EXPLORE DETECTIONS
WMI Persistence - Script Event Consumer
Detects WMI script event consumers
WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
WMI Persistence - Security
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
WMIC Loading Scripting Libraries
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
WMIC Unquoted Services Path Lookup - PowerShell
Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
WMImplant Hack Tool
Detects parameters used by WMImplant
WmiPrvSE Spawned A Process
Detects WmiPrvSE spawning a process
Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Write Protect For Storage Disabled
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
Writing Local Admin Share
Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
WScript or CScript Dropper - File
Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
Wscript Shell Run In CommandLine
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
WSL Kali-Linux Usage
Detects the use of Kali Linux through Windows Subsystem for Linux
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL