
			`- '\DeviceCensus.exe'`
			`- '\CompatTelRunner.exe'`
			`- '\sdiagnhost.exe'`
			`- '\SIHClient.exe'`
add WMI and powershell false positives 2020-07-09 10:26:54 -04:00			`- '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe`
			`- '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe`
be more specific about file location 2020-07-09 13:33:59 -04:00			`- '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least`
fix: FPs with WMIADAP.exe 2021-08-18 17:26:57 +02:00			`- '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871`
fix: FPs 2021-11-16 13:04:52 +01:00			`- 'C:\Windows\Sysmon64.exe'`
			`- 'C:\Windows\Sysmon.exe'`
			`- 'C:\Windows\System32\wbem\unsecapp.exe'`
fix: FP with logman.exe 2021-11-16 13:39:32 +01:00			`- '\logman.exe'`
fix: false positive with WMI rule 2021-11-17 18:59:22 +01:00			`- '\systeminfo.exe'`
fix: more false positive fixes 2021-11-16 23:27:00 +01:00			`- '\nvcontainer.exe'`
$frack113$ add WMIC.exe 2021-11-17 16:37:27 +01:00			`- 'C:\Windows\System32\wbem\WMIC.exe'`
fix: FPs found with Aurora 2021-11-25 15:35:58 +01:00			`- '\explorer.exe'`
			`- '\opera_autoupdate.exe'`
			`- '\MsMpEng.exe'`
fix: FPs noticed with Aurora 2022-01-12 11:32:34 +01:00			`- '\thor64.exe'`
			`- '\thor.exe'`
fix: FPs with WMI module rule 2021-11-19 12:15:01 +01:00			`filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to`
			`Image\|startswith:`
			`- 'C:\Program Files\'`
			`- 'C:\Program Files (x86)\'`
			`condition: selection and not filter and not filter_generic`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`fields:`
			`- ComputerName`
			`- User`
			`- Image`
			`- ImageLoaded`
			`falsepositives:`
			`- Unknown`
fix: more false positive filters 2021-11-24 16:58:53 +01:00			`level: informational # too many false positives`
Added rules files split into folders 2020-06-10 16:32:30 +02:00