Rules Contributing to T1047 Wmiprvse Wbemcomn DLL Hijack Alert

The following rules detect suspicious SMB traffic related to WMI DLL Hijack activities. Any one or more of these will trigger the T1047 Wmiprvse Wbemcomn DLL Hijack Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

T1047 Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.

Rule ID

network_security_13

Query

{'selection': {'appid_name': 'smb', 'metadata|contains': ['\\\\wbem\\\\wbemcomn.dll']}, 'condition': 'selection'}

Log Source

Stellar Cyber Network Events configured for:

Requirements: Network/Security/Modular sensor must be able to capture network traffic

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0002, T1047, TA0008, T1021.002

References

https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html

Severity

75

Suppression Logic Based On

appid_name
srcip
dstip
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2024/07/13	high	Unknown

Stellar Cyber version 5.4.0

© 2024 Stellar Cyber. All rights reserved.
Support | Contact Us |