sigma |
win_susp_lsass_dump_generic.yml |
- '\wmiprvse.exe' |
DRL 1.0 |
sigma |
win_susp_wmi_login.yml |
ProcessName: "*\\WmiPrvSE.exe" |
DRL 1.0 |
sigma |
sysmon_wmi_module_load.yml |
description: Detects non wmiprvse loading WMI modules |
DRL 1.0 |
sigma |
sysmon_wmi_module_load.yml |
- '\WmiPrvSe.exe' |
DRL 1.0 |
sigma |
sysmon_wmi_persistence_commandline_event_consumer.yml |
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe' |
DRL 1.0 |
sigma |
win_defender_psexec_wmi_asr.yml |
- '\wmiprvse.exe' |
DRL 1.0 |
sigma |
sysmon_cred_dump_lsass_access.yml |
- '\wmiprvse.exe' |
DRL 1.0 |
sigma |
win_apt_ta505_dropper.yml |
description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents |
DRL 1.0 |
sigma |
win_apt_ta505_dropper.yml |
ParentImage\|endswith: '\wmiprvse.exe' |
DRL 1.0 |
sigma |
win_impacket_lateralization.yml |
# parent is wmiprvse.exe |
DRL 1.0 |
sigma |
win_impacket_lateralization.yml |
- '*\wmiprvse.exe' # wmiexec |
DRL 1.0 |
sigma |
win_shell_spawn_susp_program.yml |
- '*\wmiprvse.exe' |
DRL 1.0 |
sigma |
win_susp_powershell_parent_process.yml |
- '\wmiprvse.exe' |
DRL 1.0 |
sigma |
win_wmiprvse_spawning_process.yml |
title: Wmiprvse Spawning Process |
DRL 1.0 |
sigma |
win_wmiprvse_spawning_process.yml |
description: Detects wmiprvse spawning processes |
DRL 1.0 |
sigma |
win_wmiprvse_spawning_process.yml |
ParentImage\|endswith: '\WmiPrvSe.exe' |
DRL 1.0 |
sigma |
win_wmiprvse_spawning_process.yml |
- '\WmiPrvSE.exe' |
DRL 1.0 |
sigma |
win_wmi_spwns_powershell.yml |
- '*\wmiprvse.exe' |
DRL 1.0 |
sigma |
sysmon_raw_disk_access_using_illegitimate_tools.yml |
- '\wmiprvse.exe' |
DRL 1.0 |
malware-ioc |
nukesped_lazarus |
. WmiPrvse.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
malware-ioc |
nukesped_lazarus |
. Wmiprvse.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
atomic-red-team |
hta.md |
## MSHTA - Wmiprvse Spawning CMD |
MIT License. © 2018 Red Canary |
atomic-red-team |
hta.md |
Using COM objects, mshta runs with no child processes. Wmiprvse spawns and executes cmd -> calc. |
MIT License. © 2018 Red Canary |
atomic-red-team |
hta.md |
// Child of wmiprvse |
MIT License. © 2018 Red Canary |
atomic-red-team |
Office_Macro_COM.md |
Wmiprvse.exe->cmd->powershell. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1546.003.md |
WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. |
MIT License. © 2018 Red Canary |
signature-base |
crime_cn_campaign_njrat.yar |
$s4 = "WmiPrvSE.exe" fullword wide |
CC BY-NC 4.0 |
signature-base |
crime_cn_campaign_njrat.yar |
$a1 = "WmiPrvSE.exe" fullword wide |
CC BY-NC 4.0 |
signature-base |
crime_cn_campaign_njrat.yar |
$s2 = "Temporary Projects\WmiPrvSE\" ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s8 = "wmiprvse.exe" fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s10 = "wmiprvse.exe" fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s8 = "wmiprvse.exe" ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s5 = "wmiprvse.exe" fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s3 = "wmiprvse.exe" fullword ascii |
CC BY-NC 4.0 |
signature-base |
gen_cn_hacktools.yar |
$s6 = "wmiprvse.exe" fullword ascii |
CC BY-NC 4.0 |