security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Win WMI Persistence

Browse Source 
http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
https://twitter.com/mattifestation/status/899646620148539397
This commit is contained in:
Florian Roth
2017-08-22 10:02:54 +02:00
parent 8f4a780c3b
commit 332f7d27da
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/other/win_wmi_persistence.yml
+19
View File
@@ -0,0 +1,19 @@
title: WMI Persistence
status: experimental
description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10)
author: Florian Roth
reference: https://twitter.com/mattifestation/status/899646620148539397
logsource:
product: windows
service: wmi
detection:
selection:
EventID: 5861
keywords:
- 'CommandLineEventConsumer'
- 'CommandLineTemplate'
- 'Binding EventFilter'
condition: selection and 1 of keywords
falsepositives:
- Unknown (data set is too small; further testing needed)
level: high