WMI Execution via Microsoft Office Application

Identifies the execution of Windows Management Instrumentation (WMI) via a Microsoft Office application.

id: e6be5ffe-c765-4e13-962d-7eaae07aeaec
categories: detect
confidence: medium
os: windows
created: 8/16/2019
updated: 8/16/2019

MITRE ATT&CK™ Mapping

tactics: Execution
techniques: T1047 Windows Management Instrumentation

Query

image_load where
  process_name in ("excel.exe", "winword.exe",
                   "powerpnt.exe", "outlook.exe") and
  image_name in ("wbemdisp.dll", "wbemcomn.dll", "wbemprox.dll",
                 "wmiutils.dll", "wbemsvc.dll", "fastprox.dll")
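
The following is an added example, not part of the original rule or the analytics library it comes from. It translates the query's predicate into Python and runs it over constructed image-load events that use Sysmon Event ID 7 field names (EventID, Image, ImageLoaded) as an assumed telemetry shape. The point it shows beyond the query text is the normalisation step: Sysmon records full, mixed-case paths, while EQL's process_name and image_name are base names compared case-insensitively, so a port of this rule to another engine must strip the directory and lowercase before comparing, or a load of FastProx.DLL by OUTLOOK.EXE silently slips past.

```python
"""Evaluate the page's image_load rule over constructed Sysmon-style events.

Added example; the event dicts mimic Sysmon Event ID 7 (Image loaded) fields,
but every path and value below is constructed for the demonstration.
"""
from __future__ import annotations

import ntpath

# Values taken directly from the rule's query.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
WMI_IMAGES = {"wbemdisp.dll", "wbemcomn.dll", "wbemprox.dll",
              "wmiutils.dll", "wbemsvc.dll", "fastprox.dll"}


def basename_lower(path: str) -> str:
    """Sysmon logs full Windows paths; EQL's process_name/image_name are the
    base name and compare case-insensitively, so normalise both the same way."""
    return ntpath.basename(path).lower()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the query: an Office process loading a WMI DLL."""
    if event.get("EventID") != 7:  # only image_load events are in scope
        return False
    process = basename_lower(event.get("Image", ""))
    image = basename_lower(event.get("ImageLoaded", ""))
    return process in OFFICE_PROCESSES and image in WMI_IMAGES


def find_hits(events: list[dict]) -> list[tuple[str, str]]:
    """Return (process_name, image_name) pairs for every matching event."""
    return [(basename_lower(e["Image"]), basename_lower(e["ImageLoaded"]))
            for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Excel loading the WMI scripting DLL: the behaviour the rule flags.
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemdisp.dll"},
    # Word loading an ordinary system DLL: benign, no hit.
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # wmic.exe loading a WMI DLL: not an Office process, outside the rule's scope.
    {"EventID": 7,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemprox.dll"},
    # Outlook loading fastprox.dll, logged with mixed case: still a hit.
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Windows\System32\wbem\FastProx.DLL"},
    # A process-creation event (ID 1) for Excel: wrong event type, ignored.
    {"EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": ""},
]

if __name__ == "__main__":
    for process_name, image_name in find_hits(SAMPLE_EVENTS):
        print(f"T1047 candidate: {process_name} loaded {image_name}")
```

Run as a script, it reports the Excel and Outlook loads and stays quiet on the other three events. The rule is rated medium confidence, so in practice hits from this predicate are a triage queue rather than a verdict; the parent process and the document that was open at the time are the usual next fields to pull.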

Contributors