LoFP / false positives are expected (e.g. in environments where winrm is used legitimately)

Techniques

t1047

Sample rules

WmiPrvSE Spawned A Process

source: sigma
technicques:
- t1047

Description

Detects WmiPrvSE spawning a process

Detection logic

condition: selection and not 1 of filter_*
filter_logonid:
  LogonId:
  - '0x3e7'
  - 'null'
filter_null:
  LogonId: null
filter_system_user:
  User|contains:
  - AUTHORI
  - AUTORI
filter_werfault:
  Image|endswith: \WerFault.exe
filter_wmiprvse:
  Image|endswith: \WmiPrvSE.exe
selection:
  ParentImage|endswith: \WmiPrvSe.exe