Techniques
Sample rules
Windows WMI Impersonate Token
- source: splunk
- technicques:
- T1047
Description
The following analytic identifies a possible wmi token impersonation activities in a process or command. This technique was seen in Qakbot malware where it will execute a vbscript code contains wmi impersonation object to gain privilege escalation or as defense evasion. This Anomaly detection looks for wmiprvse.exe SourceImage having a duplicate handle or full granted access in a target process.
Detection logic
`sysmon` EventCode=10 SourceImage = "*\\wmiprvse.exe" GrantedAccess IN ("0x1478", "0x1fffff")
| stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmi_impersonate_token_filter`